The threat behind MAC spoofing

When implementing any insurance policy, you need to start with estimating the level of risk, the probability of that risk, and the potential damage should that risk become a reality.

One of the network risks that is often presented to demonstrate the ineffectiveness of 802.1x solutions is the ease of bypassing modern network access control (NAC) by using MAC spoofing. Usually, this involves spoofing the network printer or other vulnerable device.

Now, let’s put aside the fact that network printers today can support certificate or credential-based authentication, and that certain products have remedies against such attempts even when the authentication is based on MAC.

Let’s consider: is MAC spoofing a legitimate threat or an exaggerated, manageable flaw?

But before I try to analyze this risk, I want to point out the biggest advantage a NAC solution can give an organization to cope with modern cyber security threats: the ability to apply dynamic segmentation based on device type or identity.

Without going into too much detail, NAC is one of the only systems that can help you prevent lateral movement, indirectly allowing you to identify breaches and directly helping you to prevent the compromise of your crown jewels.

The threat landscape

Here are some of the most common adversaries when it comes to MAC spoofing:

• The employee – a disgruntled current or former employee
• The guest – a contractor, customer, patient, etc. who physically visits your organization for a period of time
• The hacker – a malicious person trying to attack your network and steal information, causing harm to your organization

And here are the most common attack surfaces:

• Wifi
• Wired, ethernet switches

One caveat: most wifi environments contain managed devices. So, for devices that do not have an 802.1x supplicant, and thus does not support certificate-based authentication (or credentials based), it is easy to setup an isolated segment and significantly lower the risk of attack.

As such, we’ll put our focus on examining wired environments, and how they’re vulnerable to the above adversaries.

Adversaries in-depth

Let’s be clear – MAC spoofing requires some technical knowledge to execute, which the non-technical lay person typically does not possess. Those doing it know what they’re doing, and they know it’s wrong.

With that said, it’s important to point out that a lot of damage is caused by the unintended – i.e. people clicking on a link in an email, deleting the wrong record or file, or even dropping a laptop into a pool.

The employee

Employees should be trustworthy. If they’re not, cyber security is likely not your problem. But, when someone is fired, laid off, or even just mistreated at work, there always exists the potential for them to hold a grudge. It’s human nature.

Disgruntled employees can pose a big risk. If an employee still works for an organization and he/she is determined to do damage, that’s a problem that’s nearly impossible to prevent. The network connection alone is not going to stop he/she from stealing data or worse. This individual likely already has access through other corporate devices and the credentials to access whatever data he/she wants.

At the end of the day, however, this individual’s risk of MAC spoofing can be categorized as “very low” with “low” probability and “low” potential for damage. The reason being is that the potential damage done is not necessarily related to network connection. The first line of defense against a disgruntled current of former employees is physical barriers – i.e. locked doors and other physical security.

The guest

A guest visiting your office might want to connect to your network. Most likely, this guest will not go to great lengths to hack your network if they are initially blocked. By supplying a guest network, such as a guest wifi, you will effectively eliminate that risk all together. Thus, like the employee, this individual’s risk of MAC spoofing can be categorized as “very low” for both probability and damage.

The hacker

A hacker will need physical access to your network in order to do his/her job. Today, spearhead attacks can enable hackers to access your networks from afar. Doing so, however, typically requires some sort of motive.

This motivation is often dependent upon the type of business you operate. If you’re in military and defense, for example, you likely have a higher than average risk of being the target of such an attack. The same going for banking and financial services, healthcare and any other industry with highly sensitive and confidential data.

For most organizations, the threat of physical access hacking is typically low, while the potential for damage could be high. Should a retailer fear physical burglary just because a new device has connected to its network? I think not.

In conclusion

For most organizations, the risk of MAC spoofing is almost non-existent. This is usually fairly easy for an auditor to demonstrate, and would appear as part of a comprehensive security report. So in reality, the perception of the threat is that it’s a much larger problem than it actually is.

You can also prevent MAC spoofing by implementing stronger authentication methods that are fairly common today. One of the major roles of NAC is to provide secure authentication and authorization to the network. Thus, even if authentication is somehow breached, authorization serves as a second layer of defense that can limit access by putting potential individuals of risk in a specific “narrow” segment.

The segmentation of specific types of MAC-based devices is a best practice in NAC. Even if spoofing occurs, such a device won’t be able to access a particularly sensitive VLAN, such as those in Finance or HR, if proper segmentation has been established through your network security policies.

Everyday Loans is the UK’s leading independent loan lender, operating dozens of branches across the country and boasting a personal, hands-on approach to lending, uncommon in today’s digitally anonymous financial services industry.

Today, personal lending in the UK has grown to become an industry approaching 24 billion GBP, with recent acceleration due to widespread financial uncertainty and hardship in the wake of the COVID-19 pandemic.

The company’s IT department, led by Head of IT Tony Sheehan, experienced the tangible impact of this market growth as more and more customers walked through the doors of Everyday Loans’ many branches, and as the company increased its employee headcount in response to demand.

With more guests and customers on-site as well as a growing workforce, Sheehan and his team began to assess potential cybersecurity vulnerabilities – beginning with the corporate network.

Sheehan describes the company’s initial network security vulnerabilities: “We have a presence online, but we’re predominantly a face-to-face lender. We have over 75 offices with many new and repeat customers coming in to discuss a loan, as well as part-time staff for cleaning, security and maintenance. As a result, we knew network authentication was an obvious vulnerability.”

Shifting Focus to Network Authentication

Implementing a solution for network authentication was a logical next step for Sheehan’s IT team. Given the increased branch foot traffic, the company needed to ensure it had total device awareness across the network. “This was a concern voiced to our new CTO when he came on board. He agreed, so we went about looking at different tools for network authentication and access control,” said Sheehan.

Another factor driving a focus on NAC was staff turnover. “Like every company, we have staff that leave us, and we need to ensure they can no longer access our network after they’ve departed,” said Sheehan. At that point in time, Everyday Loans knew that it’s usage of a hidden SSID paired with a PSK was not up to snuff from a security standpoint. As Sheehan and his team began to research potential solutions for network authentication and access control, two requirements became apparent:

• They had no desire to build upon their existing on-prem or virtual footprint; adding maintenance tasks to the laundry list of other IT responsibilities was a non-starter
• The company wanted a SaaS solution that could support its existing cloud-native hardware – primarily Meraki network devices and ChromeBox endpoints

Considering Network Access Control Options

Sheehan and his team found themselves at a crossroads as they mulled over these requirements. “We were either going to double down and stand-up another datacenter as part of a general infrastructure expansion initiative which would also enable us to deploy network access control on-premises, or we were going to go out and find a cloud-native NAC solution that fit our needs,” Sheehan said.

Portnox CLEAR was the only true cloud-native NAC we could find with the deployment and support model we wanted.

-Tony Sheehan, Head of IT at Everyday Loans

Having considered Microsoft NPS for RADIUS authentication and 802.1X, and Cisco ISE for full network access control, Sheehan and Everyday Loans’ IT team made the executive decision that neither tool was suited to their existing network security needs, internal skillsets, resource bandwidth or networking infrastructure. “We came across Portnox CLEAR fairly quickly thanks to the help of our partner, Haptic Networks,” Sheehan continued. “It was the only true cloud–native NAC we could find with the deployment and support model we wanted. Each of the other vendors had some solutions that were close in functionality, but in the end, they didn’t cover our needs totally – either functionally or operationally in terms of their ease-of-use. Ultimately, we went with Portnox CLEAR since it provided coverage across all our network devices and connected endpoints.” 

Up & Running with Portnox CLEAR

After beginning a proof of concept of Portnox’s cloud-native NAC-as-a-Service, Everyday Loans ruled out competing alternatives. “It worked as expected. After comparing Portnox CLEAR’s robust, easy-to-use functionality to that of the other vendors up for consideration, we soon dismissed alternatives as they did not meet our technical security requirements,” Sheehan said.

The trial continued and Sheehan’s team threw every possible authentication and access control use case they could conjure up at the system to test its durability.

“Anyone with good network experience will pick up Portnox CLEAR with ease – it’s just a case of ensuring how you setup the network hardware and what control you have over employee and guest devices,” Sheehan went on to say.

Anyone with good network experience will pick up Portnox CLEAR with ease – it’s just a case of ensuring how you setup the network hardware and what control you have over employee and guest device.

-Tony Sheehan, Head of IT at Everyday Loans

Everyday Loans was able to deploy Portnox CLEAR across its 75 sites with relative ease, saving the company’s headquarters for last. “Portnox CLEAR has exceeded my expectations. Now that it is fully deployed, the visibility and control we have of users authenticating to the network is unparalleled,” Sheehan concluded.

“It is a huge bonus that the system easily integrates with Azure Active Directory and provides its own certificate authority out-of-the-box. Having multiple methods for authentications helps us ensure all our bases are covered. The solution has been reliable from day one.”

Why is Antivirus Essential?

Antivirus software helps protect computers against malware and cybercriminals. Antivirus software looks at data – web pages, files, software, applications – traveling over the network to your devices. It searches for known threats and monitors the behavior of all programs, flagging suspicious behavior. It seeks to block or remove malware as quickly as possible.

Antivirus protection is essential, given the array of constantly-emerging cyber threats. If you don’t have protective software installed, you could be at risk of picking up a virus or being targeted by other malicious software that can remain undetected and wreak havoc on your computer and mobile devices.

Necessary Antivirus Capabilities

Real-time Scanning

While all antivirus software is specifically designed to detect the presence of malware, not all of them detect in the same way. Ineffective products force you to run a manual scan to determine if any systems have been affected, while the best forms of software have dynamic scanning features that are repeatedly checking your computer for the presence of malicious entities. Without this feature, it’s much easier for something to infiltrate a device and begin causing damage before you even realize it.

Automatic Updates

Updates are vital for all forms of software, but this is especially true when it comes to antivirus. Because new types of malware are constantly being developed, antivirus software needs frequent updates in order to track and contain new threats that didn’t even exist when it was first installed. If you have to install updates manually, you might miss important new protections and expose your system to infection, so always make sure your antivirus software is capable of installing updates automatically and frequently.

Protection for Multiple Apps

Threats exist across the entire spectrum of applications and services that you rely on for your everyday tasks. From email clients, to your CRM, ERP, and beyond, harmful software can sneak into systems from a variety of different sources. Antivirus programs need to protect multiple vulnerable applications from potential dangers.

Auto-Clean

If the antivirus software immediately detects malicious software, why wouldn’t it delete the code on the spot? Unfortunately, some solutions simply place the malware in a quarantine zone upon detection, waiting for the user to log on and manually delete it. You should choose a program that utilizes an auto-clean feature to rid itself of viruses.

Fights Against All Types of Malware

Between trojans, bots, spyware, viruses, etc., there are many different types of malware that can harm your computer, and antivirus programs are sometimes designed only to target a specific type of software. It’s better to go with a program that can comprehensively detect all forms of malware.

Why is 802.1x Network Access Control Essential?

802.1x network access control is a technology that enables organizations to enact its own unique policy for how and when endpoints (desktops, laptops, smartphones, etc.) can connect to their corporate networks. NAC solutions are typically designed to allow IT security teams to gain visibility of each device trying to access its network, and specifically the type of device and access layer being used (i.e. wifi, wired ports, or VPN).

Today, 802.1x network access control provides a number of powerful features on top of what it was originally designed for years ago. These include security posture assessments for endpoints, which pinpoints any associated endpoint risks, allowing network security administrators to control network access based on their organization’s risk tolerance threshold.

With the rise of cloud computing, remote workforces, bring-your-own-device (BYOD) policies, and the internet of things (IoT), network access control has become a much more critical part of the larger cybersecurity technology stack at most companies. The technology itself has also evolved quite drastically in response to these emerging trends and their impact on networking and ensuring network security.

Key Functionality to Consider When Deploying a NAC Solution

Network Visibility & Device Discovery

A NAC solution discovers and identifies all devices/users in the network before they are granted network access, requiring continuous monitoring of the network and devices connected to it. The system enables the discovery, classification and assessment of every device connected to the network. Configuration and security state of every device is monitored, ensuring that the network and devices are compliant to the organizational security policy.

Full Access Layer Coverage

As today’s networks explode in size and scope, particularly with remote workforces on the rise, it’s imperative that your 802.1x network access control solution can manage access control across all existing access layers. This includes the obvious – wired ports and WiFi. It also must be able to manage the various remote access methods used within your organization. These may include VPN, Teleworker Gateways, and beyond.

Authentication Services

Traditionally, enterprises have enabled network authentication via usernames and passwords. As we now know today, this method of authentication can be easily compromised by bad actors, making it no longer sufficiently secure for enforcing network access control. Any NAC worth its salt should offer several methods for authentication, including: role-based, MAC authentication bypass (MAB), and certificate authority.

Device On-Boarding

Business units and even departments (think Finance & Accounting, for example) often have their own VLANs since they’re dealing with very sensitive, confidential data. The task of setting up such VLANs and onboarding new devices is just one of dozens of tasks overseen by frequently overburdened IT teams. So, if not done correctly at first, it can open the door to potential network vulnerabilities, such as a person gaining access to a part of the network he/she should not have the privileges for. At a small scale, managing access manually is often sufficient. For larger organizations, however, this just isn’t sustainable. As a result, many large organizations that don’t have a secure onboarding process will often compromise on network security hygiene.

Policy Configuration

Network security teams define and activate access control policies to control device access to the corporate network, which is ultimately based on the device authorization state. Once a device is authorized for network access, a network access policy determines which specific virtual LAN (VLAN) that device or user is directed to. On top of that, the policy also defines, for each type of authorization violation, whether to deny entry or whether to quarantine the device by assigning it to a specific VLAN or apply an access control list (ACL).

Endpoint Risk Monitoring

Your corporate network is only as strong as its weakest security link. This means continuous risk posture assessment is paramount. By continually monitoring the network, your network and security teams can stay ahead of cyberattacks with the ability to identify new risks in real-time, react to these risks, and take action. In a world with ever-expanding boundaries and an exponential increase in types of endpoints, continuous risk posture assessment must function no matter location, device type, or the type of data being transferred.

Device Remediation

Having a rapid remediation plan in place will not only help prevent further damage or the lateral spread of attacks but also allow for business continuity. Effective endpoint remediation consists of:

• Automated Patch Updates Across the Network – Enforce necessary patch, anti-virus, operating system, and application updates across managed and unmanaged endpoints.
• Immediate Incident Response – Contain ransomware events by remotely disconnecting endpoints from the network without the need for manual intervention.
• Armed Incident Response Teams – Arm IT professionals and network admins with the ability to remotely take actions on employees’ devices. The proliferation of IoT devices over the last decade has prompted a growing number of network security concerns. With all of these devices – printers, CCTV cameras, ATMs, MRI machines, etc. – now connected to their respective networks, it’s exponentially expanding corporate threat surfaces.

Compliance Enforcement

NAC is used to enforce regulatory policies and maintain compliance across the organization. In practice, this typically means:

• Understanding how mobile, BYOD, and IoT devices will affect and transform not only the organization but the industry and implementing the right processes and tools control them.
• Tracking any network related device or program in real-time via a centrally secured platform providing full and actionable visibility.
• Controlling access to the network and to cloud applications, even based on the geographical locations of users.
• Ensuring that the business is in compliance with governmental regulations like SOX, PCI DSS, HIPPA, FINRA, FISMA, GLBA among others. Strict compliance will provide legitimacy with clients and partners.

1. Plan for Professional Services Fees

Cisco ISE is a large, cumbersome and complex application and it’s unlikely you’ll have the internal resources to throw at an upgrade. You’re not alone. This is why managed service providers exist, after all. Now with that said, you can expect to be quoted anywhere from 40-65 hours of professional services to initiate, test and complete a full Cisco ISE upgrade. Let’s hope it’s for chronological versions, and not for a significant jump if you’ve been running on a single version for years without upgrading.

Depending on the firm you contract for the work, you’ll probably see a range of hourly rates – anywhere from $175-250/hour. So, if we do the math, that’s $7,000 on the low end and $16,250 on the high end. In some cases, ISE customers have even reported paying more for third-party upgrade support. Mind you, Cisco ISE is also a product you’ve already paid for.

2. Set Aside Enough Time

It’s not hard to find the Cisco ISE horror stories on Reddit and other online communities where people have taken to detailing their ISE upgrade experiences. In more tragic cases, some ISE customers have taken to these threads to seek real-time help from strangers. The reality is that you cannot and should not rush an ISE upgrade. 10 times out of 10, those who have lived through it will suggest testing the upgrade in your lab before pushing live to production. This means setting aside the appropriate amount of time conduct the upgrade and minimize the failures (more on that below).

Configuration is complicated, and the 50+ page system upgrade checklists are a testament to that. If you’re going to manage an ISE upgrade in-house, prepare for more than 40 hours – especially if you’re not an ISE expert. And if things go awry, don’t expect prompt support from Cisco TAC.

3. Prepare for Failure

There’s a reason that Cisco provides extensive documentation for potential ISE upgrade failures – it happens a lot – especially if you opted to tackle it head on internally after balking at the above PS costs. Ultimately, planning for failure means planning for service downtime altogether. To minimize the impact on operations from service downtime, you’ll likely need to spend the weekend parsing through pages and pages of ISE upgrade instructions – missing your kid’s soccer game, unable to take your wife out to dinner, and not watching your alma mater play in the big bowl game.

Sometimes, in multi-server deployments, some of your servers in the infrastructure will not upgrade successfully. If that happens, you’ll have to rebuild the server as a new node and re-join the cluster. Sounds fun, right?

4. Be Mindful of Your Subscription

We all like auto-pay and auto-renew for some of our everyday subscriptions. It’s a little different when you’re talking about a large, enterprise application, however. You should be mindful that Cisco ISE subscriptions automatically renew for an additional 12-month term by default unless auto-renewal is deselected at the time of initial order. Three months before the end of the initial term, renewal notices will be sent to you, and you’ll or partner receive an invoice at the start of the new term.

Now, you can cancel a renewal up to 60 days prior to the start date of the new term, but if the subscription is not cancelled 60 days prior to the start of the new term, the subscription will auto-renew. Mid-term cancellations of subscriptions for credit are not allowed. Starting with the release of Cisco ISE 3.0, licenses have changed and you should check carefully to see if you can import your old license or if you need to migrate to the new license method entirely.

There IS an Alternative

With Portnox CLEAR – the first and only cloud-delivered NAC-as-aService – organizations gain actionable network visibility and continuous risk monitoring of all endpoints across all access layers – no matter device type or geo-location. Portnox CLEAR determines device type, location and level of access for every user on the network. Additionally, the platform can identify operating systems, installed applications, services, certificates and more – helping your IT team ensure compliance across the entire workforce.

With access control based on 802.1X protocol, network administrators can block rogue devices, quarantine noncompliant endpoints, limit access to specified resources and more – whatever your internal policy calls for. As a cloud-delivered solution, Portnox CLEAR is simple to configure, deploy and maintain. With built-in integrations to AzureAD, Okta, Microsoft Intune, Palo Alto Networks and more, you can easily mesh your network access control with your existing tech stack and remain as streamlined as ever.

Portnox is SOC-certified, GDPR ready, and can help organizations in preparation for regulatory compliance, such as PCI, HIPAA and more. All customer data is encrypted in-motion or at rest, user credentials never leave the organization, and administrators can be set to use MFA.