
Anti-Mac Spoofing

Created: 09 Aug 2010 • Updated: 14 Sep 2010 | 3 comments
This issue has been solved. See solution.

Currently, we have encountered a non-standard MAC address which we believe causes MAC address spoofing. All workstations were already checked for malware and viruses. We also have MAC filtering using the sticky command in CISCO. This will block all unknown MAC addresses in the said VLAN. We decided to disable the MAC filtering since we receive many calls for unblocking ports. We have discovered that Symantec has anti-MAC spoofing. We enabled it to figure out who is the source of the MAC spoofing. When we enabled it, many workstations experienced disconnection from the network. As a workaround, we release and renew the IP address to restore the network connection, but the problem still occurs. Any help? I also found events in the Event Viewer. The said event occurred when I enabled anti-MAC spoofing. Please see details below.

Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date:  8/9/2010
Time:  3:01:39 PM
User:  NT AUTHORITY\NETWORK SERVICE
Computer: HO09H76
Description:
IPSec Services:  IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


sandeep_sali

When you enable anti-MAC spoofing in Symantec Endpoint Protection, the following happens.

Allows inbound and outbound ARP (Address Resolution Protocol) traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic and logs it in the Security Log. 

Media access control (MAC) addresses are hardware addresses that identify the computers, the servers, and the routers. Some hackers use MAC spoofing to try to hijack a communication session between two computers. When computer A wants to communicate with computer B, computer A may send an ARP packet to computer B.

Anti-MAC spoofing protects a computer from letting another computer reset a MAC address table. If a computer sends an ARP REQUEST message, the client allows the corresponding ARP RESPOND message within a period of 10 seconds. The client rejects all unsolicited ARP RESPOND messages.

This option is disabled by default.

Thanks & Regards

Sandeep C Sali
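
The request/reply tracking described in the comment above, as an added example (not part of the original thread and not Symantec's code): a small Python model of a filter that accepts an ARP reply only when a request to that host was sent within the last 10 seconds and logs everything else. The class and function names, the sample addresses, and the choice to model only inbound replies are assumptions.

```python
from dataclasses import dataclass, field

REPLY_WINDOW = 10.0  # seconds; the period stated in the comment above


@dataclass
class ArpFilter:
    """Illustrative model of request-tracked ARP filtering (hypothetical names)."""
    window: float = REPLY_WINDOW
    pending: dict = field(default_factory=dict)       # target IP -> time request left
    security_log: list = field(default_factory=list)  # rejected replies

    def outbound_request(self, now, target_ip):
        # Remember that this host asked for target_ip at time `now`.
        self.pending[target_ip] = now

    def inbound_reply(self, now, sender_ip, sender_mac):
        asked = self.pending.get(sender_ip)
        # Assumption: the window stays open for its full length after a request.
        if asked is not None and 0 <= now - asked <= self.window:
            return True
        reason = "unsolicited reply" if asked is None else "reply after window"
        self.pending.pop(sender_ip, None)  # forget expired requests
        self.security_log.append((now, sender_ip, sender_mac, reason))
        return False


# Constructed sample traffic: (time_s, direction, kind, peer_ip, peer_mac)
EVENTS = [
    (0.0, "out", "request", "192.0.2.1", None),
    (0.2, "in", "reply", "192.0.2.1", "02:00:00:00:00:01"),   # answer to our request
    (3.0, "in", "reply", "192.0.2.7", "02:00:00:00:00:99"),   # we never asked this host
    (12.5, "in", "reply", "192.0.2.1", "02:00:00:00:00:99"),  # request is 12.5 s old
]


def replay(events, flt=None):
    """Feed events through the filter; return reply verdicts and the log."""
    if flt is None:
        flt = ArpFilter()
    verdicts = []
    for now, direction, kind, ip, mac in events:
        if direction == "out" and kind == "request":
            flt.outbound_request(now, ip)
        elif direction == "in" and kind == "reply":
            verdicts.append(flt.inbound_reply(now, ip, mac))
    return verdicts, flt.security_log


if __name__ == "__main__":
    verdicts, log = replay(EVENTS)
    print(verdicts)
    for entry in log:
        print(entry)
```

The last constructed event shows why timing matters: a reply that claims a new MAC for an address the host did ask about is still rejected once the request is older than the window.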

SOLUTION
sandeep_sali

The other way that I can think of is to set a configuration on a switch usually called "port security" where the port is told to only accept traffic from a specific MAC address.

Thanks & Regards

Sandeep C Sali

Aniket Amdekar

Hi,

As a test, can you disable the Anti-MAC spoofing feature?

Do an IPconfig -renew

Enable Anti-MAC spoofing

This will make sure that the computer satisfies the conditions mentioned above:

"Allows inbound and outbound ARP (Address Resolution Protocol) traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic and logs it in the Security Log."