Turn on MAC address spoofing protection by IoT fingerprinting

In this topic, you will learn how to turn on and use MAC address spoofing protection in Portnox™ Cloud.

MAC spoofing is a malicious attack method in which the attacker modifies an Ethernet interface’s MAC address on their device to correspond with another device’s MAC address. If certain devices on your network are authorized based only on their MAC addresses, the attacker can unplug the approved device from the network and connect their own device, gaining the same level of network access as the original device.

Portnox Cloud MAC-based authentication detects such attacks and can either raise an alert or disconnect the rogue device. Portnox Cloud functionality called IoT fingerprinting records the device DHCP fingerprint, which is unique, and then checks if the device has the same fingerprinting when connecting again.

For IoT fingerprinting to work, the device must use DHCP to request an IP address, and you must have a DHCP forwarder on the same subnet. When the device connects to the network, it broadcasts its DHCP request in the subnet. The DHCP forwarder picks up the broadcast and forwards it to the Portnox Cloud IoT fingerprinting servers.

Turn on IoT fingerprinting

In this section, you will turn on the IoT fingerprinting functionality in Portnox Cloud™, which is necessary for MAC spoofing protection to work.

In the Cloud portal top menu, click on the Settings option.
In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Agentless IoT Device Fingerprinting option.
In the right-hand side pane, under the Agentless IoT Device Fingerprinting heading, click on the Edit link.
Click on the Enable Agentless IoT Device Fingerprinting checkbox to activate it, and then click on the Save button to save the configuration.

Turn on MAC spoofing protection

In this section, you will turn on the MAC spoofing protection for a specific Portnox Cloud™ MAC-based account.

In the Cloud portal top menu, click on the Devices option.
Click on the row that represents a MAC-based account and then click on the Edit button above to edit the account settings.

To learn how to create a MAC-based account, read the following topic: Create a MAC-based account.
On the account settings screen, scroll down to the IoT Device Trust section, activate the Enable IoT Device Trust checkbox, and then click on the Save account button in the top-right corner of the screen.

The IoT Device Trust (MAC spoofing protection) functionality can function in one of two different modes:
- Send a warning alert if this account is suspected of being the victim of MAC spoofing. Devices under this account will still be allowed access to the corporate network.
- Block devices from accessing the corporate network and send an alert if this account is the victim of MAC spoofing.
In this example, we’re using alerts only. To use the second option and block devices from accessing the network, you need to enable the RADIUS Change of Authorization feature by following the steps in this topic: Enable the RADIUS Change of Authorization feature.

Set up the DHCP forwarder

In this section, we will set up a DHCP forwarder to forward DHCP broadcasts to the Portnox™ Cloud IoT fingerprinting servers.

Note:

If you are worried that forwarding DHCP packets without encryption may be a security risk, note that a DHCP request contains no sensitive information. DHCP requests are broadcast traffic that goes to every endpoint on the network segment. This is true of any network that client accesses, including any hotspots. The only possible identifying information would be the MAC address, but MAC addresses are not truly unique and cannot be used to identify the user or organization. Therefore, DHCP forwarding is not a security risk.

You have two options to set up a DHCP forwarder:

If you have a Layer 3 device such as a router and this device has DHCP forwarder functionality, you can set this device to forward DHCP broadcasts to the Cloud IoT fingerprinting servers. The device must be connected to the same subnet as the devices to be fingerprinted. If you choose this option, follow the device manufacturer instructions to set up DHCP forwarding and forward all DHCP requests to one or both of the following IP addresses on port 67:
- 20.241.131.45 if you use the United States RADIUS server
- 20.4.128.229 if you use the Europe RADIUS server
Note:
The device that acts as a DHCP forwarder cannot act as a DHCP server at the same time.
If you do not have a Layer 3 device that can be used for DHCP forwarding, you can set up a physical or virtual machine on the same subnet to act as a forwarder. Portnox provides a Docker container with all the necessary functionality.

You can also use the Portnox DHCP forwarder if your firewall blocks port 67. The forwarder communicates with the Portnox Cloud servers on port 167 instead.

In this example, we show you how to configure the Portnox DHCP forwarder Docker container on an Ubuntu virtual machine in Oracle VirtualBox.

Install Docker on the virtual machine, if not yet installed.
```
$ sudo apt install docker.io
```
Important:
While the Ubuntu apt repository includes Docker, for production machines Docker recommends using its own apt repository instead. This gives you access to newer versions and additional packages. You can find the relevant instructions in the official Docker documentation.

Important:
If Docker is already installed, skip this step. If you don’t have a physical or virtual machine to install Docker, you can get a third-party Linux image. For example, you can download the latest Ubuntu image from the Linux VM Images project and import it into your hypervisor.
Pull the Portnox DHCP forwarder Docker image.
```
$ sudo docker pull portnox/portnox-dhcp
```
Run the Portnox DHCP forwarder.
```
sudo docker run -d --read-only --net=host \
  --name portnox-dhcp-relay portnox/portnox-dhcp:latest \
  -i eth0 -r 20.4.128.229:167
```
Note:
In this example, the forwarder is sending the data to the European Portnox IoT fingerprinting server. Use the following IP address and port to forward to the United States server instead: 20.241.131.45:167.
Optional: Monitor the Portnox DHCP forwarder logs.
```
$ sudo docker logs portnox-dhcp-relay -f
```
Optional: To automatically update the Portnox DHCP forwarded to the newest version as soon as it is available, install the portnox-autoupdate Docker container, as instructed in the following topic: Automatic updates for all Docker containers.

Test the forwarder connection

In this section, you will use the Packet Sender application to test the connection between the forwarder and Portnox Cloud IoT fingerprinting servers.

To make sure that your forwarder can connect to the Portnox Cloud servers, or to troubleshoot IoT fingerprinting problems, we recommend that you test if the UDP packets are reaching their destination. For this, we recommend that you use the open-source Packet Sender application.

In this example, we will install the Packet Sender application on the Ubuntu virtual machine in Oracle VirtualBox. This is the same machine that is running the DHCP forwarder.

Install Packet Sender.

$ sudo apt install snapd
$ sudo snap install packetsender

Run Packet Sender.
```
$ packetsender
```
Send an echo UDP packet to the Portnox Cloud IoT fingerprinting server.
1. In the ASCII field, type echo.
2. In the Address field, enter the Portnox Cloud IP that you want to test (20.241.131.45 or 20.4.128.229).
3. In the Port field, enter 167.
  Note:
  You can also use Packet Sender to test the connection to port 67, if you want to use a physical device as your DHCP forwarder.
4. Select UDP as the packet type.
5. Click on the Send button.
6. Observe the log section below.
  You should see two entries: one will be the packet that you sent, and the other will be the echo reply. If you only see one entry, port 167 is probably blocked on your firewall.

Test the MAC spoofing protection

In this section, you will attempt MAC spoofing to test if Portnox MAC spoofing protection is working correctly.

To test MAC spoofing protection, you need two devices and you need to know how to change the MAC address of the second device to mimic the MAC address of the first device. In this example, we used a macOS laptop as the original device, and a Windows laptop as the spoofed device.

Find the MAC address of the Ethernet interface of the first device.
In this example, we used a macOS device, and checked the MAC address by using System Preferences: System Preferences > Network > Ethernet adapter > Advanced > Hardware

The discovered MAC address is: 24:1B:7A:F9:5B:DC.
Add the MAC address of the Ethernet interface to the MAC-based account.
1. In the Cloud portal top menu, click on the Devices option.
2. Click on the row that represents a MAC-based account and then click on the Edit button above to edit the account settings.
3. In the Allowed MAC addresses section, click on the Add new MAC address link.
4. In the CREATE NEW MAC ADDRESS window, enter the MAC address of the test device with a description that lets you easily identify and remove it later. Then, click on the Save button.
  For example, add the MAC address 24:1B:7A:F9:5B:DC with a description: MAC spoofing test.
5. Click on the Save account button in the top-right corner of the screen.
Connect the first device to the switch and check for an alert on the Portnox Cloud Alerts screen.
Change the MAC address of the Ethernet adapter of the second device.
In this example, we used a Windows laptop, and changed the MAC address to the MAC address of the first device (24:1B:7A:F9:5B:DC) by doing the following:
1. In the search bar, start typing network connections and select the View network connections option above.
2. Right-click on the icon that represents the Ethernet interface and select the Properties option from the context menu.
3. In the Ethernet Properties window, click on the Configure button.
4. In the Ethernet adapter Properties window, go to the Advanced tab.
5. In the Property list, find the Locally Administered Address entry, click on it, and in the Value field on the right-hand side, enter the MAC address to spoof.
  For example: 241B7AF95BDC
Connect the spoofed device to the switch and check for an alert on the Portnox Cloud Alerts screen.