It's possible to lock down a network from use by rogue machines (a laptop brought in from outside, for example), but it isn't easy. See these links for passing and blocking packets by MAC address:
But.. keep in mind that someone can spoof MAC addresses also. Some switches can "lock" a MAC address to a specific port, so if you have one of those, use the iptables stuff from the links above to pass only the addresses you already know. If you then can keep your all your offices and the switch under lock and key.. you might stop all but the most determined wanderers.
If you need to get more sophisticated (some machines have more access than others), combine this with DHCP that assigns specific IP addresses to specific MAC addresses. As long as you have that blocking switch, and no physical access to its ports, you can then be reasonably sure that a particular IP address really came from the machine you expected it to - or somebody drilled holes in your walls or otherwise physically compromised your network.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2012-06-17 Tony Lawrence
A common and not necessarily apocryphal example portrays a solo practitioner starved for business in a small town. A second lawyer then arrives, and they both prosper. (Deborah L. Rhode)