DickDigggler

Q: Ethernet security

Our IT department has our machines locked down by MAC address, so only our systems can access the internet. The new Thunderbolt Display has its own MAC address. My problem with my IT department is, if they let the display on the network, anyone with a Thunderbolt-equipped Mac could access our network.

 

Anyone with any suggestions? Thanks for any reply.

Posted on Sep 21, 2011 12:06 PM


  • by Smudge, Level 1 (131 points), Sep 21, 2011 9:04 PM in response to DickDigggler

    Um, MAC addresses are unique for every Ethernet device. It won't conflict with other Thunderbolt Displays.

     

    The only possibility of conflict, and it would be cool if it did it, is if the display mirrored the MAC address of the connected computer. That way your IT department wouldn't have to change your authorization, as the MAC address would be the same. You would just have to be sure that you don't have Ethernet connected to both at the same time (which I doubt you would ever have to do).

  • by DickDigggler, Level 1 (10 points), Sep 22, 2011 4:03 AM in response to Smudge

    That is correct, and the Thunderbolt Display has an Ethernet Display port in Network Prefs. It has its own unique MAC address. So in order for me to use the display's Ethernet port, THAT address needs to be used, not my MacBook Pro MAC address. In the end it is a security risk, as the display when connected to our network is the same as an open port, meaning that anyone with a Thunderbolt Mac can plug in and go.

     

    And I agree, mirroring would solve it. Or setting the display with its own lock screen.

  • by Mario_MM (Helpful), Level 3 (745 points), Sep 22, 2011 8:53 AM in response to DickDigggler

    Using 'ifconfig' you can set the MAC address to any value you like. Assuming your Thunderbolt Display has the interface name en3, you could for example change its MAC address using 'ifconfig en3 ether 00:01:02:03:04:05'. If you use the address of your MacBook Pro instead of 00:01:02:03:04:05, you should be able to gain access to the network. But that might violate some rules, so check with your IT department first.

  • by DickDigggler, Level 1 (10 points), Sep 22, 2011 9:09 AM in response to Mario_MM

    It does have en3 as the interface name. I will look up the Terminal command to change it. Thanks.

  • by Smudge, Level 1 (131 points), Sep 22, 2011 10:16 AM in response to DickDigggler

    The ifconfig command to change it (as root user or using sudo) is simply "ifconfig en3 lladdr 00:11:22:33:44:55", of course inserting your MAC address.

     

    You will need to do some testing, because normally the command to change the address is only valid during that boot. When you reboot the computer, it would reset the address back to the hardcoded address. However, since it is in the display and it doesn't reboot like a computer, I'm not sure what would happen. It might keep the address or it might reset it when you disconnect. Is there another TB-enabled laptop you can borrow to test it, to see if the address stays changed when you switch connected computers?

     

    If not, you would have to write a script to change it every time you connect, so that it would set the display's MAC address (en3) to the same as your laptop's Ethernet (en0).

     

    If it doesn't work out and there is a security risk, your IT department might want to look into locking out the TB's MAC address from the network and require you to continue connecting the Ethernet to your laptop. Not ideal, but IT security policies hardly ever are.

     

    Another idea they might want to look into is to use an Ethernet port lock so that someone can't use the TB's Ethernet port at all.

    Either way, please post back with your findings/solution, as I'm very interested to know how this turns out.

  • by DickDigggler, Level 1 (10 points), Sep 22, 2011 12:29 PM in response to Smudge

    I do not have another TB system. The MAC address did reset to the display's address. I needed to run ifconfig again to change it.

  • by DickDigggler, Level 1 (10 points), Sep 23, 2011 6:16 AM in response to DickDigggler

    UPDATE:

     

    Found another TB Mac. Launched mine and ran the command from Terminal. Made sure I had a good connection, then closed the lid and put it to sleep. Unplugged the TB display port and plugged it in to an already-on 2nd TB system. Could not access anything online, and the MAC address reported by ifconfig was the original MAC of the display. Shut down the 2nd system and plugged the port back into mine. Woke from sleep and was still connected; I did not need to run the command again.

     

    I will be making a script to put in my dock to run at boot or after a restart and shutdown. The laptop has to be connected to the screen to see the en3 port, so I don't want to do it at boot since I might not have it plugged in.

     

    Thanks for all the help.

  • by nicholasfromnottingham, Level 1 (0 points), Sep 23, 2011 8:55 AM in response to DickDigggler

    Well, the problem fundamentally is that your IT department should not be authenticating / restricting by MAC address. It is an absurd, completely insecure thing to do.

     

    They should be using 802.1X instead, which would not be affected.

  • by Smudge, Level 1 (131 points), Sep 23, 2011 11:59 AM in response to nicholasfromnottingham

    Good to hear you have found a fix, but I agree that your IT dept shouldn't be using that method. As you have done, it isn't difficult to change a MAC address to a known authenticated address and gain network access.

  • by DickDigggler, Level 1 (10 points), Sep 23, 2011 12:03 PM in response to Smudge

    I agree. It amazed me how easy it was to spoof the address. Unfortunately, talking to our IT about how they should run the network, well... not an easy thing to do with that Myers-Briggs type. I will have to research that 802.1X security and bring it up maybe. Always thought that was just for wireless access.

  • by Mr.MacHine, Level 1 (0 points), Sep 29, 2011 8:37 AM in response to nicholasfromnottingham

    Our IT department uses 802.1X as well as registered MAC addresses for hardwired machines. It is just a belt-plus-suspenders approach to prevent users from adding a lot of hardware on the network and creating problems (this is a university, and you can't trust us faculty or those students...).

     

    The problem with cloning your MB address to the display is when you walk away from your desk and plug the MB into another Ethernet port: you now have two devices with the same MAC address, which can make the IT department most unhappy.

     

    Just register another MAC address for the TD and go on your merry way. (Now, if MAC filtering is all IT uses for access control, you have bigger problems...)

     

    (By the way, people who are complaining that their Ethernet is broken may be experiencing the Wrath of IT. I didn't realize the TD had an Ethernet port when I ordered it and was pleased to discover one. My system at home doesn't do MAC filtering and things worked from the start, but at work I just saw a non-responsive Ethernet device until I realized the TD was a router and not a hub.)
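Smudge's observation that a cloned MAC "isn't difficult" to detect in principle, and Mr.MacHine's point that a cloned address will eventually show up on two switch ports at once, both suggest the check a network team actually wants if it insists on MAC-based access control: watch where each MAC is learned and alert when the same address moves between ports faster than a person can walk between desks. The following is an added example, not code from this thread or from any vendor; the log line format, the switch and port names and the sample MAC addresses are all constructed for the demonstration.

```python
"""Flag MAC addresses learned on more than one switch port within a short window.

Added example: the line format ("<ISO timestamp> switch=<name> port=<port>
mac=<mac> event=learn") is constructed for this demo and is not any
vendor's real syslog format; adapt parse() to your own switch or DHCP logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 00:11:22:33:44:55 is learned on Gi0/12, then 15 minutes
# later on Gi0/24, then two seconds later back on Gi0/12 (the cloned-MAC
# pattern).  aa:bb:cc:dd:ee:01 moves floors three hours apart, which is a
# normal "walked to another desk" move and should not alert.
SAMPLE_LOG = """\
2011-09-23T08:55:01 switch=sw-floor2 port=Gi0/12 mac=00:11:22:33:44:55 event=learn
2011-09-23T08:55:30 switch=sw-floor2 port=Gi0/13 mac=aa:bb:cc:dd:ee:01 event=learn
2011-09-23T09:10:07 switch=sw-floor2 port=Gi0/24 mac=00:11:22:33:44:55 event=learn
2011-09-23T09:10:09 switch=sw-floor2 port=Gi0/12 mac=00:11:22:33:44:55 event=learn
2011-09-23T12:00:00 switch=sw-floor3 port=Gi0/02 mac=aa:bb:cc:dd:ee:01 event=learn
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) switch=(?P<switch>\S+) port=(?P<port>\S+) "
    r"mac=(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}) event=(?P<event>\S+)$"
)


def parse(text):
    """Turn log text into a list of learn events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "learn":
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "location": f"{m['switch']}/{m['port']}",
            "mac": m["mac"].lower(),   # normalise case so aa:bb == AA:BB
        })
    return events


def find_port_flaps(events, window=timedelta(hours=1)):
    """Return {mac: [(t_prev, loc_prev, t_now, loc_now), ...]} for every MAC
    that was learned on two different locations less than `window` apart.

    Consecutive learns on the same port are ignored; a slow move between
    ports (longer than the window) is treated as a legitimate relocation.
    """
    by_mac = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_mac[e["mac"]].append((e["ts"], e["location"]))

    alerts = {}
    for mac, seen in by_mac.items():
        for (t_prev, loc_prev), (t_now, loc_now) in zip(seen, seen[1:]):
            if loc_prev != loc_now and t_now - t_prev <= window:
                alerts.setdefault(mac, []).append((t_prev, loc_prev, t_now, loc_now))
    return alerts


def format_alerts(alerts):
    """Render the alert dict as one human-readable line per flap."""
    lines = []
    for mac, flaps in sorted(alerts.items()):
        for t_prev, loc_prev, t_now, loc_now in flaps:
            delta = int((t_now - t_prev).total_seconds())
            lines.append(f"{mac}: {loc_prev} -> {loc_now} after {delta}s (at {t_now.isoformat()})")
    return lines


if __name__ == "__main__":
    for line in format_alerts(find_port_flaps(parse(SAMPLE_LOG))):
        print(line)
```

The one-hour window is a tuning knob: too short and a genuinely cloned address that only moves once a day slips through, too long and every laptop carried between meeting rooms alerts. Feeding the same logic real DHCP lease or `mac address-table` exports is the usual next step, and none of it changes the thread's conclusion that the right fix is 802.1X rather than better MAC bookkeeping.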

  • by ttcheng@rci, Level 1 (8 points), Apr 22, 2016 7:28 AM in response to Mr.MacHine

    I have a scenario where a company uses MAC (as one of many) means to identify and authorize network access. Once the MAC is approved, it gets a valid IP via DHCP.

     

    We were not allowed to use the Thunderbolt's Ethernet port because an unauthorized Mac can be attached to the Display and then have access to the network. Yes, the intruding device would not have authorization credentials, but the intruding device isn't restricted from attacking the network.

     

    Is there a way to prevent a Thunderbolt Display being attached to the network unless the attaching Mac is authorized?