Solved

prevent MAC address Spoofing

Posted on 2010-09-19
Last Modified: 2012-05-10
hi.. All,
Everyone knows MAC address spoofing is a great threat. How can this be prevented on Cisco and Nortel ERS? I know this can be done with 802.1X authentication, but are there any other workarounds like DHCP Snooping, Dynamic ARP Inspection, etc.?

Thanks,
Peter
Question by:anishpeter
9 Comments
 
LVL 7

Accepted Solution

by:
joelvp earned 500 total points
ID: 33713428
I can only tell you about Cisco. I assume you are talking about a DHCP environment.

The standard approach for prevention of MAC address spoofing would be to first enable
DHCP snooping globally with:

ip dhcp snooping
ip dhcp snooping vlan <vlan-range>

For trusted ports ((uplink) switch ports to which a DHCP server is connected)
you have to disable DHCP snooping checking by designating the port as such with:

interface <name of the interface>
ip dhcp snooping trust

A database of DHCP bindings is built in the switch, and this can be used
for checking the traffic.
Add the global command:

ip arp inspection vlan <vlan-range>

to enable ARP inspection for the specified VLANs.

For more information I would recommend checking the manual for the specific
switch model and IOS version you have. E.g. for 3750 switches with IOS 12.2(52),
you can go to http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swdynarp.html
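The accepted answer above lists the commands one at a time. The following is an added example (not part of the original post or the poster's configuration) that puts them together into a minimal working DHCP snooping + DAI baseline for a Catalyst access switch. The VLAN numbers, interface names and which port is the uplink are assumptions for illustration; adjust them to your topology.

```cisco
! Added example, not from the original thread. VLANs 10/20, the interface
! names and the uplink port are assumptions.
!
! 1. DHCP snooping: enable globally, then scope it to the user VLANs.
!    Without the "vlan" line nothing is actually inspected.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! If the upstream DHCP server or relay rejects packets carrying
! option 82 from an untrusted source, stop inserting it here.
no ip dhcp snooping information option
!
! 2. Dynamic ARP Inspection on the same VLANs. ARP packets on untrusted
!    ports are checked against the snooping binding table; "validate"
!    additionally drops ARP frames whose MAC/IP fields are inconsistent.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! 3. Uplink towards the DHCP server: must be trusted for both features.
!    Forgetting this drops DHCP OFFER/ACK and nobody gets an address.
interface GigabitEthernet1/0/48
 description Uplink to core / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. User ports stay untrusted (the default). Rate-limit DHCP and ARP so
!    a misbehaving host cannot starve the CPU; the port err-disables if
!    the limit is exceeded, so recover it automatically.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
! Verification (exec mode):
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
```

Check `show ip dhcp snooping binding` after a client has leased an address: if the table stays empty, the uplink trust or the VLAN scoping is wrong, and DAI will drop every ARP request from that VLAN once enabled. Enable DHCP snooping first and confirm bindings are populating before turning on DAI.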
 
LVL 1

Author Comment

by:anishpeter
ID: 33713741
Hi..joelvp,
   I agree with you. But let's say I have my MAC address and IP address, which I got from the DHCP server, in the DHCP snooping table. If I am offline and someone else puts my IP as static on his system and changes his MAC to my MAC address using spoofing tools, will he be able to access the network and do whatever I can do with my credentials?

Thanks,
Peter
 
LVL 7

Assisted Solution

by:joelvp
joelvp earned 500 total points
ID: 33713800
Hi Peter,

You would have to add ip source guard using the command on the interface:

ip verify source

This prevents traffic coming in from a port with different information than in the snooping database, so he cannot just assign a static IP address to his host.
Now if he duplicates your MAC address as well and connects to another port while your PC is offline, the system will not be able to detect the difference between this and you just moving your PC to another port. You would have to use something like port security to protect from this type of attack. This can restrict certain MAC addresses to certain ports.

DHCP snooping and Dynamic ARP Inspection are only used to protect from man-in-the-middle attacks. With this attack the MAC address is not duplicated, but the ARP cache is poisoned, meaning that he is connecting your IP address to his MAC address.
 
LVL 1

Author Comment

by:anishpeter
ID: 33713839
Hi..joelvp,
Ok, I agree. I found that even though DAI and IP Source Guard work in different ways, DAI can also prevent IP spoofing. Do you agree? Then what is the need for IP Source Guard?
 Also, I can see the DHCP snooping database is built up whenever a computer is switched on. Then what is the use of saving the snooping database to TFTP?

Thanks,
Peter
LVL 25

Expert Comment

by:madunix
ID: 33717657
Implementing port security could be an option:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/port_sec.htm
You could allow only 1 MAC address per port and enable DHCP snooping globally and on each interface.
 
LVL 1

Author Comment

by:anishpeter
ID: 33717925
Hi.. madunix,
    I once implemented port security and reverted it. The main problem I faced was users working from different seats. Laptop users sometimes go to meeting rooms and work from other places. The administration overhead became very heavy. So now I plan to implement DHCP snooping, DAI and IP Source Guard.
This is my finding: even though DAI and IP Source Guard work in different ways, DAI can also prevent IP spoofing. Do you agree? Then what is the need for IP Source Guard?
 Also, I can see the DHCP snooping database is built up whenever a computer is switched on. Then what is the use of saving the snooping database to TFTP?

Thanks,
Peter
 
LVL 7

Assisted Solution

by:joelvp
joelvp earned 500 total points
ID: 33718083
To answer your question about the TFTP: this is needed in case the switch reboots or loses power for one reason or another. It can then retain its database; otherwise it would block all traffic except DHCP requests after boot-up.
About the other issues: you should go from the different attack types to the prevention mechanisms instead of the other way round. What is the thing you want to handle most? If it is a man-in-the-middle attack by ARP poisoning, then DAI is needed to mitigate it. If it is to avoid users randomly using IP addresses (by which they could sometimes circumvent security, but this depends on the rest of your setup), then Source Guard is the way to protect. To avoid a MAC address table overflow attack by an attacker generating a huge number of different MAC addresses, you can use port security or IP Source Guard. Both Source Guard and DAI require the DHCP snooping database.
Make sure when doing DHCP snooping that you designate the uplinks as trusted ports, or no one will get an IP address.
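The two answers above (`ip verify source` plus port security, and saving the snooping database so it survives a reload) can be combined on one access port. The following is an added example, not part of the original thread or the poster's own switch configuration; the TFTP server address, file names, VLAN and port numbers, and the per-port MAC limit are assumptions. The distinction the poster asks about is that DAI only inspects ARP packets, whereas IP Source Guard filters every IP packet entering the port against the binding table, so a host that statically configures an address it never leased gets no traffic through at all, not just no ARP.

```cisco
! Added example, not from the original thread. Server address, file names,
! VLAN and interface numbers are assumptions.
!
! Persist the snooping bindings so a reload does not leave every host
! blocked until it renews its lease. Either a TFTP URL or local flash
! works; the write-delay keeps the file from being rewritten on every
! single lease change.
ip dhcp snooping database tftp://192.0.2.10/sw1-dhcp-snooping.db
! ip dhcp snooping database flash:dhcp-snooping.db
ip dhcp snooping database write-delay 60
!
! A user access port. "ip verify source" alone checks the source IP of
! every incoming packet against the snooping bindings. With the
! port-security keyword the source MAC is checked too, so a host that
! sets a static IP or rewrites its MAC to a leased pair is dropped.
! Port security is required on the port for that keyword to work.
interface GigabitEthernet1/0/5
 description User access port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ip dhcp snooping limit rate 15
 ip verify source port-security
 switchport port-security
 ! Allow a few MACs per port (small desk switches, docking stations)
 ! and let learned addresses age out on inactivity so roaming laptop
 ! users do not need manual cleanup. "restrict" drops offending frames
 ! and logs, instead of err-disabling the port.
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Verification (exec mode):
!   show ip dhcp snooping database
!   show ip verify source interface GigabitEthernet1/0/5
!   show port-security interface GigabitEthernet1/0/5
```

Caveat: on several Catalyst releases, IP Source Guard with the `port-security` keyword requires the DHCP server to support option 82; if it does not, clients behind such a port never receive a lease. Check the IP Source Guard chapter of the configuration guide for your exact platform and IOS version before enabling the MAC check in production, and test on one port first.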
 
LVL 1

Author Comment

by:anishpeter
ID: 33718180
Hi.. joelvp,
  I was trying to save the database to a file in flash. It is saved but not loaded automatically upon reboot. Any idea?
I have some unmanaged 8-port switches, each connected to a single port of a managed Cisco switch where snooping, DAI and IP Source Guard are configured. Only one machine gets an IP from DHCP and has its address populated in the snooping database. What do I do to get access for the other machines?

Thanks,
Peter
 
LVL 7

Expert Comment

by:joelvp
ID: 33719214
Hi Peter, not sure about your saving to flash. Was the config saved properly? Maybe refer to it as disk0 or flash? Maybe ask this in another question. About the unmanaged switch, I don't think this is possible. Behind an untrusted port you can have only one DHCP client.