Access Layer Security (Part 1) – MAC Auth & Device Profiling

I see people doing all sorts of weird and wonderful things to ‘secure’ the Access Layer of their networks.  The vast majority of the methods available can be circumvented to some degree and so with Access Layer security, as with all things Security, defence in depth is your friend.

I’m writing this article to raise awareness of the limitations of some methods and to provide guidance about how to improve your own security.  Do no harm.

MAC Addresses

A MAC Address is an interface’s physical address; it is a unique(ish) Layer2 address used on Ethernet networks.  There are several things different switches can do when it comes to MAC Address based security;

  • Only allow the first MAC address the switch sees on the interface to have network access.
  • Only authenticate the first MAC address, then let anything else come along afterwards
  • Only allow specific MAC address(es) on the interface, either configured locally on the switch or on a centralised RADIUS Server
  • Only allow a certain number of MAC addresses on the interface, and when the number is reached, no more are allowed.

The limitation of all of these methods is the MAC address.  It is trivial to change a MAC address on most attacking devices, so if you are lucky enough to find a ‘valid’ MAC address (such as by disconnecting a known working device), you can spoof the MAC address on the attacking machine and away you go.  If you can’t find a valid MAC address in your physical vicinity, you may be able to listen for frames on the network instead, without even being authenticated.

Spoofing the MAC address of a device that is connected will cause network problems if you don’t remove it, although if you are attacking a large network that has different switches providing different L3 domains, you may be able to get away with re-using the MAC address at a different location, providing L3 for that site is being run by a different switch.

If you aren’t lucky enough to find or sniff for a valid MAC Address, then I’m afraid it gets much harder.  There are 2^48 different MAC Address combinations (281,474,976,710,656!) so the odds of being able to blindly guess a MAC Address are slim.  So the moral is, if you are using MAC Address based security methods and you actually have Clients connected to the network, the information (MAC Address) an attacker can glean from the Client is the weak point.

Device Profiling

Device Profiling looks at a number of attributes about a device to determine its nature, then access is granted according to a Security Policy.  For example, ‘if a device looks and smells like a Mitel handset, put it in the voice VLAN‘.  People use profiling because they sometimes have a network they want to secure, but have a lot of devices which they don’t have the time, inclination, or ability, to authenticate Clients individually.  When I say ‘a device looks and smells like’, we’re using information transmitted over the network to help determine what a device is.  The attributes a profiler can analyse to determine a device’s nature vary by manufacturer, but consider attributes gleaned from MAC OUI, DHCP, CDP/LLDP, SNMP, HTTP Header, NMAP Scans & Netflow to all be possible sources of information.  Much like MAC Address authentication, these are all spoofable values, so if you try hard enough, you will be able to convince a Profiler that your attacking computer is a Printer, a Phone, a Door Entry Control System, whatever… and you will get access according to the type of device you’re impersonating.

If you are serious about using Profiling, the more attributes you can use to determine the nature of the device, the harder it is for somebody to impersonate it.  For example, just using a MAC OUI is easy to defeat.  If however, you add in some analysis of a DHCP Request, an LLDP/CDP Packet, an SNMP Probe, and an NMAP Scan, it will get harder and harder for an attacker to gain access because they will have to spend increasing amounts of time and effort working out what to spoof and how.  This does not mean you have a ‘secure’ network in the true sense of the word, but at least you will be preventing accidental or opportunistic connections and, as far as I can tell, comprehensive profiler spoofing is not yet in the realms of a simple tool you can download, so you’ll likely keep out low level nuisance hackers, but a determined foe will still be able to get in.

MAC Address & Device Profiling Combined

It’s possible to use both of these security methods in parallel.  In this case, you’re using a known MAC Address and looking at the nature of the device before granting access.  Unsurprisingly, this is harder (or rather, less easy) to defeat than the individual methods alone, but nevertheless, all of the attributes are sent in plain text and with enough research and patience, a determined attacker will be able to spoof their way in to a network.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s