Endpoint Protection

  • 1.  Anti-Mac Spoofing

    Posted Aug 09, 2010 04:12 AM

    Currently, we have encountered a non-standard MAC address which we believe is causing MAC address spoofing. All workstations were already checked for malware and viruses. We also have MAC filtering using the sticky command in CISCO. This will block all unknown MAC addresses in the said VLAN. We decided to disable the MAC filtering since we receive many calls for unblocking ports. We have discovered that Symantec has anti-MAC spoofing. We enabled it to figure out who is the source of the MAC spoofing. When we enabled it, many workstations experienced disconnection from the network. As a workaround, we release and renew the IP address to restore the network connection, but the problem still occurs. Any help? I also found events in the Event Viewer. The said event occurred when I enabled anti-MAC spoofing. Please see details below.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 615
    Date:  8/9/2010
    Time:  3:01:39 PM
    User:  NT AUTHORITY\NETWORK SERVICE
    Computer: HO09H76
    Description:
    IPSec Services:  IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

     
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


  • 2.  RE: Anti-Mac Spoofing
    Best Answer

    Posted Aug 09, 2010 06:20 AM
    When you enable anti-MAC spoofing in Symantec Endpoint Protection, the following happens.

    Allows inbound and outbound ARP (Address Resolution Protocol) traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic and logs it in the Security Log. 

    Media access control (MAC) addresses are hardware addresses that identify the computers, the servers, and the routers. Some hackers use MAC spoofing to try to hijack a communication session between two computers. When computer A wants to communicate with computer B, computer A may send an ARP packet to computer B.

    Anti-MAC spoofing protects a computer from letting another computer reset a MAC address table. If a computer sends an ARP REQUEST message, the client allows the corresponding ARP RESPOND message within a period of 10 seconds. The client rejects all unsolicited ARP RESPOND messages.

    This option is disabled by default.
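
    The rule described in the reply above, as an added example that is not part of the original post and is not Symantec's code: a small model of a filter that accepts an ARP reply only when it answers the client's own request within 10 seconds, and logs everything else. The class and function names, the one-reply-per-request behaviour and the sample traffic are assumptions made for illustration.

```python
from dataclasses import dataclass, field

REPLY_WINDOW = 10.0  # seconds, the period stated in the post above

@dataclass
class ArpReplyFilter:
    """Model of the rule: accept an ARP reply only if it answers our own recent request."""
    window: float = REPLY_WINDOW
    pending: dict = field(default_factory=dict)       # target IP -> time we asked
    security_log: list = field(default_factory=list)  # blocked replies

    def request_sent(self, now, target_ip):
        self.pending[target_ip] = now

    def reply_received(self, now, sender_ip, sender_mac):
        asked = self.pending.get(sender_ip)
        if asked is not None and 0 <= now - asked <= self.window:
            # Assumption: one request admits one reply, so a second answer is unsolicited.
            del self.pending[sender_ip]
            return True
        reason = "no matching request" if asked is None else "reply outside window"
        self.pending.pop(sender_ip, None)  # an expired request no longer admits a reply
        self.security_log.append((now, sender_ip, sender_mac, reason))
        return False

def replay(events):
    """Run (time, kind, ip[, mac]) events through the filter; return verdicts and the log."""
    f = ArpReplyFilter()
    verdicts = []
    for ev in events:
        if ev[1] == "request":
            f.request_sent(ev[0], ev[2])
        else:
            verdicts.append(f.reply_received(ev[0], ev[2], ev[3]))
    return verdicts, f.security_log

# Constructed sample traffic (documentation addresses, not taken from the thread).
SAMPLE = [
    (0.0, "request", "192.0.2.1"),
    (0.2, "reply", "192.0.2.1", "00:00:5e:00:53:01"),   # solicited: allowed
    (5.0, "reply", "192.0.2.1", "00:00:5e:00:53:99"),   # unsolicited: blocked
    (20.0, "request", "192.0.2.7"),
    (31.5, "reply", "192.0.2.7", "00:00:5e:00:53:07"),  # 11.5 s after request: blocked
]

if __name__ == "__main__":
    verdicts, log = replay(SAMPLE)
    print(verdicts)
    for entry in log:
        print("blocked:", entry)
```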


  • 3.  RE: Anti-Mac Spoofing

    Posted Aug 09, 2010 06:25 AM
    The other way that I can think of is to set a configuration on a switch usually called "port security" where the port is told to only accept traffic from a specific MAC address.


  • 4.  RE: Anti-Mac Spoofing

    Posted Aug 09, 2010 12:10 PM
    Hi,

    As a test, can you disable the Anti-MAC spoofing feature?

    Do an IPconfig -renew

    Enable Anti-MAC spoofing

    This will make sure that the computer satisfies the conditions mentioned above:

    "Allows inbound and outbound ARP (Address Resolution Protocol) traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic and logs it in the Security Log."