MAC spoofing incident at work

Jason0352 Member Posts: 59
Someone plugged a wireless router into one of our access switches at work yesterday. We use MAC white-listing through Server 2008 to allow clients to obtain an IP address and also use IP source guard on our access ports so users can't assign their own IP. Also have DHCP snooping configured on all access ports. They spoofed the MAC of the computer that was already white-listed so the router got the IP address that was associated with that MAC. The router then began handing out its own pool of addresses to computers we haven't white-listed and allowing unauthorized network access. It was NATing its internal addresses to our IP address tied to the approved MAC.

How could this have been mitigated? Port security wouldn't have helped since the router had the spoofed MAC of the legit computer. You wouldn't have seen any more MACs come in on the port since it was routing traffic between our access VLAN and its own broadcast domain. BPDU guard didn't pop off since it was a router that was plugged in.

Only way I could think of is to tie our access vlans to AD and authenticate that way??

Appreciate any input from you guys.

Comments

  • mochaaddict Member Posts: 42
    I'm thinking 802.1x. It's pretty involved, but if you're that serious about access security it could solve your issue.
  • NotHackingYou Member Posts: 1,460
    I think you will need some kind of authentication solution. If they spoofed the MAC, then any layer2 protection (port security) just isn't going to work, AFAIK.
    When you go the extra mile, there's no traffic.
  • astorrs Member Posts: 3,139
    Like mochaaddict said, 802.1x is where you want to go - it exists to combat problems like this.
  • Roguetadhg Member Posts: 2,489
    Did they catch that 'someone'? I'm amazed they were able to pull the MAC in the first place.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • veritas_libertas Member Posts: 5,746
    If we are talking about the MAC address of the computer plugged into the port (their computer) it should be easy.
  • Roguetadhg Member Posts: 2,489
    Normal 'users' don't know their way around.

  • veritas_libertas Member Posts: 5,746
    Roguetadhg wrote: »
    Normal 'users' don't know their way around.

    I guess I'm suspecting it's not a normal user since they brought their wireless router to work. Also, many wireless routers will walk you through cloning your MAC address to it.
  • Roguetadhg Member Posts: 2,489
    I've never seen that feature before on wireless routers. I've only garnered experience from one model of wireless router, which I've seen at work, at neighbors' and my own: the Linksys WRT54-g (?).

    From what I've seen here, a lot of people just use their MiFi or phone for their mobile needs.

  • phoeneous Member Posts: 2,333
    Hope you have an acceptable use policy that they've signed. I'd fire that person in a heartbeat!
  • Apollo80 Member Posts: 24
    phoeneous wrote: »
    Hope you have an acceptable use policy that they've signed. I'd fire that person in a heartbeat!

    Very true. With the right administrative controls (i.e. Acceptable use policy) in place, your company could make a martyr of the individual(s) involved.
  • YFZblu Member Posts: 1,462
    What do you mean, they plugged it into the switch? Are you saying this is an IT person with physical access to the switch, or do you mean this is a user that plugged the router into a cubicle/office/lobby ethernet port?

    If untrustworthy individuals have physical access to the network infrastructure, I'm not sure there's much you can do other than fire the person and ensure only trustworthy people have access to the data closet.
  • Jason0352 Member Posts: 59
    Should have been more clear; it was a user who plugged into their wall port, not the switch. Unfortunately I'm in a unique situation overseas where we can't 'fire' someone for network violations.

    Supposedly this user is also in the communications field so he was more than capable of spoofing his MAC.

    Thanks for the 802.1X recommends, too bad we can't field that in our network.
  • Roguetadhg Member Posts: 2,489
    What you're getting at is: It's going to happen again, and there's not a thing we can do.

  • ptilsen Member Posts: 2,835
    I agree; 802.1x is the only solution. I'm not sure why you can't use it, but without it you don't have much choice. MAC filtering is effective access control against non-savvy users, but it should never be treated as an effective security measure. It is too easy to spoof MAC addresses, and even an attacker who didn't actually possess an authorized device could probably get at one long enough to get its MAC.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
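As an added example, not taken from the thread or from any poster's own configuration, the Cisco IOS access-port build below puts the controls the original poster describes (DHCP snooping, IP Source Guard, port security, BPDU guard) beside the 802.1X port authentication that the replies recommend. The interface name, VLAN, RADIUS address and shared secret are placeholders, and a Windows NPS server is assumed as the RADIUS backend.

```cisco
! Part 1: what the original poster already had. All three features key on the
! MAC/IP pair, so a router that clones the whitelisted MAC passes every check.
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ! IP Source Guard: frames must match the snooping binding (IP + MAC).
 ! The rogue router's NATed clients all appear as the bound IP/MAC, so they match.
 ip verify source port-security
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! Only trips on BPDUs; a router (not a switch) sends none.
 spanning-tree bpduguard enable
!
! Part 2: the 802.1X addition. The port stays closed until the attached device
! presents credentials over EAP, so cloning a MAC no longer grants access.
! 192.0.2.10 and the key are placeholders (assumed NPS server).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server NPS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
interface GigabitEthernet1/0/5
 authentication port-control auto
 ! single-host: exactly one authenticated MAC is allowed to forward on the port
 authentication host-mode single-host
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

Part 1 alone is what the thread says failed; Part 2 is the change that makes the port decide on credentials rather than on a spoofable address.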
  • YFZblu Member Posts: 1,462
    Jason0352 wrote: »
    Should have been more clear; it was a user who plugged into their wall port, not the switch. Unfortunately I'm in a unique situation overseas where we can't 'fire' someone for network violations.

    Supposedly this user is also in the communications field so he was more than capable of spoofing his MAC.

    Thanks for the 802.1X recommends, too bad we can't field that in our network.

    Was it a spare wall port? Or did the user unplug his/her computer from the network and use that one? If it was a spare, you need to add that port to a parking lot VLAN and disable the port.

    But yeah, the person needs to be fired. Sure, you can band aid this problem by implementing more security, but you shouldn't be focusing on DHCP issues - You should be focusing on the real threat, which is the employee in your offices actively trying to harm the business. Threatening litigation against this person would not be a bad idea, btw.
  • Apollo80 Member Posts: 24
    Jason0352 wrote: »
    Should have been more clear; it was a user who plugged into their wall port, not the switch. Unfortunately I'm in a unique situation overseas where we can't 'fire' someone for network violations.

    Supposedly this user is also in the communications field so he was more than capable of spoofing his MAC.

    Thanks for the 802.1X recommends, too bad we can't field that in our network.

    If there is no accountability for following the rules, then this MAC spoofing incident could prove to be quite tame compared to future violations.
  • veritas_libertas Member Posts: 5,746
    YFZblu wrote: »
    Was it a spare wall port? Or did the user unplug his/her computer from the network and use that one? If it was a spare, you need to add that port to a parking lot VLAN and disable the port.

    But yeah, the person needs to be fired. Sure, you can band aid this problem by implementing more security, but you shouldn't be focusing on DHCP issues - You should be focusing on the real threat, which is the employee in your offices actively trying to harm the business. Threatening litigation against this person would not be a bad idea, btw.

    I can understand your feelings from a tech's perspective, but we also need to come to understand why employees do what they do. Was the employee simply trying to make his job easier to do? Did he want to use his laptop? There may be more going on than meets the eye. Was there a policy in place that says you can't do that, and is it readily known? Most employees are simply trying to get their job done, and more easily/quickly. Yes, to us it's an obvious red flag, but to an employee it might simply be a way for him/her to get their job done easier.
  • YFZblu Member Posts: 1,462
    I think you bring up a good point - What is the security policy? The fact that this person came to TE for ideas indicates to me there may not be one. Well, not a good one.
  • Roguetadhg Member Posts: 2,489
    However, the willingness to embrace ideas from his needs and what actually gets done... that's not always left up to the people in the trenches. So to speak.

    S/he's being tied to regulations from out of country (overseas), at which point the MAC incident led to numerous unauthorized visitors.

    It sounds to me there is a security policy; it's just beyond his direct control. Time to start brown nosing!

  • RouteMyPacket Member Posts: 1,104
    You are going to like this, but the most generic way to ensure people don't plug things into my switch gear currently is to only patch in the switch's active ports and admin shut the remainder until requested/needed.

    I have facilities people walking into my closets plugging in cameras and who knows what else so this is the route chosen for now. I am preparing to install a new switch in each IDF tied to my public network for this going forward.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • Jason0352 Member Posts: 59
    RouteMyPacket wrote: »
    You are going to like this, but the most generic way to ensure people don't plug things into my switch gear currently is to only patch in the switches active ports and admin shut the remainder until requested/needed.

    That is our policy also, but whenever the user unplugs his active patch cable from his approved computer to his home brand wireless router there's not a whole lot that policy can save you from.
  • RouteMyPacket Member Posts: 1,104
    Jason0352 wrote: »
    That is our policy also, but whenever the user unplugs his active patch cable from his approved computer to his home brand wireless router there's not a whole lot that policy can save you from.

    Well I tend to handle that by walking over to the offender and beating them into a living death! It's set precedence, trust me!
  • YFZblu Member Posts: 1,462
    Apollo80 wrote: »
    If there is no accountability for following the rules, then this MAC spoofing incident could prove to be quite tame compared to future violations.

    /thread. If the company is not willing to invest in 802.1x, and not willing to hold employees terminally accountable for their actions, why even spend time/energy on it? Next time it could be worse, but they know that.
  • Jason0352 Member Posts: 59
    Believe me, I would have no problem doing any of the aforementioned corrective measures if it were in fact a traditional company network. But to preserve OPSEC I will not disclose any more details of who or where I work. Thanks for all the help.
  • DoubleNNs Member Posts: 2,015
    veritas_libertas wrote: »
    I guess I'm suspecting it's not a normal user since they brought their wireless router to work. Also, many wireless routers will walk you through cloning your MAC address to it.

    Just chiming in to say that's true. Any user who has just enough tech skills to configure a home network (using the CD that comes w/ the router even) should be able to spoof a router MAC. I used to do it as a frosh in college so we could get our video game systems on the net. Other people used to do it to help w/ P2P networks. I didn't know what "Layer 2" was or even the technical name for what I was doing, just how to do it.
    Goals for 2018:
    Certs: RHCSA, LFCS: Ubuntu, CNCF CKA, CNCF CKAD | AWS Certified DevOps Engineer, AWS Solutions Architect Pro, AWS Certified Security Specialist, GCP Professional Cloud Architect
    Learn: Terraform, Kubernetes, Prometheus & Golang | Improve: Docker, Python Programming
    To-do | In Progress | Completed
  • xXErebuS Member Posts: 230
    Jason0352 wrote: »
    Someone plugged a wireless router into one of our access switches at work yesterday. We use MAC white-listing through Server 2008 to allow clients to obtain an IP address and also use IP source guard on our access ports so users can't assign their own IP. Also have DHCP snooping configured on all access ports. They spoofed the MAC of the computer that was already white-listed so the router got the IP address that was associated with that MAC. The router then began handing out its own pool of addresses to computers we haven't white-listed and allowing unauthorized network access. It was NATing its internal addresses to our IP address tied to the approved MAC.

    How could this have been mitigated? Port security wouldn't have helped since the router had the spoofed MAC of the legit computer. You wouldn't have seen any more MACs come in on the port since it was routing traffic between our access VLAN and its own broadcast domain. BPDU guard didn't pop off since it was a router that was plugged in.

    Only way I could think of is to tie our access vlans to AD and authenticate that way??

    Appreciate any input from you guys.

    Are you sure it was a wireless router? If it was a standard user I'd look at it more like someone using Connectify or similar on their laptop. What was the spoofed MAC tied to?