Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

Detect/Block PC with spoofed mac address

SOLVED
Go to solution
RAP10
Occasional Contributor

Detect/Block PC with spoofed mac address

Hi,

I'm using a HP Procurve 2626, Is there a way to detect/block a PC with a spoofed MAC address? We already configured port security on the switch (allowed only 1 mac address on 1 port) but the users only used another PC(Laptop) and used an application to spoof the mac address of the allowed PC's mac address using the same network cable or Switch port. Since it is spoofed they were able to access the network and the port was not disabled. any ideas or suggestions will be great! Thanks!
5 REPLIES
Mohammed Faiz
Honored Contributor
Solution

Re: Detect/Block PC with spoofed mac address

Your best option is to use port based access control (802.1x).

Check out the manual here for more detail:

http://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap08-PortAccess(8021x).pdf
Matti_Kurkela
Honored Contributor

Re: Detect/Block PC with spoofed mac address

You've now discovered why a switch-level port security won't stop a knowledgeable and determined user from connecting to the network.

The switch has no way of knowing whether the MAC address it receives from the PC is "spoofed" or "genuine". As far as the switch knows, a MAC address is a MAC address.

The primary purpose of the port security feature is not to act as network access control: rather, its purpose is to make it very difficult or impossible for one host to hijack another hosts's active network connections by ARP spoofing.

If you need to make sure unauthorized systems won't gain access to your network, you'll probably need switches with a port access control feature. As Mohammed already mentioned, the standard for this feature is IEEE 802.1x; it's somewhat similar to the WPA authentication used in wireless networks (WLANs).

Alternatively, you might consider running an encrypted VPN on top of your network, so that all important traffic happens inside the VPN envelope. Even if an unauthorized client manages to plug in to the network, it won't be much use without a successful VPN login.

(Again, this is similar to the approaches used with WLANs in company meeting rooms: guests can access the Internet through an open WLAN, and employees can access internal network by activating an encrypted VPN on top of the WLAN.)

MK
MK
RAP10
Occasional Contributor

Re: Detect/Block PC with spoofed mac address

Mohammed,

Thanks for the link you provided. I can sure use this feature. But I'm having problems authenticating the PC on 802.1x using local authentication. I already enable the authentication on the PC but I was not prompted by a login window and was not able to get an IP address. Thanks!
RAP10
Occasional Contributor

Re: Detect/Block PC with spoofed mac address

Hi,

I was able to make it work! Thanks for pointing me in the right direction. I'll just have to test this on a active directory envorinment since it will be very time consuming if I will have to authenticate all the users locally. Thanks again!

RAP10
Mohammed Faiz
Honored Contributor

Re: Detect/Block PC with spoofed mac address

Glad to see you got it working. I've only ever used it in a test environment but it looked quite useful.
I just need to figure out if it had any major disadvantages over using a full NAC solution.