Solved

prevent MAC address Spoofing

Posted on 2010-09-19
Medium Priority
2,850 Views
Last Modified: 2012-05-10
Hi all,
Everyone knows MAC address spoofing is a great threat. How can this be prevented on Cisco and Nortel ERS? I know this can be done with 802.1X authentication, but is there any other workaround like DHCP snooping, Dynamic ARP Inspection, etc.?

Thanks,
Peter
0
Question by:anishpeter
9 Comments
 
LVL 7

Accepted Solution

by: joelvp earned 2000 total points
ID: 33713428
I can only tell you about Cisco. I assume you are talking about a DHCP environment.

The standard approach for prevention of MAC address spoofing would be to first enable DHCP snooping globally with:

ip dhcp snooping
ip dhcp snooping vlan <vlan-range>

For trusted ports ((uplink) switch ports to which a DHCP server is connected) you have to disable DHCP snooping checking by designating the port as such with:

interface <name of the interface>
ip dhcp snooping trust

A database of DHCP bindings is built in the switch, and this one can be used for checking the traffic. Add the global command:

ip arp inspection vlan <vlan-range>

to enable ARP inspection for the specified VLANs.

For more information I would recommend checking the manual for the specific switch model and IOS version you have, e.g. for 3750 switches with IOS 12.2(52) you can go to http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swdynarp.html
0
 
LVL 1

Author Comment

by:anishpeter
ID: 33713741
Hi joelvp,
I agree with you. But let's say I have my MAC address and the IP address that I got from the DHCP server in the DHCP snooping table. If I am offline and someone else puts my IP as a static address on his system and changes his MAC to my MAC address using spoofing tools, will he be able to access the network and do whatever I can do with my credentials?

Thanks,
Peter
0
 
LVL 7

Assisted Solution

by:joelvp
joelvp earned 2000 total points
ID: 33713800
Hi Peter,

You would have to add IP Source Guard using the command on the interface:

ip verify source

This prevents traffic coming in from a port with different information than in the snooping database, so he cannot just assign a static IP address to his host.
Now if he duplicates your MAC address as well and connects to another port while your PC is offline, the system will not be able to detect the difference between this and you just moving your PC to another port. You would have to use something like port security to protect from this type of attack. This can restrict certain MAC addresses to certain ports.

DHCP snooping and Dynamic ARP Inspection are only used to protect from man-in-the-middle attacks. With this attack the MAC address is not duplicated, but the ARP cache is poisoned, meaning that he is connecting your IP address to his MAC address.
0
 
LVL 1

Author Comment

by:anishpeter
ID: 33713839
Hi joelvp,
OK, I agree. I found that even though DAI and IP Source Guard work in different ways, DAI can also prevent IP spoofing. Do you agree? Then what is the need for IP Source Guard?
Also I can see the DHCP snooping database is built up whenever a computer is switched on. Then what is the use of saving the snooping database to TFTP?

Thanks,
Peter
0
 
LVL 25

Expert Comment

by:madunix
ID: 33717657
Implementing port security could be an option:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/port_sec.htm
You could allow only 1 MAC address per port and enable DHCP snooping globally and on each interface...
0
 
LVL 1

Author Comment

by:anishpeter
ID: 33717925
Hi madunix,
I once implemented port security and reverted back. The main problem I faced was users working from different seats. Laptop users sometimes go to meeting rooms and work from other places. The overhead of administration became very heavy. So now I plan to implement DHCP snooping, DAI and IP Source Guard.
This is my finding: even though DAI and IP Source Guard work in different ways, DAI can also prevent IP spoofing. Do you agree? Then what is the need for IP Source Guard?
Also I can see the DHCP snooping database is built up whenever a computer is switched on. Then what is the use of saving the snooping database to TFTP?

Thanks,
Peter
0
 
LVL 7

Assisted Solution

by:joelvp
joelvp earned 2000 total points
ID: 33718083
To answer your question about the TFTP: this is needed in case the switch reboots or loses power for one reason or another. It can then retain its database; otherwise it would block all traffic except DHCP requests after boot-up.

About the other issues: you should go from the different attack types to the prevention mechanisms instead of the other way round. What is the thing you want to handle most? If it is a man-in-the-middle attack by ARP poisoning, then DAI is needed to mitigate it. If it is to avoid users randomly using IP addresses (by which they could sometimes circumvent security, but this depends on the rest of your setup), then IP Source Guard is the way to protect. To avoid the attack of a MAC address table overflow by an attacker generating a huge number of different MAC addresses, you can use port security or IP Source Guard. Both IP Source Guard and DAI require the DHCP snooping database.

Make sure when doing DHCP snooping that you designate the uplinks as trusted ports, or no one will get an IP address.
0
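The pieces joelvp spreads over his three answers (DHCP snooping plus DAI, IP Source Guard, the persisted binding database, trusted uplinks) and madunix's port-security suggestion, pulled together into one Catalyst configuration. This is an added example written for this page, not configuration posted in the thread; the syntax is that of a Catalyst 3750 on 12.2(52)SE, the release the accepted answer links to. VLAN 10, the interface numbers, the database filename and the static host 10.0.10.5 / 0011.2233.4455 are assumptions made up for the example.

```cisco
! Added example (not from the thread). Catalyst 3750, IOS 12.2(52)SE syntax.
! Assumed: VLAN 10 = user VLAN, Gi1/0/1 = uplink towards the DHCP server,
! Gi1/0/2-24 = user access ports, flash:/snoop.db = binding-database file,
! 10.0.10.5 / 0011.2233.4455 = a constructed static host (e.g. a printer) on Gi1/0/10.
!
! --- 1. DHCP snooping: learn IP/MAC/VLAN/port bindings from DHCP exchanges ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the bindings so a reload does not leave every untrusted port with an
! empty table, which would make DAI drop all ARP and source guard drop all IP traffic
! until each host renews its lease.
ip dhcp snooping database flash:/snoop.db
ip dhcp snooping database write-delay 30
!
! --- 2. Dynamic ARP Inspection: drop ARP whose sender IP/MAC is not a known binding ---
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! Hosts with static addresses never appear in the snooping table. Without a
! whitelist DAI drops their ARP replies, so permit them explicitly.
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
! The same static host also needs a manual source-guard binding on its port.
ip source binding 0011.2233.4455 vlan 10 10.0.10.5 interface GigabitEthernet1/0/10
!
! --- Uplink: trusted for snooping (DHCP server replies arrive here) and for DAI
! (ARP from hosts on other switches has no local binding) ---
interface GigabitEthernet1/0/1
 description uplink to core / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User ports: untrusted, rate-limited, source guard + port security ---
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
! 3. IP Source Guard. Plain "ip verify source" (joelvp's command) filters on source
!    IP only; the port-security keyword also checks the source MAC against the
!    binding and requires port security on the port. Leave DHCP option 82
!    insertion at its default (on); this variant depends on it on this release.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip verify source port-security
!
! Ports that err-disable from a rate-limit violation recover on their own after 5 min.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Check the result with show ip dhcp snooping binding (learned bindings), show ip dhcp snooping database (agent status and the last read/write of the flash file, which is the first place to look when bindings do not come back after a reload), show ip arp inspection statistics vlan 10 (DAI drops), show ip verify source (the per-port filter actually installed) and show port-security interface. A port that fronts a hub or unmanaged switch sees every downstream host's MAC on that single port, so its switchport port-security maximum has to be raised to the number of hosts behind it.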
 
LVL 1

Author Comment

by:anishpeter
ID: 33718180
Hi joelvp,
I was trying to save the database to a file in flash. It is saved, but not loaded automatically upon reboot. Any idea?
I have some unmanaged 8-port switches which are connected to a single port of a managed Cisco switch where snooping, DAI and IP Source Guard are configured. Only one machine is getting an IP from DHCP and its address is populated in the snooping database. What do I do to get access for the other machines?

Thanks,
Peter
0
 
LVL 7

Expert Comment

by:joelvp
ID: 33719214
Hi Peter, not sure about your saving to flash. Was the config saved properly? Maybe refer to it as disk0 or flash? Maybe ask this in another question. About the unmanaged switch, I don't think this is possible. Behind an untrusted port, you can have only one DHCP client.
0
