A Method to Block Users via MAC Address Using the Sygate Personal Firewall to Complement the ISA Firewall
[LEFT][CODE]http://www.isaserver.org/articles/blockbymac.html[/CODE][LEFT]I often receive mail, especially from cable.net operators, asking how to block users by their [B]MAC[/B] address using [I]ISA Server[/I], because restrictions based on user ID or IP address are not very secure: users on a LAN can share their IPs and user IDs. Changing a [B]MAC[/B] address, on the other hand, is quite difficult (though not impossible) compared to changing an IP address or user ID.[/LEFT]
I have a LAN environment with over 200 computers and 6 servers providing different services such as web browsing, a chat server, a file sharing server, a CS gaming server and others. The system I tested this software on is:
[LIST][*]Windows 2000 Standalone Server[*]Windows 2000 SP 4[*]ISA Server 2000 Enterprise Edition with ISA SP 2.[/LIST]
First of all, let me be clear that with the ISA firewall alone you cannot block users by [B]MAC[/B] address. ISA is an enterprise-level firewall that serves multiple Ethernet broadcast segments, and a client's MAC address is only visible within its own segment (traffic that crosses a router arrives with the router's MAC as its source), which makes MAC address control at the firewall relatively useless. However, networks that consist of a single Ethernet broadcast domain can benefit from this feature.
An alternative way to control clients by source MAC address is to use a device such as a [B]managed switch[/B], administered via telnet or a web-based management interface, that lets you block IP addresses, ports and [B]MAC[/B] addresses.
Of course, managed switches come at premium prices and can easily cost more than an ISA firewall running on a low-powered Intel platform computer. A more cost-effective solution is to use a third-party tool such as [B]Sygate Personal Firewall (SPF)[/B], which can be purchased from Sygate and delivered either on CD or as a download from an Internet store.
Download [B]SPF[/B] and run its setup. After the installation completes it will prompt you to restart your PC. Go ahead, but remember that after the restart it will block [B]all traffic, both[/B] inbound and outbound.
[B] OPENING SPF TO ALLOW ALL TRAFFIC
[/B] Open [B]SMC[/B] (Sygate Management Console), go to [B]Tools/Advanced Rules[/B] and click [B]Add[/B]. In [B]Rule Description[/B], give the rule any name you like, such as [B]Allow Rule[/B].
[IMG]http://www.isaserver.org/img/upl/blockb11106915897735.gif[/IMG]
[FONT=Verdana] In the [B]Action[/B] tab, select [B]Allow This Traffic[/B], then click [B]OK[/B]. (If you remember, after installing [I]ISA Server 2000[/I] you have to create an [B]Allow Rule[/B] in the [B]Protocol Rules[/B] section to open the ISA firewall for all outbound traffic; the same principle applies to [B]SMC[/B].)
[IMG]http://www.isaserver.org/img/upl/blockb21106915897735.gif[/IMG]
Now you have opened your firewall for all traffic, including the ISA firewall's own traffic, so SPF will no longer interfere with traffic passing through the ISA firewall.
Now let's move on to how to block users via MAC address.
There are two ways to block users: [B]grant[/B] access to specific users only, or [B]deny[/B] access to specific users only.
[B] [B]Granting Access to Specific Users Only[/B]
[/B] If you want to allow only specific users, then instead of creating one allow rule for all users, create rules that allow access only for those users. If you want to control access by [B]MAC[/B] address, you have to create these rules one by one, one per user; if you want to control them by IP address instead, [B]SPF[/B] offers a variety of methods for doing so.
[B] [B]DENYING Access to SPECIFIC USERS ONLY[/B]
[/B] In [B]Advanced Rule Properties[/B], add a new rule. In [B]Description[/B], enter your own description, such as [B]BLOCK JOHN (IP=10.x.x.x)[/B].
[IMG]http://www.isaserver.org/img/upl/blockb31106915897751.gif[/IMG]
[/FONT][FONT=Verdana]On the [B]Action[/B] tab, select [B]Block this traffic[/B] (every new rule is set to [B]Block this traffic[/B] by default).[/FONT]
[FONT=Verdana]In the [B]HOSTS[/B] section, select [B]Apply this rule to MAC address[/B] and enter the [B]MAC[/B] address of the user you want to block. Click [B]OK[/B].[/FONT]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/blockb41106915897751.gif[/IMG][/FONT]
[FONT=Verdana]Now you can see your newly created rule alongside the [B]ALLOW RULE[/B] you created earlier. [U]REMEMBER[/U]! Always keep the [B]ALLOW RULE[/B] at the bottom of the list. [B]SMC[/B] processes rules in [B]TOP TO DOWN[/B] order and stops at the first match, so if the [B]ALLOW RULE[/B] is at the top it matches every packet and the block rules below it are never reached. Keep the [B]ALLOW RULE[/B] in last place so that [B]SMC[/B] evaluates the block rules first and only then the [B]ALLOW RULE[/B].[/FONT]
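The rule-ordering point above and the single-broadcast-domain caveat from the start of the article, shown together in a small model (added example, not code from the article or from Sygate). It assumes that SPF stops at the first matching rule and blocks when nothing matches; all MAC and IP values are constructed samples.

```python
# Added example (not from the original article): a minimal model of the
# Sygate Personal Firewall rule list described above. Rules are evaluated
# top-down, first match wins, so an "allow everything" rule placed above a
# block rule shadows it. It also models the single-broadcast-domain caveat:
# a frame that crossed a router reaches the ISA LAN adapter carrying the
# router's MAC, not the client's. MAC and IP values are constructed samples.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    description: str
    action: str                # "allow" or "block"
    mac: Optional[str] = None  # None means the rule applies to any host

@dataclass
class Frame:
    src_mac: str  # Ethernet source address as seen on the ISA LAN adapter
    src_ip: str

def evaluate(rules, frame):
    """Return the action of the first matching rule, top to bottom.
    With no matching rule SPF blocks (as it does right after install)."""
    for rule in rules:
        if rule.mac is None or rule.mac.lower() == frame.src_mac.lower():
            return rule.action
    return "block"

def frame_from(client_mac, client_ip, router_mac=None):
    """Build the frame the ISA server sees. A client behind a router (another
    broadcast domain) arrives with the router's MAC as the source."""
    return Frame(router_mac or client_mac, client_ip)

JOHN_MAC = "00-11-22-33-44-55"    # constructed sample
ROUTER_MAC = "00-AA-BB-CC-DD-EE"  # constructed sample
ALLOW_ALL = Rule("Allow Rule", "allow")
BLOCK_JOHN = Rule("BLOCK JOHN (IP=10.0.0.7)", "block", mac=JOHN_MAC)

def john_same_segment(rules):
    return evaluate(rules, frame_from(JOHN_MAC, "10.0.0.7"))

def john_behind_router(rules):
    return evaluate(rules, frame_from(JOHN_MAC, "10.0.1.7", ROUTER_MAC))

if __name__ == "__main__":
    print(john_same_segment([ALLOW_ALL, BLOCK_JOHN]))   # allow: block rule shadowed
    print(john_same_segment([BLOCK_JOHN, ALLOW_ALL]))   # block: correct order
    print(john_behind_router([BLOCK_JOHN, ALLOW_ALL]))  # allow: source MAC is the router's
```

Note that blocking the router's MAC instead would cut off every client behind that router, which is why MAC rules are only useful within one broadcast domain.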
[FONT=Verdana][B]SPF[/B] (Sygate Personal Firewall) really helps me a lot in detecting intrusion attempts, flooding attacks, buffer overflow attacks and others. [B]SPF[/B] automatically blocks an attacker's IP address for a few minutes; this and other options can be enabled, disabled or configured in the [B]TOOLS/OPTIONS/SECURITY[/B] menu. You can configure many options to control user access to your server. You can also block virus attacks from LAN users by adding a rule for a file such as [B]SVCHOST.EXE[/B] (which is commonly used by worms for flooding or RPC/DCOM buffer overflow attacks), so that this application cannot seize the [I]ISA SERVER[/I] LAN adapter.[/FONT]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/blockb51106915913735.gif[/IMG][/FONT]
[/LEFT]