Allow MAC address in Security Policy

pentasoft_albe Posts: 17  Freshman Member
edited July 2 in Nebula Ideas
Hello, I would like to propose the possibility of creating security policies in Nebula based on MAC address, as the IP-based ones are easily bypassed.

In a scenario where I want to block, for example, YouTube for a specific client, the client just changes its IP and bypasses the rule.

Thanks

Comments

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,230  Zyxel Employee

    In your application scenario, we would suggest you configure IP/MAC binding settings in the Static DHCP table.

    Then create a security policy to define that the IP address will be blocked by a security profile (Content filter, App patrol).





  • pentasoft_albe
    pentasoft_albe Posts: 17  Freshman Member
    edited April 2022
    Thank you @Zyxel_Jeff for your answer, but this is not a definitive solution that can be applied to all scenarios.

    Of course it can be used in contexts where there are few clients, but in a context where it is possible to reserve only a few IPs and there are several machines that alternate, it becomes impractical and very time-consuming.

    And if the owner of the client with the MAC xx.xx.xx.xx.xx.xx changes the IP address by hand, the rule does not work.

    The right answer to this problem is to be able to directly apply the rule on the MAC and not to assign an IP address to a specific MAC and then apply the rule.

    I hope that this thing will be taken into account because it is particularly important, at least for me.

    Sorry for my bad English :)



  • PeterUK
    PeterUK Posts: 3,388  Guru Member
    edited April 2022
    And what's stopping the client from changing their MAC? Same problem. I mean, OK, I like the idea of doing firewall by MAC....

    Another way is to get a switch with DAI (Dynamic ARP Inspection); this forces all clients to do DHCP to get an IP, meaning changing the IP does not allow access, so IP/MAC binding works... until the user changes the MAC, of course.
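
A simplified model of the check discussed in this thread, added here as an illustration (not code from any poster or from Zyxel): a switch records DHCP leases and drops ARP whose sender MAC/IP does not match one, which is what makes the IP-based policy hold for a bound MAC. The class, function names and all addresses are constructed assumptions; real DAI also keys bindings on VLAN and lease time.

```python
class DaiSwitch:
    """Toy DHCP snooping table plus ARP validation (assumed names)."""

    def __init__(self):
        self.bindings = {}  # (port, mac) -> IP learned from DHCP ACKs

    def dhcp_ack(self, port, mac, ip):
        # DHCP snooping: remember the lease the trusted server handed out.
        self.bindings[(port, mac.lower())] = ip

    def inspect_arp(self, port, sender_mac, sender_ip):
        # DAI: forward only if sender MAC/IP on this port match a lease.
        leased = self.bindings.get((port, sender_mac.lower()))
        if leased is None:
            return "drop: no DHCP binding"
        if leased != sender_ip:
            return "drop: IP does not match lease"
        return "forward"


def demo():
    sw = DaiSwitch()
    # Constructed sample data: the restricted client is pinned to .50 by
    # static DHCP, and the security policy blocks that IP.
    blocked_ips = {"192.168.1.50"}
    client_mac = "AA:BB:CC:00:00:01"
    sw.dhcp_ack(3, client_mac, "192.168.1.50")

    results = {}
    # Client uses its leased address: ARP is forwarded, policy applies.
    results["leased_ip"] = sw.inspect_arp(3, client_mac, "192.168.1.50")
    results["leased_ip_blocked"] = "192.168.1.50" in blocked_ips
    # Client sets a different IP by hand: ARP is dropped, so no access.
    results["manual_ip"] = sw.inspect_arp(3, client_mac, "192.168.1.77")
    # Same port presents a different MAC and takes a normal pool lease:
    # DAI sees a valid binding and the IP-based policy no longer matches.
    sw.dhcp_ack(3, "02:00:00:00:00:99", "192.168.1.120")
    results["new_mac"] = sw.inspect_arp(3, "02:00:00:00:00:99", "192.168.1.120")
    results["new_mac_blocked"] = "192.168.1.120" in blocked_ips
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```
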
  • pentasoft_albe
    pentasoft_albe Posts: 17  Freshman Member
    Hi @PeterUK

    Changing the MAC address is not as easy as changing the IP, but yes, with your solution we have strong authenticity of the client, which means introducing more hardware and configuration.

    Taking your example, I think even more that this possibility is almost an obligation to be included in Nebula because you have undergone a system that in any case significantly increases the capacity for action.

    For those who have the possibility, the system you described (which I did not know) greatly increases the security of clients accessing the system.

    Sorry for my English
