A Method to Block Users via MAC Address Using the Sygate Personal Firewall to Complement ISA Firewall Security
I usually receive mail, especially from cable.net operators, asking how to block users via their MAC Address using ISA Server as user id or IP address based security restriction is not much highly secure as users on LAN can share there IP’s and User IDs. But changing MAC address is quite difficult (not impossible) as compare to changing IP or id.
I have an LAN environment with over 200 computers running 6 server's serving different services like web browsing, chat server, sharing server, Cs gaming server and others. The system I tested for this software is
- Windows 2000 Standalone Server
- Windows 2000 SP 4
- ISA Server 2000 Enterprise Edition with ISA SP 2.
First of all let me clear that using only an ISA firewall, you cannot block users via MAC Address, as ISA is an enterprise level firewall and manages multiple Ethernet broadcast segments, which makes MAC address control relatively useless. How, single Ethernet broadcast domain networks may benefit from this feature.
An alternate method to control source client address via MAC address is to use a device such as a managed switch, through which you can manage your switch via telnet or a web based management interface, that allows you to block IP addresses, ports, and MAC address.
Of course, managed switches cost premium prices and have the potential for costing much more than an ISA firewall on a low powered Intel platform computer. A most cost effective solution can be achieved via using third party tools, such as Sygate Personal Firewall (SPF), which can be purchased from Sygate and delivered either on CD or downloaded from an Internet store.
Download SPF, Run it's setup, and after completing its installation, it will prompt you to re-start your PC. Go ahead, but remember that after you restart the computer, it will block all traffic both inbound and outbound.
OPENING SPF TO ALLOW ALL TRAFFIC
Open SMC (Sygate Management Console), go to Tools/Advanced Rules, click on Add in Rule Description. Name it any name you like, such as Allow Rule.
In the Action tab, select Allow This Traffic, then click on OK. (If you remember, after installing ISA Server 2000, you have to create an Allow Rule in the Protocol Rules section in order to open the ISA firewall for all traffic outbound, same theory is applied to SMC)
Now you have opened your firewall for all traffic including the ISA firewall’s traffic. It will not further interrupt traffic through the ISA firewall.
Now let's move on to how to block users via MAC address.
There are two ways to block users: grant access to specific users only or deny access to specific users only.
Granting Access to Specific Users Only
If you want to allow specific users only, instead creating an allow rule for all users, create rules to allow access only for specific users. You have to create rules one by one for users (if you want to access control via MAC address), otherwise if you want to control them via IP address, then SPF has a variety of methods enabling you to control this.
DENYING Access to SPECIFIC USERS ONLY
In Advanced Rule Properties, add a new rule, In Description, enter your own description like BLOCK JOHN (IP=10.x.x.x)
On the Action tab Select Block this traffic (it is always set to Block this traffic by default whenever you create any new rule).
In the HOSTS section, Apply this rule to MAC address and then enter the MAC ADDRESS of the user you wanted to block. Select OK.
Now you can see your newly created rule along with the ALLOW RULE you have previously created. REMEMBER! Always put ALLOW RULE at the bottom of the list. In SMC, rules process in TOP TO DOWN order, like if ALLOW RULE is at the top, it will ignore all block rule which are down below this rule, So always put ALLOW RULE at the last number so SMC will first process the Block rules then the ALLOW RULE.
SPF (Syagte Personal Firewall) really helps me a lot in detecting intrusion attempts, flooding attacks, buffer overflow flow attacks, and others. SPF automatically blocks attacker's IP address for few minutes This and other options can be disabled/enabled or configured at the TOOLS/OPTIONS/SECURITY menu. You can configure many options to control user access to your server. You can block virus attacks from LAN users via adding a file like SVCHOST.EXE (which is commonly used by worms for flooding or RPC/DCOM buffer overflow attacks), then this application will not be able to seize ISA SERVER LAN adopter.
Personal Note from Syed Jahanzaib
At the end, I strongly recommend using licensed software, because if you are using it for commercial use and earning money from it, then you should pay for the software, as you are benefiting from the companies software development process.
I also recommend these software companies to review their license policy for 3rd world countries. For example, Windows XP home edition cost around $200US at our local market and the pirate copy (which include EVERY SOFTWARE like Windows 2000 ,Windows XP and others) costs me 40 CENTS per CD. I earn under $200US in a month, Someone please tell me that how can I buy such expensive software if my earning is under 200 $ per month?
Windows 2000 Server cost us $1000US and ISA Server 2000 cost us around $1500US. If I am running cyber cafe with around 6-8 PC’s and my monthly income is under $200US how can I purchase such expensive software? Should I stop using it because I don’t have money to buy and stop all my creativity and interest to learn new things?