Page 1 of 2 (Results 1 to 25 of 27)
  1. Member
    Join Date: Jun 2009 | Location: US | Posts: 58
    Certifications: A+, Sec+, CCNA, CCNA:S, CCNP
    #1

    MAC spoofing incident at work

    Someone plugged a wireless router into one of our access switches at work yesterday. We use MAC white-listing through Server 2008 to allow clients to obtain an IP address and also use IP source guard on our access ports so users can't assign their own IP. Also have DHCP snooping configured on all access ports. They spoofed the MAC of the computer that was already white-listed so the router got the IP address that was associated with that MAC. The router then began handing out its own pool of addresses to computers we haven't white-listed and allowing unauthorized network access. It was NATing its internal addresses to our IP address tied to the approved MAC.

    How could this have been mitigated? Port security wouldn't have helped since the router had the spoofed MAC of the legit computer. You wouldn't have seen any more MACs come in on the port since it was routing traffic between our access VLAN and its own broadcast domain. BPDU guard didn't pop off since it was a router that was plugged in.

    Only way I could think of is to tie our access VLANs to AD and authenticate that way?

    Appreciate any input from you guys.

  3. Member
    Join Date: Aug 2010 | Location: Any local Coffee Shop | Posts: 42
    Certifications: A+, Net+, MSCE(2000), CCNA, Sec+, CISSP, CCNP R&S, CCNP SEC, CCDA
    #2
    I'm thinking 802.1x. It's pretty involved, but if you're that serious about access security it could solve your issue.

  4. Achieve excellence daily
    Join Date: May 2012 | Location: Washington State | Posts: 1,342
    Certifications: CISSP
    #3
    I think you will need some kind of authentication solution. If they spoofed the MAC, then any layer2 protection (port security) just isn't going to work, AFAIK.
    When you go the extra mile, there's no traffic.

  5. astorrs (Drops by now and again)
    Join Date: May 2008 | Location: Vancouver, Canada | Posts: 3,141
    Certifications: I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #4
    Like mochaaddict said, 802.1x is where you want to go - it exists to combat problems like this.

  6. Roguetadhg (Matrix(Config)#)
    Join Date: Jan 2012 | Location: SC | Posts: 2,380
    Certifications: #Cisco: NA #CompTIA: A.N.S
    #5
    Did they catch that 'someone'? I'm amazed they were able to pull the MAC in the first place.

  7. veritas_libertas (Audentis Fortuna Iuvat)
    Join Date: Feb 2009 | Posts: 5,652
    Certifications: eCPPT, GPEN, GWAPT, GCIH, CISSP, CCNA (expired), MCTS
    #6
    If we are talking about the MAC address of the computer plugged into the port (their computer) it should be easy.
    Currently working on: Resting

  8. Roguetadhg (Matrix(Config)#)
    Join Date: Jan 2012 | Location: SC | Posts: 2,380
    Certifications: #Cisco: NA #CompTIA: A.N.S
    #7
    Normal 'users' don't know their way around.

  9. veritas_libertas (Audentis Fortuna Iuvat)
    Join Date: Feb 2009 | Posts: 5,652
    Certifications: eCPPT, GPEN, GWAPT, GCIH, CISSP, CCNA (expired), MCTS
    #8
    Originally Posted by Roguetadhg:
        Normal 'users' don't know their way around.
    I guess I'm suspecting it's not a normal user since they brought their wireless router to work. Also, many wireless routers will walk you through cloning your MAC address to it.
    Currently working on: Resting

  10. Roguetadhg (Matrix(Config)#)
    Join Date: Jan 2012 | Location: SC | Posts: 2,380
    Certifications: #Cisco: NA #CompTIA: A.N.S
    #9
    I've never seen that feature before on wireless routers. I've only garnered experience from one model of wireless router, which I've seen at work, at neighbors' and my own: the Linksys WRT54G (?).

    From what I've seen here, a lot of people just use their mifi or phone for their mobile needs.

  11. phoeneous (Go ping yourself...)
    Join Date: Dec 2008 | Location: Console.WriteLine("Yo"); | Posts: 2,316
    Certifications: Pimp status
    #10
    Hope you have an acceptable use policy that they've signed. I'd fire that person in a heartbeat!

  12. Junior Member
    Join Date: Oct 2012 | Location: VA, USA | Posts: 23
    Certifications: VCP 5, MCSE, MCITP: EA, CCNA, ITIL v3: Foundation, Security+
    #11
    Originally Posted by phoeneous:
        Hope you have an acceptable use policy that they've signed. I'd fire that person in a heartbeat!
    Very true. With the right administrative controls (i.e. Acceptable use policy) in place, your company could make a martyr of the individual(s) involved.

  13. YFZblu (Senior Member)
    Join Date: Nov 2011 | Posts: 1,423
    Certifications: A+, N+, S+, CCNA, CCNA:Sec, GSEC, GCIH, GCFE
    #12
    What do you mean, they plugged it into the switch? Are you saying this is an IT person with physical access to the switch, or do you mean this is a user that plugged the router into a cubicle/office/lobby ethernet port?

    If untrustworthy individuals have physical access to the network infrastructure, I'm not sure there's much you can do other than fire the person and ensure only trustworthy people have access to the data closet.

  14. Member
    Join Date: Jun 2009 | Location: US | Posts: 58
    Certifications: A+, Sec+, CCNA, CCNA:S, CCNP
    #13
    Should have been more clear; it was a user who plugged into their wall port, not the switch. Unfortunately I'm in a unique situation overseas where we can't 'fire' someone for network violations.

    Supposedly this user is also in the communications field so he was more than capable of spoofing his MAC.

    Thanks for the 802.1X recommends, too bad we can't field that in our network.

  15. Roguetadhg (Matrix(Config)#)
    Join Date: Jan 2012 | Location: SC | Posts: 2,380
    Certifications: #Cisco: NA #CompTIA: A.N.S
    #14
    What you're getting at is: It's going to happen again, and there's not a thing we can do.

  16. Junior Starcraft Engineer
    Join Date: Mar 2007 | Location: Twin Cities, Minnesota | Posts: 2,777
    Certifications: A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #15
    I agree; 802.1x is the only solution. I'm not sure why you can't use it, but without it you don't have much choice. MAC filtering is effective access control against non-savvy users, but it should never be treated as an effective security measure. It is too easy to spoof MAC addresses, and even an attacker who didn't actually possess an authorized device could probably get at one long enough to get its MAC.

  17. YFZblu (Senior Member)
    Join Date: Nov 2011 | Posts: 1,423
    Certifications: A+, N+, S+, CCNA, CCNA:Sec, GSEC, GCIH, GCFE
    #16
    Originally Posted by Jason0352:
        Should have been more clear; it was a user who plugged into their wall port, not the switch. Unfortunately I'm in a unique situation overseas where we can't 'fire' someone for network violations.

        Supposedly this user is also in the communications field so he was more than capable of spoofing his MAC.

        Thanks for the 802.1X recommends, too bad we can't field that in our network.
    Was it a spare wall port? Or did the user unplug his/her computer from the network and use that one? If it was a spare, you need to add that port to a parking lot VLAN and disable the port.

    But yeah, the person needs to be fired. Sure, you can band aid this problem by implementing more security, but you shouldn't be focusing on DHCP issues - You should be focusing on the real threat, which is the employee in your offices actively trying to harm the business. Threatening litigation against this person would not be a bad idea, btw.
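    What the 802.1X recommendation in post #15, together with the parking-lot VLAN for spare ports in post #16, looks like on a Cisco IOS access switch. This is an added example config, not from any poster in this thread or from the OP's network: the DHCP snooping and IP source guard the OP already runs stay in place, 802.1X is layered on top, and unused wall ports are parked and shut. The RADIUS server name and address (192.0.2.10), the shared secret, VLAN numbers and interface names are placeholders, and the `radius server` block uses IOS 15.2+ syntax; older releases use `radius-server host` instead.

```cisco
! Added example (not the thread's own config). Placeholders: RADIUS name/address,
! shared secret, VLAN 10 (users), VLAN 999 (parking lot), interface names.
!
! --- Global: AAA and 802.1X, the control the thread recommends ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius server NAC-RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! --- Global: the controls the OP already has; they stay, 802.1X is added on top ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- User wall port ---
! Before: MAC white-list plus source guard. A device cloning an approved MAC
! inherits that MAC's DHCP binding, so source guard passes its NATed traffic
! and nothing on the port ever asks for a credential.
! After: the port stays unauthorized until a supplicant completes EAP against
! RADIUS. Cloning a MAC does not yield the user's credentials, so the rogue
! router is held in the unauthorized state and the access VLAN is never reached.
interface GigabitEthernet1/0/5
 description user wall port, 802.1X enforced
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 ip verify source
 ip dhcp snooping limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Spare wall ports: parking-lot VLAN and administratively shut ---
interface range GigabitEthernet1/0/20 - 24
 description unused, parked
 switchport mode access
 switchport access vlan 999
 shutdown
```

    Two caveats a practitioner would want. First, the gain here is the credential requirement, not the MAC check: if MAB (MAC authentication bypass) is later added as a fallback and the same white-listed MACs are placed in the RADIUS policy, a cloned MAC is accepted again, so keep MAB for printers and similar devices only, in their own restricted policy. Second, periodic re-authentication (`authentication periodic` with the server-supplied timer) limits how long an authorized state survives after the original device is unplugged; `show authentication sessions interface GigabitEthernet1/0/5` shows which identity is currently authorized on the port and is the first thing to check when a port's traffic looks wrong.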

  18. Junior Member
    Join Date: Oct 2012 | Location: VA, USA | Posts: 23
    Certifications: VCP 5, MCSE, MCITP: EA, CCNA, ITIL v3: Foundation, Security+
    #17
    Originally Posted by Jason0352:
        Should have been more clear; it was a user who plugged into their wall port, not the switch. Unfortunately I'm in a unique situation overseas where we can't 'fire' someone for network violations.

        Supposedly this user is also in the communications field so he was more than capable of spoofing his MAC.

        Thanks for the 802.1X recommends, too bad we can't field that in our network.
    If there is no accountability for following the rules, then this MAC spoofing incident could prove to be quite tame compared to future violations.

  19. veritas_libertas (Audentis Fortuna Iuvat)
    Join Date: Feb 2009 | Posts: 5,652
    Certifications: eCPPT, GPEN, GWAPT, GCIH, CISSP, CCNA (expired), MCTS
    #18
    Originally Posted by YFZblu:
        Was it a spare wall port? Or did the user unplug his/her computer from the network and use that one? If it was a spare, you need to add that port to a parking lot VLAN and disable the port.

        But yeah, the person needs to be fired. Sure, you can band aid this problem by implementing more security, but you shouldn't be focusing on DHCP issues - You should be focusing on the real threat, which is the employee in your offices actively trying to harm the business. Threatening litigation against this person would not be a bad idea, btw.
    I can understand your feelings from a tech's perspective, but we also need to come to understand why employees do what they do. Was the employee simply trying to make his job easier to do? Did he want to use his laptop? There may be more going on than meets the eye. Was there a policy in place that says you can't do that, and is it readily known? Most employees are simply trying to get their job done, and more easily/quickly. Yes, to us it's an obvious red flag, but to an employee it might simply be a way for him/her to get their job done easier.
    Currently working on: Resting

  20. YFZblu (Senior Member)
    Join Date: Nov 2011 | Posts: 1,423
    Certifications: A+, N+, S+, CCNA, CCNA:Sec, GSEC, GCIH, GCFE
    #19
    I think you bring up a good point - What is the security policy? The fact that this person came to TE for ideas indicates to me there may not be one. Well, not a good one.

  21. Roguetadhg (Matrix(Config)#)
    Join Date: Jan 2012 | Location: SC | Posts: 2,380
    Certifications: #Cisco: NA #CompTIA: A.N.S
    #20
    However the willingness to embrace ideas from his needs and what actually gets done... that's not always left up to the people in the trenches. So to speak.

    S/he's being tied to out-of-country (overseas) regulations, at which point the MAC incident led to numerous unauthorized visitors.

    It sounds to me there is a security policy; it's just beyond his direct control. Time to start brown nosing!

  22. RouteMyPacket (Senior Member)
    Join Date: Aug 2012 | Location: Dallas | Posts: 1,077
    Certifications: CCWKIA (Cisco Certified Wannabe Know It All)
    #21
    You are going to like this, but the most generic way to ensure people don't plug things into my switch gear currently is to only patch in the switch's active ports and admin shut the remainder until requested/needed.

    I have facilities people walking into my closets plugging in cameras and who knows what else so this is the route chosen for now. I am preparing to install a new switch in each IDF tied to my public network for this going forward.

  23. Member
    Join Date: Jun 2009 | Location: US | Posts: 58
    Certifications: A+, Sec+, CCNA, CCNA:S, CCNP
    #22
    Originally Posted by RouteMyPacket:
        You are going to like this, but the most generic way to ensure people don't plug things into my switch gear currently is to only patch in the switch's active ports and admin shut the remainder until requested/needed.
    That is our policy also, but whenever the user unplugs his active patch cable from his approved computer to his home brand wireless router there's not a whole lot that policy can save you from.

  24. RouteMyPacket (Senior Member)
    Join Date: Aug 2012 | Location: Dallas | Posts: 1,077
    Certifications: CCWKIA (Cisco Certified Wannabe Know It All)
    #23
    Originally Posted by Jason0352:
        That is our policy also, but whenever the user unplugs his active patch cable from his approved computer to his home brand wireless router there's not a whole lot that policy can save you from.
    Well, I tend to handle that by walking over to the offender and beating them into a living death! It's set precedent, trust me!

  25. YFZblu (Senior Member)
    Join Date: Nov 2011 | Posts: 1,423
    Certifications: A+, N+, S+, CCNA, CCNA:Sec, GSEC, GCIH, GCFE
    #24
    Originally Posted by Apollo80:
        If there is no accountability for following the rules, then this MAC spoofing incident could prove to be quite tame compared to future violations.
    /thread. If the company is not willing to invest in 802.1x, and not willing to hold employees terminally accountable for their actions, why even spend time/energy on it? Next time it could be worse, but they know that.

  26. Member
    Join Date: Jun 2009 | Location: US | Posts: 58
    Certifications: A+, Sec+, CCNA, CCNA:S, CCNP
    #25
    Believe me, I would have no problem doing any of the aforementioned corrective measures if it were in fact a traditional company network. But to preserve OPSEC I will not disclose any more details of who or where I work. Thanks for all the help.
