Re: Network "Change Management"

From: Jerry Patterson (webgooroo_at_gmail.com)
Date: 09/25/04

  • Next message: Jorge Alfredo Garcia: "Re: iptables & tcp wrappers"
    Date: Fri, 24 Sep 2004 21:08:59 -0400
    To: Marty Armstrong <martya@patchlink.com>

    The replies you already received are very thorough. One point I'd
    like to add regards "1. If it is a managed switch, you should be
    able to configure it to only allow MACs on a given list, hence
    preventing new boxes from even getting a layer 2 connection." On the
    Cisco switches I've worked with, you can actually bind specific MAC
    addresses to specific ports, which could take this one step further.

    Jerry

    On Mon, 20 Sep 2004 12:34:32 -0700, Marty Armstrong
    <martya@patchlink.com> wrote:
    >
    > Yes, try http://www.netreg.org/ NetReg: Automated DHCP Registration System; it is used by the education sector. It's open source and Linux OS based.
    >
    > -Marty Armstrong
    > PatchLink Corporation
    > -----Original Message-----
    > From: "Zow" Terry Brugger [mailto:zow@llnl.gov]
    > Sent: Thu 9/16/2004 12:24 PM
    > To: Dave Torre
    > Cc: focus-linux@securityfocus.com
    > Subject: Re: Network "Change Management"
    >
    > Dave,
    >
    > > Does anyone know of a Linux utility that can watch the MAC address
    > > tables in Cisco switches and alert admins as to when a new device has
    > > been plugged in?
    >
    > I don't work with Cisco switches too much, however you may be able to
    > configure it to send an snmp alert to your Linux box when a new device is
    > plugged in. You'd then use snmp-util (or whatever it's called these days) to
    > handle the message on the Linux side.
    >
    > Alternatively you can set up arpwatch on your Linux box and periodically ping
    > your whole range of IPs. Arpwatch will alert you when it sees new or changed
    > MAC addresses for those IPs.
    >
    > > Basically, we have your standard client network with DHCP. Internet
    > > access is restricted to authenticated users, and so are the file shares.
    > > However, we've had a few instances where people just plug in their
    > > personal laptops which makes me very worried...
    >
    > Okay, then a couple other things you might want to consider:
    > 1. If it is a managed switch, you should be able to configure it to only
    > allow MACs on a given list, hence preventing new boxes from even getting a
    > layer 2 connection.
    > 2. Set up the dhcp server to only allocate IPs to certain MAC addresses.
    > 3. You should be able to get dhcpd to report to you when it allocates to a
    > previously unseen MAC address (probably by throwing together some scripts to
    > parse the log messages and comparing the MACs in them to a list).
    >
    > Of course, all of the above are assuming that someone isn't spoofing their
    > MAC address to one that you allow on your network. Typically someone has to
    > be deliberately malicious to do that though, so the above strategies
    > (especially blocking based on MAC) are good for stopping people from
    > connecting up their personal laptop and infecting the network with the worm
    > du jour. The best prevention against MAC spoofing is to trust your users.
    >
    > Hope this helps,
    > Terry
    >
    >
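As an added illustration of Terry's third suggestion (this is not code from the thread), a small Python script that parses the DHCPACK lines ISC dhcpd writes to syslog and reports leases granted to MAC addresses missing from an allow-list; the log lines and the MAC list below are constructed samples.

```python
"""Report DHCP leases handed to MAC addresses not on an allow-list."""
import re
from typing import Iterable, List, Set, Tuple

# Matches the DHCPACK lines ISC dhcpd logs via syslog, e.g.
# "Sep 20 12:34:32 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 (desk-01) via eth0"
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

def normalize_mac(mac: str) -> str:
    """Lower-case and zero-pad so 0:A:B:C:D:E and 00:0a:0b:0c:0d:0e compare equal."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))

def load_allowed(text: str) -> Set[str]:
    """Parse an allow-list: one MAC per line, '#' comments and blank lines ignored."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            allowed.add(normalize_mac(line))
    return allowed

def find_unknown_leases(log_lines: Iterable[str], allowed: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (mac, ip, hostname) for every DHCPACK to a MAC not in allowed.
    Each MAC is reported once, so a client renewing often does not flood the alert."""
    seen: Set[str] = set()
    unknown: List[Tuple[str, str, str]] = []
    for line in log_lines:
        m = ACK_RE.search(line)
        if not m:
            continue  # DHCPDISCOVER, DHCPREQUEST etc. carry no lease decision
        mac = normalize_mac(m.group("mac"))
        if mac in allowed or mac in seen:
            continue
        seen.add(mac)
        unknown.append((mac, m.group("ip"), m.group("host") or ""))
    return unknown

# Constructed sample data, not taken from any real network.
ALLOWED_TEXT = """
# corporate desktops
00:11:22:33:44:55
00:11:22:33:44:66   # print server
"""
SAMPLE_LOG = [
    "Sep 20 12:34:32 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
    "Sep 20 12:34:32 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 (desk-01) via eth0",
    "Sep 20 12:40:01 dhcp1 dhcpd: DHCPACK on 10.0.0.9 to 00:0c:29:aa:bb:cc (personal-laptop) via eth0",
    "Sep 20 12:40:05 dhcp1 dhcpd: DHCPACK on 10.0.0.9 to 00:0C:29:AA:BB:CC (personal-laptop) via eth0",
    "Sep 20 12:45:10 dhcp1 dhcpd: DHCPACK on 10.0.0.12 to 00:11:22:33:44:66 via eth0",
]

if __name__ == "__main__":
    for mac, ip, host in find_unknown_leases(SAMPLE_LOG, load_allowed(ALLOWED_TEXT)):
        print(f"ALERT: unknown MAC {mac} was leased {ip} ({host or 'no hostname'})")
```

In practice the script would read `/var/log/messages` (or wherever dhcpd logs) instead of `SAMPLE_LOG` and the allow-list from a file; note that, as Terry says, it cannot tell a spoofed allowed MAC from the real one.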

