Re: Network "Change Management"
From: Jerry Patterson (webgooroo_at_gmail.com)
Date: Fri, 24 Sep 2004 21:08:59 -0400
To: Marty Armstrong <email@example.com>
The replies you already received are very thorough. One point I'd
like to add is, regarding "1. If it is a managed switch, you should be
able to configure it to only allow MACs on a given list, hence
preventing new boxes from even getting a layer 2 connection." On the
Cisco switches I've worked with, you can actually bind specific MAC
addresses to specific ports, which could take this one step further.
On Mon, 20 Sep 2004 12:34:32 -0700, Marty Armstrong wrote:
> Yes, try http://www.netreg.org/ (NetReg: Automated DHCP Registration System). It is used by the education sector. It's open source and Linux OS based.
> -Marty Armstrong
> PatchLink Corporation
> -----Original Message-----
> From: "Zow" Terry Brugger [mailto:firstname.lastname@example.org]
> Sent: Thu 9/16/2004 12:24 PM
> To: Dave Torre
> Cc: email@example.com
> Subject: Re: Network "Change Management"
> > Does anyone know of a Linux utility that can watch the MAC address
> > tables in Cisco switches and alert admins as to when a new device has
> > been plugged in?
> I don't work with Cisco switches too much, however you may be able to
> configure it to send an snmp alert to your Linux box when a new device is
> plugged in. You'd then use snmp-util (or whatever it's called these days) to
> handle the message on the Linux side.
> Alternatively you can set up arpwatch on your Linux box and periodically ping
> your whole range of IPs. Arpwatch will alert you when it sees new or changed
> MAC addresses for those IPs.
> > Basically, we have your standard client network with DHCP. Internet
> > access is restricted to authenticated users, and so are the file shares.
> > However, we've had a few instances where people just plug in their
> > personal laptops which makes me very worried...
> Okay, then a couple other things you might want to consider:
> 1. If it is a managed switch, you should be able to configure it to only
> allow MACs on a given list, hence preventing new boxes from even getting a
> layer 2 connection.
> 2. Set up the dhcp server to only allocate IPs to certain MAC addresses.
> 3. You should be able to get dhcpd to report to you when it allocates to a
> previously unseen MAC address (probably by throwing together some scripts to
> parse the log messages and comparing the MACs in them to a list).
> Of course, all of the above are assuming that someone isn't spoofing their
> MAC address to one that you allow on your network. Typically someone has to
> be deliberately malicious to do that though, so the above strategies
> (especially blocking based on MAC) are good for stopping people from
> connecting up their personal laptop and infecting the network with the worm
> du jour. The best prevention against MAC spoofing is to trust your users.
> Hope this helps,
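
Added example, not part of the original thread: one way to do what point 3 of the quoted reply describes, parsing dhcpd log messages and comparing the MACs in them to a list. It assumes the ISC dhcpd syslog line format for DHCPACK; the function names, the allow list and the sample log lines are constructed for illustration.

```python
import re

# ISC dhcpd syslog lines look like:
#   "... dhcpd: DHCPACK on 10.0.0.21 to 00:0c:29:aa:bb:01 (ws-01) via eth0"
ACK_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

def normalize_mac(mac):
    """Lower-case a MAC and reduce it to colon-separated form for comparison."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_unknown_leases(log_lines, known_macs):
    """Return one alert dict per previously unseen MAC that received a lease."""
    known = {normalize_mac(m) for m in known_macs}
    alerts = {}
    for line in log_lines:
        m = ACK_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement
        mac = normalize_mac(m.group("mac"))
        if mac in known or mac in alerts:
            continue  # approved device, or already reported (lease renewal)
        alerts[mac] = {"mac": mac, "ip": m.group("ip"),
                       "host": m.group("host") or "", "iface": m.group("iface")}
    return list(alerts.values())

# Constructed sample data, not taken from the thread.
KNOWN_MACS = ["00:0C:29:AA:BB:01", "0011.2233.4455"]  # second is in Cisco notation
SAMPLE_LOG = [
    "Sep 16 12:24:01 gw dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth0",
    "Sep 16 12:24:02 gw dhcpd: DHCPACK on 10.0.0.21 to 00:0c:29:aa:bb:01 (ws-01) via eth0",
    "Sep 16 12:30:10 gw dhcpd: DHCPACK on 10.0.0.22 to 00:11:22:33:44:55 via eth0",
    "Sep 16 12:41:55 gw dhcpd[812]: DHCPACK on 10.0.0.87 to 00:a0:c5:12:34:56 (laptop) via eth0",
    "Sep 16 13:41:55 gw dhcpd[812]: DHCPACK on 10.0.0.87 to 00:A0:C5:12:34:56 (laptop) via eth0",
]

if __name__ == "__main__":
    for a in find_unknown_leases(SAMPLE_LOG, KNOWN_MACS):
        print(f"ALERT new MAC {a['mac']} got {a['ip']} host={a['host']!r} via {a['iface']}")
```

A device configured with a static IP never appears in the DHCP log, which is the gap the arpwatch approach mentioned in the thread covers.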