prevent hub on a 802.1x switch port

vanbon
Level 1

Hi,

An 802.1x port on a switch will grant a hub access if there is an 802.1x PC connected to the hub.

Non-802.1x PCs can access the 802.1x network if they connect to the hub and spoof the MAC address of the 802.1x PC (switch port uses single-host mode).

Does anyone know how we can prevent this access?

Thanks,

Gerard van Bon

9 Replies

jafrazie
Cisco Employee

From a security perspective, the first option should be to remove the hub. This is outside of the scope of 802.1x.

Recommend running things like Dynamic ARP Inspection on your switch also.

Hope this helps.

Additionally, you can use port security to limit the number of MAC addresses that are allowed on the switchport.

Port security will not help.

Spoofing of the MAC address will result in only one MAC address on the switch port.

I think Dynamic ARP Inspection will make it harder to spoof the MAC address. But this is not implemented on most access switches.

Regards, Gerard

Very true. I must have been in wonderland when I half way thought that one through.

I am not sure whether dynamic ARP inspection would be helpful in this situation or not. If the ARP tables are built within the switch based upon DHCP snooping, the second host with the same MAC address would have to have a statically entered IP address in order to function. If it tried to obtain one via DHCP, the DHCP server would see that it had issued a specific IP address to that MAC address and would reissue the same IP address to the second host. I guess the second PC could do a NACK to the DHCPOFFER. In this case you could watch your DHCP address allocation for the particular subnet, and if you have more addresses issued than you have ports, that could be an indication. Of course there are a few issues with that. Mainly, it would require a fairly static environment to do something like that.

Another problem, and this would be much easier to do from a PC standpoint, would be to setup the 802.1x authenticated PC as a NAT device and connect the second or more devices behind it. (Windows makes this pretty easy now.) If a SOHO router (ie, Linksys type device) were to support 802.1x, it could be plugged in and all devices placed behind it would be able to access the network based upon the NAT functions of the SOHO router. A user smart enough to spoof a MAC address to bypass network security will likely be aware of these methods as well.

Steve
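The detection heuristic Steve describes (count active DHCP leases per subnet against the number of access ports feeding that subnet, and watch for one MAC address holding more than one lease after a decline) can be scripted against a lease export. The following is an added example and not code from the thread or from Cisco; the lease lines, the subnet-to-port inventory and the record format are constructed for illustration, and a real deployment would read them from the DHCP server's lease database and the switch inventory.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of an active-lease export: "<ip> <mac> <state>" per line.
# The duplicate MAC on 10.1.10.21 and 10.1.10.24 models a second host that
# declined the offered address and obtained a fresh lease.
SAMPLE_LEASES = """\
10.1.10.21 00:11:22:33:44:55 active
10.1.10.22 00:11:22:33:44:66 active
10.1.10.23 00:11:22:33:44:77 active
10.1.10.24 00:11:22:33:44:55 active
10.1.20.5  00:aa:bb:cc:dd:ee active
"""

# Hypothetical inventory: access subnet -> number of switch ports that feed it.
PORTS_PER_SUBNET = {"10.1.10.0/24": 3, "10.1.20.0/24": 8}


def parse_leases(text):
    """Return a list of (ip_address, mac) tuples for leases marked active."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "active":
            continue
        leases.append((ipaddress.ip_address(parts[0]), parts[1].lower()))
    return leases


def leases_per_subnet(leases, subnets):
    """Count active leases that fall inside each inventoried subnet."""
    nets = {s: ipaddress.ip_network(s) for s in subnets}
    counts = {s: 0 for s in subnets}
    for ip, _mac in leases:
        for name, net in nets.items():
            if ip in net:
                counts[name] += 1
                break
    return counts


def oversubscribed_subnets(leases, ports_per_subnet):
    """Subnets holding more active leases than there are ports to serve them."""
    counts = leases_per_subnet(leases, ports_per_subnet)
    return sorted(s for s, n in counts.items() if n > ports_per_subnet[s])


def duplicate_mac_leases(leases):
    """MAC addresses that currently hold more than one active lease."""
    by_mac = defaultdict(list)
    for ip, mac in leases:
        by_mac[mac].append(str(ip))
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def report(text=SAMPLE_LEASES, ports=PORTS_PER_SUBNET):
    """Run both checks and return the findings as a dict."""
    leases = parse_leases(text)
    return {
        "oversubscribed": oversubscribed_subnets(leases, ports),
        "duplicate_macs": duplicate_mac_leases(leases),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Both findings are indications only, as the post says: a subnet can legitimately exceed its port count when leases outlive the hosts that held them, so the lease time should be short relative to how often the check runs, and the port inventory has to be kept current.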

I will try to test the Dynamic ARP inspection. Maybe it is a solution. If the spoofing PC tries to use DHCP he will get the same IP address as the original PC. Then both PCs will have trouble with TCP connections. We have tried that.

PCs with NAT and SOHO routers could also be a problem. But we have secured the network with 802.1x machine authentication. Only PCs that are members of the Active Directory domain will be authenticated with 802.1x. These PCs are installed with an image that cannot be altered by users. So I do not think they will be able to turn the PC into a NAT device. SOHO routers cannot authenticate because they are not a valid domain member.

I think we can say that 802.1x in a wired environment does make it harder to connect illegal equipment to the network. But it will not yet stop a hacker.

Gerard

You can deny the use of a SOHO router / NAT by reducing the TTL such that the addition of another router will cause the TTL to expire.

You can take it a step further by running everything through a proxy / L4-7 inspection (a la Packeteer) ...

It doesn't help the OP's problem directly, but if you went to L3 switching at the workgroup, used /30 masks per port (with / without 802.1x), and reduced the TTL ... you've pretty much locked the system down: one valid IP address per port, no additional NAT/routers/proxies allowed (TTL expires), and content inspected to remove the Kazaa / BitTorrent / p2p streamers .....

It can be done, it's usually just an issue of admin time and expense. Much of it can be simplified if you can (or know someone that can) do a little scripting ...

FWIW

Scott

A scenario that you may be referring to would be this:

After hours a hacker unplugs an authorized PC from a switch port, installs a hub, reconnects the authorized PC and then his own unauthorized PC. By turning on the authorized PC with machine-only authentication, the port will authenticate without logging on, and then the hacker could spoof the MAC address of the authorized PC.

One way to prevent this would be to require both machine authentication and user authentication.

You could also require 802.1x reauthentication, but I don't think this would stop the issue.

Mark

For this scenario, there is nothing that can be done to deny this type of access. The situation is outside of the scope of 802.1x.

One way to attempt to mitigate this would be to build network policy around "device" or "machine" level access. This way, the attack isn't stopped. The attacker in this example has attained unauthorized access, but only to what machines themselves have access to.

Hope this helps.

To prevent a hub from being connected to an 802.1x port, add the command "authentication host-mode multi-domain" to the switch port. This command will only allow a single device in the data VLAN and a single device in the voice domain (voice VLAN).
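The host-mode setting from the last reply, shown together with the DHCP snooping and Dynamic ARP Inspection that jafrazie recommended earlier in the thread, as an added IOS configuration example that is not from the thread or from Cisco documentation. The interface name, VLAN IDs and the rate limit are assumptions; only the command names are real IOS syntax.

```cisco
! Added example; interface, VLANs and rate limit are assumed values.
! DHCP snooping builds the binding table that Dynamic ARP Inspection
! validates ARP packets against, so both are enabled for the access VLANs.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
! Uplink toward the DHCP server must be trusted or snooping drops the offers.
interface GigabitEthernet1/0/48
 description uplink
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! single-host is the default and is the mode the question describes:
 ! one authenticated MAC, so a hub behind an authenticated PC is not
 ! stopped once that MAC is spoofed. multi-host would be weaker still,
 ! because one authentication opens the port to every MAC behind a hub.
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 ip dhcp snooping limit rate 15
 spanning-tree portfast
```

multi-domain admits exactly one MAC in the data VLAN and one in the voice VLAN, so a second data-VLAN MAC seen behind a hub triggers a security violation instead of being switched. As the thread points out, none of this stops a host that reuses the already-authenticated MAC address; DAI only constrains it to the IP address bound to that MAC in the snooping table, which is why the replies treat the hub itself as the thing to remove.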