In all but the most secure networks, some endpoints are admitted with MAC Authentication Bypass (MAB). MAB does a good job of preventing "incidental" access to the network, but it does little to stop an actual attacker, especially when more advanced features such as Anomalous Endpoint Detection and Enforcement are not turned on. MAC address spoofing is simple to carry out and will work against most ISE-secured networks when no additional steps are taken to prevent it.
In this article, we will go through a few ways to make a MAC address spoofing attack harder and to limit the exposure if one succeeds.
The use case is a simple ISE deployment that uses MAB for IoT and other endpoints that cannot run an 802.1X supplicant. We must allow the MAB endpoints onto the network while doing everything possible to make a spoofing attack difficult.
Here we have a simple topology: a single workstation and a CSR router used to simulate the attack. In the real world the workstation would run a supplicant and authenticate via 802.1X; here, think of it as a printer, camera, or some other endpoint that cannot.
To start, we created a permit rule that matches the built-in Identity Group "Workstation" and added the workstation's MAC address to that Identity Group. The workstation authenticates with MAB, and all is well. Note what this rule actually checks: only the MAC address. Anything that presents that address will match it.
Now comes the attack. The attacker unplugs the workstation and plugs in a router in its place.
Initially this fails because there is no MAB rule, and no Identity Group entry, for the router's own MAC address:
Now we carry out the spoofing attack by giving the router's interface the workstation's MAC address:
Sure enough, the router is granted full access:
MAC Spoofing Mitigation
The first step is to make sure profiling is working properly. Wherever possible this should include the DHCP probe: even if you would prefer a static address on certain endpoint types, set them to DHCP and use DHCP reservations instead, because the DHCP exchange (for example, the vendor class identifier in option 60) is valuable profiling data. ISE needs as much profiling data as possible to tell a genuine endpoint from an impostor presenting the same MAC address.
The second step is to limit the access an authenticated endpoint receives. This is the most overlooked item in virtually every ISE deployment I have ever seen. If a printer only needs to reach one IP address on one port, that is all its authorization should allow. Use a product like Secure Network Analytics (formerly Stealthwatch) to observe what each endpoint actually talks to and feed that into ISE, or refer to the endpoint's documentation to determine exactly what must be allowed, then enforce it with a downloadable ACL (dACL) or SGT in the authorization profile. Even if an attacker gets past authentication, a tight authorization policy severely limits the damage they can do.
The third step is an ISE feature called Anomalous Endpoint Detection and Enforcement. Put simply: once ISE has profiled an endpoint, if that profile later changes, ISE flags the endpoint as anomalous regardless of its MAC address, and you decide what happens next. In most cases you would configure ISE to deny the changed endpoint, but you can also restrict its access instead.
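The following is an added example, not code from the article, Cisco ISE or Secure Network Analytics. It shows the "feed ISE from observed flows" idea in working form: it takes a constructed set of connections a printer was seen making, builds the least-privilege dACL lines ISE accepts for that endpoint, sets aside anything seen too rarely to trust automatically, and then evaluates a few packets against the result so you can see what a MAC-spoofing attacker would be left with. All addresses, ports and the flow records themselves are constructed.

```python
"""Derive a least-privilege ISE downloadable ACL (dACL) from observed flows.

Added example for this article, not code from the author, Cisco ISE or
Secure Network Analytics. The flow records are constructed to stand in for
a flow export; each record is a connection the endpoint itself initiated,
as (destination IP, protocol, destination port). The ACE syntax is the
extended-ACL form ISE accepts in a dACL.
"""
from collections import Counter

# Constructed sample: a week of connections made by one printer.
# Seven of them go to the services it genuinely needs; the last one is a
# single SMB connection to a user workstation and should be questioned,
# not permitted just because it happened once.
PRINTER_FLOWS = [
    ("10.10.1.53", "udp", 53),      # DNS
    ("10.10.1.53", "udp", 53),
    ("10.10.1.53", "udp", 53),
    ("10.10.1.123", "udp", 123),    # NTP
    ("10.10.1.123", "udp", 123),
    ("10.10.30.10", "tcp", 445),    # scan-to-folder share on the print server
    ("10.10.30.10", "tcp", 445),
    ("10.10.40.77", "tcp", 445),    # one-off SMB to a workstation: review it
]


def build_dacl(flows, min_count=2):
    """Return (aces, needs_review).

    aces: one permit per (dst, proto, port) seen at least min_count times,
    closed with an explicit deny so nothing else gets through.
    needs_review: services seen fewer than min_count times, handed to a
    human (or the vendor documentation) instead of being auto-permitted.
    """
    counts = Counter(flows)
    permitted = sorted(svc for svc, n in counts.items() if n >= min_count)
    needs_review = sorted(svc for svc, n in counts.items() if n < min_count)
    aces = [f"permit {proto} any host {dst} eq {port}" for dst, proto, port in permitted]
    aces.append("deny ip any any")
    return aces, needs_review


def dacl_allows(aces, dst, proto, port):
    """Evaluate one packet from the endpoint against the dACL, first match wins."""
    for ace in aces:
        action, ace_proto, *rest = ace.split()
        if ace_proto == "ip" and rest == ["any", "any"]:
            return action == "permit"
        # rest == ["any", "host", <dst>, "eq", <port>] for the permits above
        if ace_proto == proto and rest[2] == dst and int(rest[4]) == port:
            return action == "permit"
    return False  # implicit deny at the end of every ACL


if __name__ == "__main__":
    aces, review = build_dacl(PRINTER_FLOWS)
    print("\n".join(aces))
    print("review before permitting:", review)
    # An attacker who spoofed the printer's MAC receives this same dACL, so
    # SSH to the print server or SMB to a workstation is dropped at the port.
    print("ssh to print server allowed:", dacl_allows(aces, "10.10.30.10", "tcp", 22))
```

This only covers connections the endpoint initiates. A Catalyst dACL is applied to traffic entering the switchport from the endpoint and is stateless, so a printer that receives jobs on TCP 9100 also needs a permit for its replies, for example `permit tcp any eq 9100 host 10.10.30.10`, where the print server address is again an assumption.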
Anomalous Endpoint Detection and Enforcement Configuration
To begin, the feature must be turned on (detection and enforcement are separate switches on this page):
Administration ---> Settings ---> Profiling
With detection alone, ISE will flag profile changes but will not act on them.
Next, create an authorization rule telling ISE what to do when an anomalous endpoint is detected:
Here we tell ISE to deny access to any endpoint whose AnomalousBehaviour attribute is True. Authorization rules are evaluated top-down with the first match winning, so place this rule above the MAB permit rule; otherwise the flagged endpoint still matches the permit rule first.
Let’s test it:
So far so good. Now the attack again:
Nice! Here is the detail showing why the endpoint was denied access:
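To make concrete what ISE just did, here is an added simulation, not code from the article or from Cisco ISE, of the detection and enforcement steps configured above. It models the three attributes Cisco documents the detector comparing across sessions of the same MAC address: NAS-Port-Type, the DHCP class identifier, and the endpoint policy (the profile ISE matched), with the authorization rules in the order used above. It also shows the two cases the article discusses next: detection enabled without enforcement (flagged but still permitted), and an attacker who clones everything, not just the MAC. The MAC addresses, class identifier strings and session records are all constructed; the profile names are assumptions.

```python
"""Simulate ISE Anomalous Endpoint Detection and Enforcement against the attack above.

Added example for this article, not code from the author or from Cisco ISE.
Watched attributes follow Cisco's description of the feature; everything
else (MACs, DHCP class identifiers, profile names) is constructed.
"""
from dataclasses import dataclass

WATCHED = ("nas_port_type", "dhcp_class_id", "endpoint_policy")


@dataclass(frozen=True)
class Session:
    mac: str
    nas_port_type: str    # RADIUS NAS-Port-Type, e.g. "Ethernet" or "Wireless-IEEE-802.11"
    dhcp_class_id: str    # DHCP option 60 as seen by the profiler's DHCP probe
    endpoint_policy: str  # profile ISE matched the endpoint to


class IseSim:
    """Minimal model: profiler memory, the anomaly flag, top-down authorization rules."""

    def __init__(self, enforce: bool):
        self.enforce = enforce          # the separate "Enforcement" switch
        self.baseline = {}              # mac -> watched attributes at first sight
        self.anomalous = set()          # MACs with AnomalousBehaviour = True
        self.workstation_group = set()  # MACs in the Workstation identity group

    def profile(self, s: Session) -> dict:
        """Compare this session with the MAC's baseline; return what changed."""
        seen = {k: getattr(s, k) for k in WATCHED}
        first = self.baseline.setdefault(s.mac, seen)
        changed = {k: (first[k], seen[k]) for k in WATCHED if first[k] != seen[k]}
        if changed:
            # Detection records the flag whether or not enforcement is on, and
            # the flag is sticky until an administrator clears it.
            self.anomalous.add(s.mac)
        return changed

    def authorize(self, s: Session) -> tuple:
        """Authorization rules, first match wins, in the order used above."""
        changed = self.profile(s)
        # Rule 1: AnomalousBehaviour EQUALS True -> DenyAccess (acts only when enforcing)
        if self.enforce and s.mac in self.anomalous:
            return "DenyAccess", changed
        # Rule 2: IdentityGroup EQUALS Workstation -> PermitAccess (the MAB rule)
        if s.mac in self.workstation_group:
            return "PermitAccess", changed
        # Default rule
        return "DenyAccess", changed


WORKSTATION_MAC = "00:50:56:ab:cd:01"   # constructed
ROUTER_MAC = "00:1e:14:aa:bb:cc"        # constructed burned-in address of the router

# Constructed sessions mirroring the lab, in the order the article plays them out.
WORKSTATION = Session(WORKSTATION_MAC, "Ethernet", "MSFT 5.0", "Workstation")
ROUTER_OWN_MAC = Session(ROUTER_MAC, "Ethernet", "ciscopnp", "Cisco-Device")
ROUTER_SPOOFED = Session(WORKSTATION_MAC, "Ethernet", "ciscopnp", "Cisco-Device")
# The attacker who also matches DHCP class identifier and profile, not just the MAC:
ROUTER_CLONED = Session(WORKSTATION_MAC, "Ethernet", "MSFT 5.0", "Workstation")


def run_scenario(sessions, enforce: bool) -> list:
    """Return (decision, changed attributes) for each session, in order."""
    ise = IseSim(enforce=enforce)
    ise.workstation_group.add(WORKSTATION_MAC)
    return [ise.authorize(s) for s in sessions]


if __name__ == "__main__":
    article_attack = [WORKSTATION, ROUTER_OWN_MAC, ROUTER_SPOOFED]
    for enforce in (False, True):
        print(f"enforcement {'on' if enforce else 'off'}:")
        for s, (decision, changed) in zip(article_attack, run_scenario(article_attack, enforce)):
            print(f"  {s.mac} {s.endpoint_policy:13} -> {decision:12} {changed or ''}")
    print("full clone with enforcement on:",
          [d for d, _ in run_scenario([WORKSTATION, ROUTER_CLONED], True)])
```

The third scenario is the caveat: an attacker who also reproduces the DHCP class identifier and ends up matched to the same profile is indistinguishable to this check, which is why the authorization policy from the second step still matters even with enforcement on.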
Of course, this is still not as secure as 802.1X, but we have made the attacker's life far harder. To beat us they now need three things instead of one:
The attacker must know the MAC address of the endpoint to spoof.
The attacker must know exactly how ISE profiled the endpoint.
The attacker must make their device look exactly like the endpoint they are spoofing, down to the attributes ISE compares (NAS-Port-Type, DHCP class identifier and the matched profile). This is not easy!
So how can CDA help you improve network security?
Members of our team are Cisco Certified Internetwork Experts (CCIE) and can help at any stage of the process: proof of concept, design, architecture, implementation, testing, and issue resolution. Want to learn more?
MAC Address Spoofing Defense with ISE