
I was wondering if it's possible to prevent MAC spoofing / 802.1X bypass techniques as described here: https://www.defcon.org/images/defcon-19/dc-19-presentations/Duckwall/DEFCON-19-Duckwall-Bridge-Too-Far.pdf

I have searched for a while now, and the only thing I can find is MACSec. The problem with other prevention methods is that they often rely on associating the user's MAC address with their IP address. This cannot be done because the attack described in the article spoofs both IP and MAC address. MACSec is a newer technique not supported by many vendors.

Other thoughts:

  • Would IPSec or VPN help against this?
  • Users need physical access to the network for the attack to work
  • Maybe some device fingerprinting would work to prevent this

Any suggestions are welcome, thanks!

Tetsujin

1 Answer


After several days of additional research, I have come to a conclusion.

802.1X bypass / MAC spoofing cannot be prevented directly; its risks, however, can be mitigated.

Passive fingerprinting techniques can be used to determine if the host's operating system has changed. When it does, the host can be excluded from the network. There are probably NAC vendors which implement this (not verified nor researched).

MACSec can be used to mitigate all risk. An attacker would be able to capture MAC addresses and spoof them, but no packets can be sent to machines as the encryption key is not known to the attacker (well, let's assume it's not, otherwise you have a bigger problem).

The same goes for IPSec. It can be used to mitigate most of the risk as long as the encryption key is not compromised. The downside of IPSec compared to MACSec is that IPSec does not protect against layer two attacks (e.g. ARP poisoning).

These statements are based on me trying the stuff out on a test setup with two computers and a switch.
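The passive fingerprinting idea from the answer, written out as a small detector. This is an added example, not code from the question, the answer, or any NAC product: it keeps one coarse fingerprint per source MAC (normalised initial IP TTL, TCP window size, DF flag) and reports any MAC whose fingerprint changes, which is the "operating system changed" signal the answer proposes acting on. The packet records are constructed sample data, and the fingerprint fields and the `Fingerprint`/`FingerprintTracker` names are my own choice.

```python
"""Per-MAC passive OS-fingerprint change detector (added example, not from the
original post). Packets below are constructed samples, not real captures."""
from collections import namedtuple

# Coarse passive fingerprint: (normalised initial TTL, TCP window size, DF flag).
Fingerprint = namedtuple("Fingerprint", "ttl window df")

# Constructed sample traffic as (src_mac, observed_ip_ttl, tcp_window, df_flag).
# MAC ...44:55 looks Linux-like for three packets, then suddenly Windows-like.
# MAC ...66:77 keeps a stable fingerprint throughout.
SAMPLE_PACKETS = [
    ("00:11:22:33:44:55", 63, 29200, True),
    ("00:11:22:33:66:77", 127, 8192, True),
    ("00:11:22:33:44:55", 63, 29200, True),
    ("00:11:22:33:44:55", 62, 29200, True),   # one extra hop, same OS
    ("00:11:22:33:66:77", 127, 8192, True),
    ("00:11:22:33:44:55", 126, 8192, True),   # fingerprint change on this MAC
    ("00:11:22:33:66:77", 126, 8192, True),
]


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value so that a
    different hop count is not mistaken for a different operating system."""
    for guess in (32, 64, 128, 255):
        if observed <= guess:
            return guess
    return observed


class FingerprintTracker:
    """Remembers the first fingerprint seen per MAC and flags later mismatches."""

    def __init__(self):
        self.known = {}

    def observe(self, mac, ttl, window, df):
        """Record one packet. Returns (old, new) on a fingerprint change, else None."""
        fp = Fingerprint(initial_ttl(ttl), window, df)
        previous = self.known.get(mac)
        if previous is None:
            self.known[mac] = fp
            return None
        if previous != fp:
            # Update the baseline so one change is reported once, not per packet.
            self.known[mac] = fp
            return previous, fp
        return None


def detect_changes(packets):
    """Run the tracker over a packet list; return [(mac, old_fp, new_fp), ...]."""
    tracker = FingerprintTracker()
    alerts = []
    for mac, ttl, window, df in packets:
        change = tracker.observe(mac, ttl, window, df)
        if change is not None:
            alerts.append((mac, change[0], change[1]))
    return alerts


if __name__ == "__main__":
    for mac, old, new in detect_changes(SAMPLE_PACKETS):
        print(f"{mac}: fingerprint changed from {old} to {new}")
```

The check only catches a host whose traffic starts looking like a different OS, which is exactly the limit the answer states: it mitigates, it does not prevent. Expect false positives from dual-boot machines or VMs that bridge through the host NIC, so treat an alert as a trigger for re-authentication or quarantine rather than an automatic permanent block.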