Solved

prevent MAC address Spoofing

Posted on 2010-09-19
Last Modified: 2012-05-10
Hi all,
Everyone knows MAC address spoofing is a great threat. How can this be prevented on Cisco and Nortel ERS? I know this can be done with 802.1X authentication. But are there any other workarounds, like DHCP snooping, Dynamic ARP Inspection, etc.?

Thanks,
Peter
Question by:anishpeter
9 Comments
 
LVL 7

Accepted Solution

by:
joelvp earned 2000 total points
ID: 33713428
I can only tell you about Cisco. I assume you are talking about a DHCP environment.

The standard approach for prevention of MAC address spoofing would be to first enable DHCP snooping globally with:

ip dhcp snooping
ip dhcp snooping vlan <vlan-range>

For trusted ports ((uplink) switch ports to which a DHCP server is connected) you have to disable DHCP snooping checking by designating the port as such with:

interface <name of the interface>
ip dhcp snooping trust

A database of DHCP bindings is built in the switch, and this one can be used for checking the traffic. Add the global command:

ip arp inspection vlan <vlan-range>

to enable ARP inspection for the specified VLANs.

For more information I would recommend checking the manual for the specific switch model and IOS version you have. E.g. for 3750 switches with IOS 12.2(52), you can go to http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swdynarp.html
 
LVL 1

Author Comment

by:anishpeter
ID: 33713741
Hi joelvp,
   I agree with you. But let's say I have my MAC address and the IP address that I got from the DHCP server in the DHCP snooping table. If I am offline and someone else puts my IP as static on his system and changes his MAC to my MAC address using spoofing tools, will he be able to access the network and do whatever he can do with my credentials?

Thanks,
Peter
 
LVL 7

Assisted Solution

by:joelvp
joelvp earned 2000 total points
ID: 33713800
Hi Peter,

You would have to add IP source guard using the command on the interface:

ip verify source

This prevents traffic coming in from a port with different information than in the snooping database, so he cannot just assign a static IP address to his host.
Now if he duplicates your MAC address as well and connects to another port while your PC is offline, the system will not be able to detect the difference between this and you just moving with your PC to another port. You would have to use something like port security to protect from this type of attack. This can restrict certain MAC addresses to certain ports.

DHCP snooping and Dynamic ARP Inspection are only used to protect from man-in-the-middle attacks. With this attack, the MAC address is not duplicated, but the ARP cache is poisoned, meaning that he is connecting your IP address to his MAC address.
 
LVL 1

Author Comment

by:anishpeter
ID: 33713839
Hi joelvp,
OK, I agree. I found that even though DAI and IP source guard work in different ways, DAI can also prevent IP spoofing. Do you agree? Then what is the need for IP source guard?
 Also, I can see the DHCP snooping database is built up whenever a computer is switched on. So what is the use of saving the snooping database to TFTP?

Thanks,
Peter
 
LVL 25

Expert Comment

by:madunix
ID: 33717657
Implementing port security could be an option:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/port_sec.htm
You could allow only 1 MAC address per port and enable DHCP snooping globally and on each interface...
 
LVL 1

Author Comment

by:anishpeter
ID: 33717925
Hi madunix,
    I once implemented port security and reverted back. The main problem I faced is users working from different seats. Laptop users sometimes go to meeting rooms and work from other places. The overhead of administration became very heavy. So now I plan to implement DHCP snooping, DAI and IP source guard.
This is my finding: even though DAI and IP source guard work in different ways, DAI can also prevent IP spoofing. Do you agree? Then what is the need for IP source guard?
 Also, I can see the DHCP snooping database is built up whenever a computer is switched on. So what is the use of saving the snooping database to TFTP?

Thanks,
Peter
 
LVL 7

Assisted Solution

by:joelvp
joelvp earned 2000 total points
ID: 33718083
To answer your question about the TFTP: this is needed in case the switch reboots or loses power for one reason or another. It can then retain its database; otherwise it would block all traffic except DHCP requests after boot-up.
About the other issues: you should go from the different attack types to the prevention mechanisms instead of the other way round. What is the thing you want to handle most? If it is a man-in-the-middle attack by ARP poisoning, then DAI is needed to mitigate it. If it is to avoid users randomly using IP addresses (by which they could sometimes circumvent security, but this depends on the rest of your setup), then source guard is the way to protect. To avoid the attack of a MAC address table overflow by an attacker generating a huge number of different MAC addresses, you can use port security or IP source guard. Both source guard and DAI require the DHCP snooping database.
Make sure when doing DHCP snooping that you designate the uplinks as trusted ports, or no one will get an IP address.
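The pieces joelvp describes across the thread (DHCP snooping with a trusted uplink, DAI, IP source guard, a persisted snooping database, and port security for the cloned-MAC case) put together in one access-switch configuration. This is an added example, not configuration from the original thread or from Cisco's documentation; VLANs 10 and 20, GigabitEthernet1/0/1 as the uplink toward the DHCP server, the database file name and the rate limits are assumed values for a Catalyst 3750-class switch on IOS 12.2, and every command should be checked against the configuration guide for your own model and release, as the accepted answer advises.

```cisco
! Added example; assumed topology: VLANs 10 and 20, Gi1/0/1 is the uplink to the DHCP server
!
! --- DHCP snooping: builds the IP/MAC/port/VLAN binding table that DAI and source guard consult ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Persist the binding table so a reboot does not leave every client blocked until it renews its lease
ip dhcp snooping database flash:dhcp-snooping.db
!
! --- Dynamic ARP Inspection on the same VLANs, also checking the MAC headers inside ARP packets ---
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink: trusted, so the DHCP server's offers and upstream ARP are not dropped ---
interface GigabitEthernet1/0/1
 description Uplink toward DHCP server (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Access ports: untrusted, one DHCP client expected per port ---
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 ! Rate-limit DHCP and ARP so a flood err-disables the port rather than exhausting the switch CPU
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! Port security: at most one learned MAC per port; 'restrict' drops extra MACs and counts violations
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! IP source guard with MAC checking: drop IP traffic whose source IP *and* MAC are not the
 ! binding learned on this port (plain "ip verify source" checks only the source IP)
 ip verify source port-security
!
! --- Verification commands (their output depends on the hosts actually connected) ---
! show ip dhcp snooping binding
! show ip verify source
! show ip arp inspection statistics vlan 10
! show port-security interface GigabitEthernet1/0/2
```

Port security here learns the MAC dynamically (no static or sticky entries), so it caps each port at one address without pinning a named user to a seat, which was Peter's reason for abandoning it earlier. Pairing it with `ip verify source port-security` is what ties that learned MAC to the IP in the snooping binding; with `ip verify source` alone the switch cannot tell a cloned IP-plus-MAC on another port from a user who simply moved desks, which is exactly the case joelvp points out.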
 
LVL 1

Author Comment

by:anishpeter
ID: 33718180
Hi joelvp,
  I was trying to save the database to a file in flash. It is saved but not loaded automatically upon reboot. Any idea?
I have some unmanaged 8-port switches, which are connected to a single port of a managed Cisco switch where snooping, DAI and IP source guard are configured. Only one machine is getting an IP from DHCP, and its address is populated in the snooping database. What do I do to get access for the other machines?

Thanks,
Peter
 
LVL 7

Expert Comment

by:joelvp
ID: 33719214
Hi Peter, not sure about your saving to flash. Was the config saved properly? Maybe refer to it as disk0 or flash? Maybe ask this in another question. About the unmanaged switch, I don't think this is possible. Behind an untrusted port, you can have only one DHCP client.