Question
Thursday, December 26, 2013 8:29 PM
I want to create a Windows Firewall inbound rule to allow an inbound connection to a specific port only if the remote device is identified with a MAC Address in a subset of MAC Addresses I predefine. Effectively, loose device authentication, not network authentication (IP Address-based). Is it possible to do this with Windows Firewall?
Thanks
All replies (6)
Friday, December 27, 2013 12:02 PM ✅Answered | 1 vote
Hi,
First, unfortunately it's not possible to do authentication by MAC address in Windows Firewall.
Secondly, "authentication" with a MAC address can sound like a smart idea at first look, but for two reasons it's not as good as you might think:
1. A server (or a device) only knows the MAC addresses of devices in the same broadcast domain it resides in itself; that means you can only filter on devices in the same subnet. Since it's not possible with Windows Firewall, the way you could sort of achieve this is with static ARP entries (you hard-code a specific IP address to a specific MAC address, as in my example below). However, it's not something I would recommend you do.
> arp -s 157.55.85.212 00-aa-00-62-c6-09 .... Adds a static entry.
2. Since it's quite easy to spoof MAC addresses, it would be quite easy to steal the "real" device's IP address and MAC address and in that way get "authenticated".
If it's Windows devices you are working with, I would instead recommend you look into Connection Security Rules with Windows Firewall, where you can use AD users/groups to authenticate traffic.
MCT | MCSE: Private Cloud/Server, Desktop Infrastructure
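The Connection Security Rule approach recommended in the answer above, as an added PowerShell example (this is not code from the thread's author). It assumes a domain-joined Windows Server 2012 or later host with the NetSecurity module, and an AD computer group named "CONTOSO\Remote Admin Devices" (a placeholder name) whose members are the only machines allowed to reach TCP 3389. Instead of trusting a spoofable MAC address, the firewall rule only matches inbound connections that have already been authenticated by IPsec and whose peer machine account belongs to that group.

```powershell
# Added example, not from the original thread. Assumes a domain-joined host and a
# placeholder AD computer group "CONTOSO\Remote Admin Devices". Run as Administrator.

# 1. Resolve the SID of the AD group that is allowed to connect (placeholder group name).
$group = New-Object System.Security.Principal.NTAccount("CONTOSO\Remote Admin Devices")
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 2. Connection Security Rule: require IPsec authentication for inbound TCP 3389.
#    With the default authentication set this is Kerberos computer authentication,
#    so the peer must prove a domain machine identity before the port is reachable.
New-NetIPsecRule -DisplayName "Require IPsec for RDP" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 3389

# 3. Inbound firewall rule that only allows authenticated peers whose machine account
#    is in the group. RemoteMachine takes an SDDL string with one allow ACE for the SID.
New-NetFirewallRule -DisplayName "RDP - authenticated group members only" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Authentication Required -RemoteMachine "O:LSD:(A;;CC;;;$sid)"

# 4. Verify what was created: the IPsec rule and the security filter on the firewall rule.
Get-NetIPsecRule -DisplayName "Require IPsec for RDP" |
    Format-List DisplayName, InboundSecurity, OutboundSecurity
Get-NetFirewallRule -DisplayName "RDP - authenticated group members only" |
    Get-NetFirewallSecurityFilter |
    Format-List Authentication, RemoteMachine
```

Two practical notes: any pre-existing "Remote Desktop" allow rule without -Authentication Required would still let unauthenticated peers in, so disable or tighten it; and because the identity travels inside IPsec at layer 3, this keeps working across routers, which is exactly where a MAC-based check breaks down.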
Saturday, December 28, 2013 8:54 PM ✅Answered
Most organizations make end user services like webmail and so on available directly from the internet (over SSL, of course). But when it comes to remote access for administration, which I am guessing you want to achieve, most organisations use some kind of VPN (virtual private network) solution, and depending on their security demands they have one or more factors of authentication required to gain access. You may have this functionality in your firewall, and if not, Windows Server comes with several remote access solutions included (DirectAccess and different kinds of VPN). Read more about setting that up on, for example, http://technet.microsoft.com/en-us/library/cc725734(v=ws.10).aspx and http://blogs.msdn.com/b/canberrapfe/archive/2012/07/12/simple-direct-access-setup-with-windows-server-2012-rp.aspx. With a VPN connection active, your client will be in your 'internal' network and be able to access those resources like you were in the office (applies to most services...). Hope this gives you some help on your way!
MCT | MCSE: Private Cloud/Server, Desktop Infrastructure
Friday, December 27, 2013 6:37 PM | 1 vote
Interesting, I did not know this. Are you saying when a network request passes through a gateway, that the gateway overwrites the original client's MAC address? I understand proxy scenarios but I am only concerned about allowing specific persistent peer-to-peer connections at the moment.
I am trying to limit connections to phones as well as PCs, so AD won't work in this case.
Saturday, December 28, 2013 2:59 PM
Hi,
You could put it like that if you'd like.
So, when you go from using ARP and speaking directly between the devices in your subnet to using a router (default gateway), your MAC address is not passed along with the packets you are sending, regardless of where the final destination is. Read more about this on, for example: http://en.wikipedia.org/wiki/OSI_model (Layer 2 and Layer 3).
What are you actually trying to achieve? Do you want to filter out certain devices from connecting to a specific server or what do you want to do?
//Johan
MCT | MCSE: Private Cloud/Server, Desktop Infrastructure
Saturday, December 28, 2013 8:13 PM
Thank you for the very informative response.
What you mentioned is exactly what I am trying to achieve. On my router I have port forwarding to my server for things such as Remote Desktop (3389) and ports for my XProtect security camera service. The thing is, I don't want anybody else on the internet to know those ports are available. I have some laptops and phones I want to allow through. And I don't know all the IP addresses where my phones and laptops may be (Starbucks, etc.). Therefore, I was trying to simply filter inbound requests by MAC address.
It sounds, from what you are saying, like this is simply not possible. That's quite unfortunate. What do other people on the internet do to secure their private networks?
Thanks!
Wednesday, December 6, 2017 3:20 AM
Interesting, I did not know this. Are you saying when a network request passes through a gateway, that the gateway overwrites the original client's MAC address? I understand proxy scenarios but I am only concerned about allowing specific persistent peer-to-peer connections at the moment.
I am trying to limit connections to phones as well as PCs, so AD won't work in this case.
Any updates as far as an option goes for Windows 10?