  1. Senior Member DoubleNNs
    #26
    Originally posted by veritas_libertas:
    I guess I'm suspecting it's not a normal user since they brought their wireless router to work. Also, many wireless routers will walk you through cloning your MAC address to it.

    Just chiming in to say that's true. Any user who has just enough tech skills to configure a home network (using the CD that comes w/ the router even) should be able to spoof a router MAC. I used to do it as a frosh in college so we could get our video game systems on the net. Other people used to do it to help w/ P2P networks. I didn't know what "Layer 2" was or even the technical name for what I was doing, just how to do it.

  3. Senior Member
    #27
    Originally posted by Jason0352:
    Someone plugged a wireless router into one of our access switches at work yesterday. We use MAC white-listing through Server 2008 to allow clients to obtain an IP address and also use IP source guard on our access ports so users can't assign their own IP. Also have DHCP snooping configured on all access ports. They spoofed the MAC of the computer that was already white-listed so the router got the IP address that was associated with that MAC. The router then began handing out its own pool of addresses to computers we haven't white-listed and allowing unauthorized network access. It was NATing its internal addresses to our IP address tied to the approved MAC.

    How could this have been mitigated? Port security wouldn't have helped since the router had the spoofed MAC of the legit computer. You wouldn't have seen any more MACs come in on the port since it was routing traffic between our access VLAN and its own broadcast domain. BPDU guard didn't pop off since it was a router that was plugged in.

    Only way I could think of is to tie our access VLANs to AD and authenticate that way??

    Appreciate any input from you guys.

    Are you sure it was a wireless router? If it was a standard user I'd look at it more like someone using Connectify or similar on their laptop. What was the spoofed MAC tied to?