How to prevent MAC spoofing?

Solution 1

You don't prevent MAC spoofing, since it's entirely client-side. This is the reason that no one that really cares about security is using MAC whitelisting or blacklisting.

If you care about controlling what devices connect to your network, you should be using 802.1x with device certificates issued by your own internal CA that you control, or with some form of NAC like Cisco ISE or Microsoft NAP.
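As an added illustration (not part of either answer, and not configuration from the original question), a Cisco IOS fragment showing the MAC-based port-security the question proposes beside an 802.1X port configuration of the kind Solution 1 recommends; the interface names, VLAN, RADIUS server name and address, shared secret and the example MAC are placeholders.

```cisco
! --- Weak: MAC-based port-security (what the question proposes) ---
! The switch only compares the source MAC of incoming frames with the
! address below. Any host presenting that source MAC passes the check,
! which is exactly the spoofing problem raised in the question.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! --- Stronger: 802.1X port authentication backed by a RADIUS/NAC server ---
! The port stays closed until the supplicant authenticates through the
! RADIUS server. The EAP method (e.g. EAP-TLS with certificates from the
! internal CA) is chosen on the RADIUS server and supplicant, so the
! client's MAC address is never the thing being trusted.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server NAC-SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 authentication violation restrict
 dot1x pae authenticator
```

With `authentication violation restrict`, a second device appearing on an authenticated port is dropped and logged rather than shutting the port, which is usually the behaviour you want when reviewing NAC events.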

Solution 2

You cannot prevent MAC spoofing. The problem you're trying to solve is authentication. And the MAC address is simply not the right way to provide authentication since it can be spoofed very easily. There are even legit reasons to spoof a MAC address.

If you want to restrict which computers can connect, you have to use better methods than relying on the MAC address, preferably methods that leverage some sort of encryption.

Author: Abid

Updated on September 18, 2022

Comments

  • Abid
    Abid over 1 year

    I want to define in my Cisco switch a whitelist of allowed MAC, but MAC spoofing could allow any host to connect. How can I prevent MAC spoofing?

    • phemmer
      phemmer over 10 years
      What marco said. Many embedded systems don't even have a MAC address at all. They have to spoof.
    • Shadur
      Shadur over 10 years
      Best you can hope for is having the switch lock down port/MAC pairs when it sees them for the first time, but that's a terrible idea for a lot of reasons.
  • Rob Moir
    Rob Moir over 10 years
    Indeed. Security by futzing with MAC addresses is at best a minor inconvenience to anyone with even slight competence, and these days only a slight speedbump to newbie hackers who have heard of Google before.
  • Dan
    Dan over 10 years
    You misunderstand - port-security limits the MAC address(es) that can talk over a port, but it has no way of knowing whether a device has spoofed that address or not.
  • ANIS ELOSTA
    ANIS ELOSTA over 10 years
    You're right. But if the MAC is spoofed, it is not the one registered on that port and then its traffic is "locked".
  • Dan
    Dan over 10 years
    So? We know that and the OP knows that - but port security does nothing to prevent MAC spoofing and, indeed, can be trivially bypassed using it.
  • ANIS ELOSTA
    ANIS ELOSTA over 10 years
    Mmh... now I got it! Sorry, I really misunderstood at the beginning.
  • Manos Vajasan
    Manos Vajasan about 6 years
    Would Kerberos and LDAP be an appropriate authentication solution in this case? (I'm assuming Linux.)