Security Basics mailing list archives

Re: Changing the mac address on Windows 2000 and XP


From: David Siles <ctowizkid () gmail com>
Date: Wed, 6 Jul 2005 23:07:05 -0500

I will add my two cents for catching the MAC changes. We do a few
things in our environment:

1.)  We use port-level security with sticky MAC addresses.  We only
let MAC addresses we know that are assigned to certain ports talk on
the network.  However, this begs the problem that if I were going to
jack in and knew this, I would spoof my MAC so it lets me on.

2.)  We use KIWI CatTools and dump all the port, ARP, and MAC tables
from our switches many times a day and have in-house, home-grown
scripts that look at the delta changes between the reports.  We also
drop this data in a backend MySQL db that keeps a record of when a MAC
was first seen on our network, what ports it has shown up on, and when
a new MAC has been introduced on a port security port that didn't meet
the defined MAC we were expecting.

3.)  We have implemented Clean Access and all machines not carrying
the trust agent get stuck in a cinderella network, while we are
alerted, and let it go nowhere.  This is where we counteract point
number one, where someone with a SMAC spoofing their MAC address who
jacks in my network, but doesn't carry the agent, really gets pointed
out.  Especially if the machine carrying the MAC that is spoofed is
assigned to a machine we know that should be carrying the trust agent.

4.)  The one realm that makes this harder, but still catchable, is good
old wireless.  We can't do the sticky MACs, and spoofing MACs across
the wifi is an age-old fun one.  Especially when using the AP's MAC
itself.  We use a number of systems that I won't enumerate here, but
some good searches in good old Google will get you the systems that
will help here.

Regards,

Dave

On 6 Jul 2005 04:05:15 -0000, blanketyblank () blank com
<blanketyblank () blank com> wrote:
http://amac.paqtool.com/

If there is a tool to change it, there is a tool to detect the change.

Or simply lock them out at the router.

:)
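
Added example, not part of the original post and not the poster's scripts: a sketch of the snapshot-delta check described in point 2, recording when each MAC was first seen on each port and alerting on new MACs, MACs that move ports, and MACs that do not match a port-security assignment. The dump format, the `EXPECTED` table, the function names, and the use of SQLite in place of MySQL are assumptions made so the example runs offline.

```python
import re
import sqlite3

# Constructed samples in the style of a switch "show mac address-table" dump.
SNAP_1 = """\
  10    0011.2233.4455    STATIC      Fa0/1
  10    0011.2233.4466    STATIC      Fa0/2
"""
SNAP_2 = """\
  10    0011.2233.4455    STATIC      Fa0/1
  10    0011.2233.4466    STATIC      Fa0/7
  10    00de.adbe.ef01    DYNAMIC     Fa0/2
"""
# Hypothetical port-security assignments: port -> the MAC expected there.
EXPECTED = {"Fa0/1": "0011.2233.4455", "Fa0/2": "0011.2233.4466"}

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.I)

def open_db():
    """In-memory stand-in for the backend database (one row per MAC/port pair)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sightings (mac TEXT, port TEXT, first_seen TEXT, "
               "PRIMARY KEY (mac, port))")
    return db

def ingest(db, taken_at, dump, expected=EXPECTED):
    """Record one snapshot and return alerts for anything that changed."""
    alerts = []
    for line in dump.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        mac, port = m.group(2).lower(), m.group(4)
        known_ports = [r[0] for r in db.execute(
            "SELECT port FROM sightings WHERE mac = ?", (mac,))]
        if not known_ports:
            alerts.append(("new_mac", mac, port))
        elif port not in known_ports:
            alerts.append(("moved", mac, port))  # known MAC on a new port
        if port in expected and expected[port] != mac:
            alerts.append(("unexpected_on_secured_port", mac, port))
        # INSERT OR IGNORE keeps the original first_seen for a known pair.
        db.execute("INSERT OR IGNORE INTO sightings VALUES (?, ?, ?)",
                   (mac, port, taken_at))
    return alerts
```

The first snapshot reports every MAC as new, so it serves as the baseline; later snapshots only alert on the deltas.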
