2

I want to define in my Cisco switch a whitelist of allowed MAC, but MAC spoofing could allow any host to connect. How can I prevent MAC spoofing?

Abid
  • What Marco said. Many embedded systems don't even have a MAC address at all. They *have* to spoof. – phemmer Oct 22 '13 at 14:00
  • Best you can hope for is having the switch lock down port/MAC pairs when it sees them for the first time, but that's a terrible idea for a lot of reasons. – Shadur Oct 22 '13 at 14:33

3 Answers

10

You don't prevent MAC spoofing, since it's entirely client-side. This is the reason that no one that really cares about security is using MAC whitelisting or blacklisting.

If you care about controlling what devices connect to your network, you should be using 802.1x with device certificates issued by your own internal CA that you control, or with some form of NAC like Cisco ISE or Microsoft NAP.

MDMarra
  • Indeed. Security by futzing with MAC addresses is *at best* a minor inconvenience to anyone with even slight competence, and these days only a slight speedbump to newbie hackers who have heard of Google before. – Rob Moir Oct 22 '13 at 14:57
3

You cannot prevent MAC spoofing. The problem you're trying to solve is authentication. And the MAC address is simply not the right way to provide authentication since it can be spoofed very easily. There are even legit reasons to spoof a MAC address.

If you want to restrict which computers can connect, you have to use better methods than relying on the MAC address, preferably methods that leverage some sort of encryption.

Marco
-1

Can't you somehow prevent it via switchport port-security?

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html

You're not going to prevent a host from spoofing its MAC, but its spoofed traffic won't pass the access port.


user1293137
  • You misunderstand - port-security limits the MAC address(es) that can talk over a port, but it has no way of knowing whether a device has spoofed that address or not. – Dan Oct 22 '13 at 15:49
  • You're right. But if the MAC is spoofed, it is not the one registered on that port, and then its traffic is "locked". – user1293137 Oct 22 '13 at 19:10
  • So? We know that and the OP knows that - but port security does nothing to prevent MAC spoofing and, indeed, can be trivially bypassed using it. – Dan Oct 22 '13 at 21:12
  • Mmh... now I got it! Sorry, I really misunderstood at the beginning. – user1293137 Oct 23 '13 at 14:25
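As an added illustration (not from any of the posts above), here are the two approaches side by side as Cisco IOS configuration: the port-security setup the last answer suggests, which only filters on the source MAC the port has learned, and the 802.1X port setup MDMarra's answer recommends, which authenticates the host against RADIUS instead. Interface names, the RADIUS server address and the shared secret are placeholders.

```cisco
! Port-security, as in the answer above: the switch learns one MAC on the
! port (sticky) and drops frames from any other source MAC. It compares
! only the source address, so it cannot tell a spoofed address from the
! real one; any host presenting that address is accepted.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! 802.1X, as in the top-voted answer: the port stays closed until the
! attached host authenticates through RADIUS (for example with a device
! certificate via EAP-TLS). The MAC address plays no part in the decision.
! Server address and key are placeholders (constructed for this example).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server RADIUS-PLACEHOLDER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Verification commands for each approach:
! show port-security interface GigabitEthernet1/0/1
! show authentication sessions interface GigabitEthernet1/0/2
```

With port-security a `show port-security interface` only tells you which MAC the port accepted, not who is behind it; with 802.1X the `show authentication sessions` output shows the authenticated identity and method, which is what the question is actually after.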