Roguetadhg wrote: » Normal 'users' don't know their way around.
phoeneous wrote: » Hope you have an acceptable use policy that they've signed. I'd fire that person in a heartbeat!
Jason0352 wrote: » Should have been more clear; it was a user who plugged into their wall port, not the switch. Unfortunately I'm in a unique situation overseas where we can't 'fire' someone for network violations. Supposedly this user is also in the communications field, so he was more than capable of spoofing his MAC. Thanks for the 802.1X recommends, too bad we can't field that in our network.
YFZblu wrote: » Was it a spare wall port? Or did the user unplug his/her computer from the network and use that one? If it was a spare, you need to add that port to a parking lot VLAN and disable the port. But yeah, the person needs to be fired. Sure, you can band-aid this problem by implementing more security, but you shouldn't be focusing on DHCP issues - you should be focusing on the real threat, which is the employee in your offices actively trying to harm the business. Threatening litigation against this person would not be a bad idea, btw.
RouteMyPacket wrote: » You are going to like this, but the most generic way to ensure people don't plug things into my switch gear currently is to only patch in the switch's active ports and admin shut the remainder until requested/needed.
Jason0352 wrote: » That is our policy also, but whenever the user unplugs his active patch cable from his approved computer to his home brand wireless router there's not a whole lot that policy can save you from.
Apollo80 wrote: » If there is no accountability for following the rules, then this MAC spoofing incident could prove to be quite tame compared to future violations.
veritas_libertas wrote: » I guess I'm suspecting it's not a normal user since they brought their wireless router to work. Also, many wireless routers will walk you through cloning your MAC address to it.
Jason0352 wrote: » Someone plugged a wireless router into one of our access switches at work yesterday. We use MAC white-listing through Server 2008 to allow clients to obtain an IP address and also use IP source guard on our access ports so users can't assign their own IP. Also have DHCP snooping configured on all access ports. They spoofed the MAC of the computer that was already white-listed, so the router got the IP address that was associated with that MAC. The router then began handing out its own pool of addresses to computers we haven't white-listed and allowing unauthorized network access. It was NATing its internal addresses to our IP address tied to the approved MAC. How could this have been mitigated? Port security wouldn't have helped since the router had the spoofed MAC of the legit computer. You wouldn't have seen any more MACs come in on the port since it was routing traffic between our access VLAN and its own broadcast domain. BPDU guard didn't pop off since it was a router that was plugged in. Only way I could think of is to tie our access VLANs to AD and authenticate that way?? Appreciate any input from you guys.
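For reference, here is an added Cisco IOS-style access-port configuration (not posted by anyone in the thread) that ties together the controls discussed: DHCP snooping with a single trusted uplink, IP source guard bound to port security, BPDU guard, and a parking-lot VLAN with unused ports shut. As the OP points out, none of this stops a NAT router that clones the approved host's MAC and reuses its IP, which is why 802.1X remains the stronger control; VLAN 10, VLAN 999 and the interface names are assumed placeholders.

```cisco
! Added example, not from the thread. VLAN numbers and interface names are placeholders.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Parking-lot VLAN: no SVI, no DHCP scope, nothing routed out of it
vlan 999
 name PARKING_LOT
!
! Uplink toward the legitimate DHCP server is the only trusted port
interface GigabitEthernet0/24
 description UPLINK-TO-DIST
 switchport mode trunk
 ip dhcp snooping trust
!
! Active user port
interface GigabitEthernet0/1
 description USER-PORT
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! One learned MAC, stored in config; err-disable the port on a second one
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! IP source guard: permit only the IP *and* MAC in the snooping binding table
 ip verify source port-security
 ! Untrusted ports already drop DHCP server replies; also cap client DHCP rate
 ip dhcp snooping limit rate 10
!
! Unused ports: parked in VLAN 999 and admin shut until requested
interface range GigabitEthernet0/2 - 23
 description UNUSED-PARKED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Verification commands to review after a suspected rogue device
show ip dhcp snooping binding
show ip verify source
show port-security interface GigabitEthernet0/1
show interfaces status err-disabled
```

The binding table output is the place to look when a port's traffic no longer matches what DHCP actually leased on it.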