HPE Community
Switches, Hubs, and Modems
1821840 Members
3597 Online
109638 Solutions
New Discussion юеВ

Detect/Block PC with spoofed mac address

 
SOLVED
Go to solution
RAP10
Occasional Contributor

тАО06-23-2010 01:33 AM

тАО06-23-2010 01:33 AM

Detect/Block PC with spoofed mac address

Hi,

I'm using a HP Procurve 2626, Is there a way to detect/block a PC with a spoofed MAC address? We already configured port security on the switch (allowed only 1 mac address on 1 port) but the users only used another PC(Laptop) and used an application to spoof the mac address of the allowed PC's mac address using the same network cable or Switch port. Since it is spoofed they were able to access the network and the port was not disabled. any ideas or suggestions will be great! Thanks!
0 Kudos
5 REPLIES 5
Mohammed Faiz
Honored Contributor

тАО06-23-2010 04:46 AM

тАО06-23-2010 04:46 AM

Solution

Re: Detect/Block PC with spoofed mac address

Your best option is to use port based access control (802.1x).

Check out the manual here for more detail:

http://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap08-PortAccess(8021x).pdf
Matti_Kurkela
Honored Contributor

тАО06-23-2010 06:02 AM

тАО06-23-2010 06:02 AM

Re: Detect/Block PC with spoofed mac address

You've now discovered why a switch-level port security won't stop a knowledgeable and determined user from connecting to the network.

The switch has no way of knowing whether the MAC address it receives from the PC is "spoofed" or "genuine". As far as the switch knows, a MAC address is a MAC address.

The primary purpose of the port security feature is not to act as network access control: rather, its purpose is to make it very difficult or impossible for one host to hijack another hosts's active network connections by ARP spoofing.

If you need to make sure unauthorized systems won't gain access to your network, you'll probably need switches with a port access control feature. As Mohammed already mentioned, the standard for this feature is IEEE 802.1x; it's somewhat similar to the WPA authentication used in wireless networks (WLANs).

Alternatively, you might consider running an encrypted VPN on top of your network, so that all important traffic happens inside the VPN envelope. Even if an unauthorized client manages to plug in to the network, it won't be much use without a successful VPN login.

(Again, this is similar to the approaches used with WLANs in company meeting rooms: guests can access the Internet through an open WLAN, and employees can access internal network by activating an encrypted VPN on top of the WLAN.)

MK
MK
0 Kudos
RAP10
Occasional Contributor

тАО06-23-2010 08:31 PM

тАО06-23-2010 08:31 PM

Re: Detect/Block PC with spoofed mac address

Mohammed,

Thanks for the link you provided. I can sure use this feature. But I'm having problems authenticating the PC on 802.1x using local authentication. I already enable the authentication on the PC but I was not prompted by a login window and was not able to get an IP address. Thanks!
0 Kudos
RAP10
Occasional Contributor

тАО06-24-2010 12:38 AM

тАО06-24-2010 12:38 AM

Re: Detect/Block PC with spoofed mac address

Hi,

I was able to make it work! Thanks for pointing me in the right direction. I'll just have to test this on a active directory envorinment since it will be very time consuming if I will have to authenticate all the users locally. Thanks again!

RAP10
0 Kudos
Mohammed Faiz
Honored Contributor

тАО06-24-2010 12:46 AM

тАО06-24-2010 12:46 AM

Re: Detect/Block PC with spoofed mac address

Glad to see you got it working. I've only ever used it in a test environment but it looked quite useful.
I just need to figure out if it had any major disadvantages over using a full NAC solution.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.