Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
15424
Views
65
Helpful
19
Replies

ISE profiling and MAC address spoofing mitigation

Go to solution
wiong
Cisco Employee
Cisco Employee

‎02-19-2019 06:26 PM

I am googling around trying to confirm on ISE profiling and mitigation against MAC address spoofing but I have not find a confirmed answer.

 

When a device connects, get profiled and identified what it is, the ISE screen will show up the endpoint information including what is this endpoint (Cisco IP phone, Ricoh printer, etc). Even if the device is subsequently disconnected, I can still see it on the ISE screen although it shows that it is disconnected. If I now plug a device into the network and spoofed that endpoint MAC address, will ISE re-profile again or just let the device in since it has been profiled previously and still in the ISE DB with the MAC address intact?

 

I read somewhere in ISE document that when a device has been profiled (which may takes several seconds initially), ISE will cache the information so that subsequently, when the endpoint reconnects again, the network connectivity establishment is faster since it does not need to re-profile again? If this is the case, anyone can easily get into the network by just spoofing the MAC address.

 

 

2 people had this problem
0 Helpful
19 Replies 19

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni
In response to MS-JK

‎11-14-2019 03:59 PM

Are you connected behind an unmanaged switch or hub so that the Cisco switch isn't detecting the link state change?  I assume that is what you are doing since any link state change would force a new authentication.  If you are doing this behind some device to keep the link state up, then one option to combat that is to use reauthentication.  If someone really wants to get in, they will.  They can spoof the MAC and intentionally not send any new profiling data or anything that could trigger profiling.  In that case, your only option to mitigate it is with reauthentication every so often.  The Department of Defense (Network STIG) requires a reauthentication timeout of every hour (60 minutes) for that reason.  Defense needs to be layered.  Always assume someone can break in if they want.  Your goal for security is to make it harder and harder by having multiple layers that need to be broken before anything of value can be obtained.  Increase the window of time that would be required for an attacker to get anything so you increase the odds of someone catching them.

0 Helpful

Go to solution
MS-JK
Level 1
Level 1
In response to Colby LeMaire

‎11-14-2019 04:52 PM

You bring up a good point. So the good guy was connecting to SWITCH1 (managed) and the bad guy was connecting to SWITCH2 (managed) different port - direct connection. Which is even more alarming. ISE detected the new machine (simple linux machine with spoofed MAC and different hostname) and gave it same access as the connected good guy's machine.

 

With that said 2 tests were done. ONE printer (MAB) and one WIN10 (Dot1x). The printer - port did bounce as its directly connecting but spoofing machine (even with the different hostname) assumed same ISE auth/author profile of the previously connected printer -  and again without any Anomalous Behavior detected.

 

jk

Go to solution
BrianPersaud
Spotlight
Spotlight
In response to MS-JK

‎11-15-2019 07:24 AM

Hi do you have the authorization policy enabled to block the devices when the behavior is detected?

0 Helpful

Go to solution
MS-JK
Level 1
Level 1
In response to BrianPersaud

‎11-20-2019 01:53 PM

There is nothing to block - it didn't even DETECT it. Right now - this is a serious flaw with ISE. Anyone can become a dot1x authenticated user with machine cert and AD validations with a simple 10 second MAC spoof? ISE didn't even see it on host change, no NMAP is re-initiated, no re-profile is initiated. Scary - why would we recommend ISE to anyone if this holds true? I'm hoping I'm wrong.

Go to solution
Parag Mahajan
Cisco Employee
Cisco Employee
In response to MS-JK

‎02-29-2020 04:00 PM - edited ‎02-29-2020 04:05 PM

In your first scenario, "You bring up a good point. So the good guy was connecting to SWITCH1 (managed) and the bad guy was connecting to SWITCH2 (managed) different port - direct connection. Which is even more alarming. ISE detected the new machine (simple linux machine with spoofed MAC and different hostname) and gave it same access as the connected good guy's machine."

How is first guy connecting through dot1x or MAB . If it connecting using dot1x and then bad guy connecting to switch 2 may spoof MAC address but he will not get access as he does not have dot1x crendetials (Cert or user/password).

 

In second scenario "ONE printer (MAB) and one WIN10 (Dot1x). The printer - port did bounce as its directly connecting but spoofing machine (even with the different hostname) assumed same ISE auth/author profile of the previously connected printer - and again without any Anomalous Behavior detected."

 

It does work as long as both type of endpoints getting correctly profiled. Win10 at should have got profiled as at least as 'workstation' and printer should have profiled as 'printer' then only ISE can detect and enforce ABD.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200973-configure-anomalous-endpoint-detection-a.html

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents