Each networked device or network interface is assigned a unique Media Access Control (MAC) address. MAC address spoofing (or MAC spoofing) is the technique of "faking" this address. Although some legitimate uses exist, it is also used to circumvent existing security mechanisms, to impersonate legitimate devices (end stations or even routers), or to hide an attacker. Combating this technique and protecting your network requires both detection and prevention.

Detection of MAC spoofing
MAC addresses are only meaningful within a single broadcast domain (usually a VLAN or subnet). Once a network packet has left that broadcast domain, the sender's original MAC address is no longer carried with it; beyond that point the sender is identified only by its IP address. To detect and capture the illegitimate use of a MAC address, it is therefore important to track the address across all areas of the network, since the attacker or the victim may move between broadcast domains. Detection requires:

  • network-wide monitoring of access
  • real-time analysis of devices accessing various networks
  • ability to detect type of device and to detect changes in type of device accessing
  • retention of device-specific information

Information about a device is critical in determining which device is the victim and which is the attacker. There is no guarantee that the victim and attacker will access the network at the same time, so stored profile information (e.g., "this MAC address belonged to a Windows device") must be compared against new information as it is gathered ("this MAC address is now a Linux device").

Preventing MAC spoofing
In order to take action on the detection of MAC spoofing, the solution also needs to be able to restrict access. The ability to shut down access to the impersonating device (attacker), preferably without shutting down access to the victim device, is a critical part of the solution.
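The detection and response logic described in the two sections above, as an added example that is not part of the original page and not CGX code: it retains a per-MAC profile (device type, VLAN, attachment port, last-seen time), compares every new access event against it, raises an alert when the device type changes or the same MAC shows up in two broadcast domains within a short window, and derives which attachment point to quarantine while leaving the previously profiled (presumed victim) attachment untouched. The access events, port names and the five-minute overlap window are constructed assumptions; a roam to another VLAN outside that window with an unchanged device type is treated as legitimate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One access request as an access-control system would log it.
    os_family is the passive profiling result (DHCP options, TCP stack
    fingerprint, HTTP User-Agent) that serves as device-type evidence."""
    ts: datetime
    mac: str
    vlan: int        # broadcast domain the device attached to
    port: str        # switch port or access point the request arrived on
    os_family: str


@dataclass
class Profile:
    """Retained per-MAC profile that later events are compared against."""
    os_family: str
    vlan: int
    port: str
    last_seen: datetime


@dataclass(frozen=True)
class Alert:
    mac: str
    reason: str
    quarantine_port: str   # attachment of the suspected impersonator
    keep_port: str         # previously profiled attachment (presumed victim)


class MacSpoofDetector:
    def __init__(self, overlap_window: timedelta = timedelta(minutes=5)):
        self.profiles: Dict[str, Profile] = {}
        # Two attachments in different broadcast domains closer together than
        # this are treated as simultaneous presence rather than as roaming.
        self.overlap_window = overlap_window

    def observe(self, ev: AccessEvent) -> List[Alert]:
        prev = self.profiles.get(ev.mac)
        if prev is None:  # first sighting: just retain the profile
            self.profiles[ev.mac] = Profile(ev.os_family, ev.vlan, ev.port, ev.ts)
            return []

        alerts: List[Alert] = []
        if ev.os_family != prev.os_family:
            alerts.append(Alert(ev.mac, f"device type changed {prev.os_family} -> {ev.os_family}",
                                ev.port, prev.port))
        if ev.vlan != prev.vlan and ev.ts - prev.last_seen <= self.overlap_window:
            alerts.append(Alert(ev.mac, f"seen in VLAN {prev.vlan} and VLAN {ev.vlan} "
                                        f"within {self.overlap_window}", ev.port, prev.port))
        if alerts:
            # Do not overwrite the retained profile: the stored attachment is
            # treated as the victim until an operator clears the alert.
            return alerts
        # Consistent sighting (same type; roaming outside the window is allowed).
        self.profiles[ev.mac] = Profile(ev.os_family, ev.vlan, ev.port, ev.ts)
        return []


def analyze(events: List[AccessEvent]) -> Tuple[MacSpoofDetector, List[Alert]]:
    det = MacSpoofDetector()
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts.extend(det.observe(ev))
    return det, alerts


def plan_enforcement(alerts: List[Alert]) -> Set[str]:
    """Ports to quarantine: every impersonator attachment, never a victim's."""
    keep = {a.keep_port for a in alerts}
    return {a.quarantine_port for a in alerts} - keep


# Constructed sample events (assumed port names; not from any real network).
SAMPLE_EVENTS = [
    AccessEvent(datetime(2024, 1, 8, 9, 0), "aa:bb:cc:00:11:22", 10, "sw1/Gi1/0/3", "Windows"),
    AccessEvent(datetime(2024, 1, 8, 9, 30), "aa:bb:cc:00:11:22", 10, "sw1/Gi1/0/3", "Windows"),
    AccessEvent(datetime(2024, 1, 8, 9, 32), "aa:bb:cc:00:11:22", 20, "sw2/Gi1/0/7", "Linux"),
    AccessEvent(datetime(2024, 1, 8, 9, 40), "dd:ee:ff:00:00:01", 20, "sw2/Gi1/0/8", "Linux"),
    AccessEvent(datetime(2024, 1, 8, 11, 0), "aa:bb:cc:00:11:22", 30, "ap-3f-west", "Windows"),
]

# Constructed: the same laptop roaming between VLANs with no type change.
ROAMING_ONLY_EVENTS = [
    AccessEvent(datetime(2024, 1, 8, 8, 0), "aa:bb:cc:00:11:22", 10, "sw1/Gi1/0/3", "Windows"),
    AccessEvent(datetime(2024, 1, 8, 9, 0), "aa:bb:cc:00:11:22", 30, "ap-3f-west", "Windows"),
]

if __name__ == "__main__":
    _, found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.mac}: {a.reason} -> quarantine {a.quarantine_port}, keep {a.keep_port}")
    print("quarantine plan:", plan_enforcement(found))
```

When the impersonator sits behind the same switch port as the victim (for example both behind an unmanaged hub), quarantine_port and keep_port coincide and plan_enforcement yields nothing; that case needs a finer-grained control than a port shutdown, which is why the text stresses shutting down the attacker without taking the victim offline.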

Using CGX to detect and prevent MAC spoofing
As an integral part of an access control system, the CGX solution monitors device access requests across wired and wireless networks. Besides capturing the MAC address of each device, it also collects profiling information such as operating system, device platform, location, time and, where possible, user name. Based on this collected information, CGX can then assign the appropriate access rights to the device, ranging from full access through limited access to restricted access that effectively "quarantines" the device.