Allow MAC address in Security Policy

pentasoft_albe
pentasoft_albe Posts: 9
First Anniversary Friend Collector
edited August 2022 in Nebula Ideas
Hello, I would like to propose the possibility to create in Nebula security policies   based on MAC address as the IP-based ones are easily bypassed.

In a scenario where I want to block for example Youtube to a specific client just that this changes IP and bypasses the rule.

Thanks
1 votes

Active · Last Updated

Comments

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    In your application scenario, we would suggest you can config IP/MAC binding settings on Static DHCP table.


    Then creating a security policy to define that IP address would be blocked by a security profile(Content filter, App patrol).



  • pentasoft_albe
    pentasoft_albe Posts: 9
    First Anniversary Friend Collector
    edited April 2022
    Thank @Zyxel_Jeff you for your answer but this is not a definitive solution that can be applied to all scenarios.

    Of course it can be used in contexts where there are few clients but in a context where it is possible to reserve only a few IPs and there are several machines that alternate it becomes impractical and very time-consuming.

    And if the owner of the client with the MAC xx.xx.xx.xx.xx.xx changes the IP address by hand here is that the rule does not work.

    The right answer to this problem is to be able to directly apply the rule on the MAC and not to assign an IP address to a specific MAC and then apply the rule.

    I hope that this thing will be taken into account because it is particularly important, at least for me.

    Sorry for my bad english :)



  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited April 2022
    And whats stopping the client from changing their MAC ? same problem I mean OK I like the idea of doing firewall by MAC....

    Another way is to get a switch with DAI  (Dynamic ARP inspection) this forces all clients to do DHCP to get a IP meaning change the IP does not allow access so IP/MAC binding works...Until the user changes the MAC of coarse.. 
  • Ciao @PeterUK

    Changing MAC address is not as easy as changing IP but yes with your solution we have a strong authenticity of the client which means introducing more hardware and configuration.

    Taking your example I think even more that this possibility is almost an obligation to be included in Nebula because you have undergone a system that in any case significantly increases the capacity for action.

    For those who have the possibility the system you described (which I did not know) greatly increases the security of clients accessing the system.

    Sorry for my English

Nebula Tips & Tricks