MAC spoofing incident at work

Jason0352

Someone plugged a wireless router into one of our access switches at work yesterday. We use MAC white-listing through Server 2008 to allow clients to obtain an IP address and also use ip source guard on our access ports so users cant assign their own IP. Also have dhcp snooping configured on all access ports. They spoofed the MAC of the computer that was already white-listed so the router got the IP address that was associated with that MAC. The router then began handing out it's own pool of address to computers we haven't white-listed and allowing unauthorized network access. It was nating it's internal addresses to our IP address tied to the approved MAC.

How could have this been mitigated? Port security wouldn't have helped since the router had the spoofed MAC of the legit computer. You wouldn't have seen any more MACs come in on the port since it was routing traffic between our access vlan and its own broadcast domain. BPDU guard didn't pop off since it was a router that was plugged in.

Only way I could think of is to tie our access vlans to AD and authenticate that way??

Appreciate any input from you guys.

mochaaddict

I'm thinking 802.1x. Its pretty involved, but if you're that serious about access security it could solve your issue.

NotHackingYou

I think you will need some kind of authentication solution. If they spoofed the MAC, then any layer2 protection (port security) just isn't going to work, AFAIK.

astorrs

Like mochaaddict said, 802.1x is where you want to go - it exists to combat problems like this.

Roguetadhg

did they catch that 'someone'? I'm amazed they were able to pull the MAC in the first place.

veritas_libertas

If we are talking about the MAC address of the computer plugged into the port (their computer) it should be easy.

Roguetadhg

Normal 'users' don't know they're way around.

veritas_libertas

Roguetadhg wrote: »

Normal 'users' don't know they're way around.

I guess I'm suspecting it's not a normal user since they brought their wireless router to work. Also, many wireless routers will walk you through cloning your MAC address to it.

Roguetadhg

I've never seen that feature before on wireless routers. I've only garnered experience from one model of wireless routers - which I've seen at work, at neighbors and my own. the Linksys WRT54-g (?).

From what I've seen here, a lot of people just use their mifi or phone for their mobile needs.

phoeneous

Hope you have an acceptable use policy that they've signed. I'd fire that person in a heartbeat!

Apollo80

phoeneous wrote: »

Hope you have an acceptable use policy that they've signed. I'd fire that person in a heartbeat!

Very true. With the right administrative controls (i.e. Acceptable use policy) in place, your company could make a martyr of the individual(s) involved.

YFZblu

What do you mean, they plugged it into the switch? Are you saying this is an IT person with physical access to the switch, or do you mean this is a user that plugged the router into a cubicle/office/lobby ethernet port?

If untrustworthy individuals have physical access to the network infrastructure, I'm not sure there's much you can do other than fire the person and ensure only trustworthy people have access to the data closet.

Jason0352

Should have been more clear; it was a user who plugged into their wall port, not the switch. Unfortunately I'm in a unique situation overseas where we can't 'fire' someone for network violations.

Supposedly this user is also is in the communications field so he was more than capable of spoofing his MAC.

Thanks for the 802.1X recommends, too bad we can't field that in our network.

Roguetadhg

What you're getting at is: It's going to happen again, and there's not a thing we can do.

ptilsen

I agree; 802.1x is the only solution. I'm not sure why you can't use it, but without it you don't have much choice. Mac filtering is effective access control against non-savvy users, but it should never be treated as an effective security measure. It is too easy to spoof MAC addresses, and even an attacker who didn't actually possess an authorized device could probably get at one long enough to get its MAC.

YFZblu

Jason0352 wrote: »

Should have been more clear; it was a user who plugged into their wall port, not the switch. Unfortunately I'm in a unique situation overseas where we can't 'fire' someone for network violations.

Supposedly this user is also is in the communications field so he was more than capable of spoofing his MAC.

Thanks for the 802.1X recommends, too bad we can't field that in our network.

Was it a spare wall port? Or did the user unplug his/her computer from the network and use that one? If it was a spare, you need to add that port to a parking lot VLAN and disable the port.

But yeah, the person needs to be fired. Sure, you can band aid this problem by implementing more security, but you shouldn't be focusing on DHCP issues - You should be focusing on the real threat, which is the employee in your offices actively trying to harm the business. Threatening litigation against this person would not be a bad idea, btw.

Apollo80

Jason0352 wrote: »

Should have been more clear; it was a user who plugged into their wall port, not the switch. Unfortunately I'm in a unique situation overseas where we can't 'fire' someone for network violations.

Supposedly this user is also is in the communications field so he was more than capable of spoofing his MAC.

Thanks for the 802.1X recommends, too bad we can't field that in our network.

If there is no accountability for following the rules, then this MAC spoofing incident could prove to be quite tame compared to future violations.

veritas_libertas

YFZblu wrote: »

Was it a spare wall port? Or did the user unplug his/her computer from the network and use that one? If it was a spare, you need to add that port to a parking lot VLAN and disable the port.

But yeah, the person needs to be fired. Sure, you can band aid this problem by implementing more security, but you shouldn't be focusing on DHCP issues - You should be focusing on the real threat, which is the employee in your offices actively trying to harm the business. Threatening litigation against this person would not be a bad idea, btw.

I can understand your feelings from a Tech's perspective, but we also need to come to understand why employees do what they do. Was the employee simply trying to make his job easier to do? Did he want to use his laptop? There may be more going on than meets the eye. Was there a policy in place that says you can't do that, and is it readily known? Most employees are simply trying to get there job done, and more easily/quickly. Yes to us it's an obvious red flag, but to an employee it might simply be a way for him/her to get their job done easier.

YFZblu

I think you bring up a good point - What is the security policy? The fact that this person came to TE for ideas indicates to me there may not be one. Well, not a good one.

Roguetadhg

However the willingness to embrace ideas from his needs and what actually gets done... that's not always left up to the people in the trenches. So to speak.

S/he's being tied to regulations of out of country (overseas) at which point the MAC incident that led numerous unauthorized visitors.

It sounds to me there is a security policy; it's just beyond his direct control. Time to start brown nosing!

RouteMyPacket

You are going to like this, but the most generic way to ensure people don't plug things into my switch gear currently is to only patch in the switches active ports and admin shut the remainder until requested/needed.

I have facilities people walking into my closets plugging in cameras and who knows what else so this is the route chosen for now. I am preparing to install a new switch in each IDF tied to my public network for this going forward.

Jason0352

RouteMyPacket wrote: »

You are going to like this, but the most generic way to ensure people don't plug things into my switch gear currently is to only patch in the switches active ports and admin shut the remainder until requested/needed.

That is our policy also, but whenever the user unplugs his active patch cable from his approved computer to his home brand wireless router there's not a whole lot that policy can save you from.

RouteMyPacket

Jason0352 wrote: »

That is our policy also, but whenever the user unplugs his active patch cable from his approved computer to his home brand wireless router there's not a whole lot that policy can save you from.

Well I tend to handle that by walking over to the offender and beating them into a living death! It's set precedence trust me!

YFZblu

Apollo80 wrote: »

If there is no accountability for following the rules, then this MAC spoofing incident could prove to be quite tame compared to future violations.

/thread. If the company is not willing to invest in 802.1x, and not willing to hold employees terminally accountable for their actions, why even spend time/energy on it? Next time it could be worse, but they know that.

Jason0352

Believe me, I would have no problem doing any of the aforementioned corrective measures if it were in fact a traditional company network. But to preserve OPSEC I will not disclose any more details of who or where I work. Thanks for all the help.

DoubleNNs

veritas_libertas wrote: »

I guess I'm suspecting it's not a normal user since they brought their wireless router to work. Also, many wireless routers will walk you through cloning your MAC address to it.

Just chiming in to say that's true. Any user who has just enough tech skills to configure a home network (using the CD that comes w/ the router even) should be able to spoof a router MAC. I used to do it as a frosh in college so we could get our video game systems on the net. Other people used to do it to help w/ P2P networks. I didn't know what "Layer 2" was or even the technical name for what I was doing, just how to do it.

xXErebuS

Jason0352 wrote: »

Someone plugged a wireless router into one of our access switches at work yesterday. We use MAC white-listing through Server 2008 to allow clients to obtain an IP address and also use ip source guard on our access ports so users cant assign their own IP. Also have dhcp snooping configured on all access ports. They spoofed the MAC of the computer that was already white-listed so the router got the IP address that was associated with that MAC. The router then began handing out it's own pool of address to computers we haven't white-listed and allowing unauthorized network access. It was nating it's internal addresses to our IP address tied to the approved MAC.

How could have this been mitigated? Port security wouldn't have helped since the router had the spoofed MAC of the legit computer. You wouldn't have seen any more MACs come in on the port since it was routing traffic between our access vlan and its own broadcast domain. BPDU guard didn't pop off since it was a router that was plugged in.

Only way I could think of is to tie our access vlans to AD and authenticate that way??

Appreciate any input from you guys.

Are you sure it was a wireless router? If it was a standard user I'd look at it more like someone using Connectify or similar on their laptop. What was the spoofed MAC tied to?