Slashdot Mirror


What's On Your Network?

An anonymous reader writes "According to a Whitedust article you may currently have more on your network than you think you do. The article claims that not much security attention is generally given to one of the most elusive aspects of computer security; that of physical connectivity." From the article: "Broadcast traffic is on the rise, with more suspicious user activity in the logs every day. Then one morning you get a call from your irate boss wanting to know why he no longer has a network connection, yet the employees - or students or whoever - down the hall are able to play games and visit porn sites, at blazing speeds no less."

188 comments

  1. Company policy enforcement? by lecithin · · Score: 1

    Great article!!!

    I know many (perhaps most) large corporations have incorporated strong policies regarding what an employee can plug into a network. Does this help the problem with unwanted 'network use' or do the policies get ignored?

    --
    It could be worse, it could be Monday.
    1. Re:Company policy enforcement? by Donniedarkness · · Score: 1

      Where I used to work, we had a network of 2000+ computers. While we did check in on most of the students and faculty to see if they were violating the rules, we usually did not give them the harsh punishments that we were promising in our usage guidelines. Most often, we'd simply block whatever port they were using (if it was a game or something), or just take them off the network for a while.

      --
      Earn a % of cash back from Newegg, Tiger Direct, Walmart.com, and more: http://www.mrrebates.com?refid=458505
    2. Re:Company policy enforcement? by SpaceLifeForm · · Score: 2, Insightful
      If company policy mandates using Windows, well, you are going to have problems anyway.

      Plugging other machines that are non-Windows is not likely to create near as many problems. The exception to that would be wifi that is not properly secured (default settings).

      It's the untrusted employee that is trying to subvert your networks that you have to worry about more than anything.

      And company policy will not stop that anyway.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    3. Re:Company policy enforcement? by NutscrapeSucks · · Score: 1, Troll

      FUD. A Unix machine running NFS is an automatic security problem.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    4. Re:Company policy enforcement? by dotgain · · Score: 1
      That's why a lot of folks use Samba itself instead of NFS for filesharing between 'nixes. Of course, you do only get a completely different set of limitations.

    5. Re:Company policy enforcement? by einhverfr · · Score: 3, Informative

      FUD. A Unix machine running NFS is an automatic security problem.

      FUD. NFS has its uses. Just don't let untrusted (i.e. generally used desktops, etc) have direct access to it.

      The better solution is to use NFS as a fast setup for sharing disk space between a number of servers (say, for load balanced web servers running CPU-bound scripts) and read-only NFS for home directories with read-write AFS subdirectories (via symlinks?) used for anything important (things have to be done this way because AFS cannot be accessed during the login process due to credential issues).

      NFS is not an *automatic* security problem. It is just a *likely* security problem.

      --

      LedgerSMB: Open source Accounting/ERP
    6. Re:Company policy enforcement? by NutscrapeSucks · · Score: 1

      Yes, but we're talking about random laptops plugged into your network, not designed configurations.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    7. Re:Company policy enforcement? by einhverfr · · Score: 1

      I try to keep r/w NFS shares off the portions of the network that are used by people doing normal work.

      Read only NFS is a good way to get around the limitations inherent in AFS, however, which was my main point.

      r/w NFS is somewhat dangerous, especially if it is used in an environment where anyone can use any arbitrary computer system that they bring in from home. If you get someone's UID, you can alter your /etc/passwd and get access to their files.

      But if you use it primarily as a content serving mechanism (read-only) where authentication is unimportant (public web content, f. ex.), you don't have this problem. Anywhere else, you have to use AFS.

      Again, note that AFS *cannot* be accessed during the login process, which means you *cannot* store your entire home directory over AFS. Instead, you have to use a generic (read-only) NFS tree with symlinks to AFS shares. In this way, NFS is quite safe.

      --

      LedgerSMB: Open source Accounting/ERP
    8. Re:Company policy enforcement? by Cramer · · Score: 1

      ...you *cannot* store your entire home directory over AFS...

      This is 100% bullshit. I don't know how screwed up your network is, but it certainly is possible to place user homes inside AFS. Many an institution has done just this -- and for nearly 2 decades, even. (NCSU has been doing this since about 1986.)

      What needs to be accessed in a user's home directory prior to authentication? The only thing that comes to mind is ssh keys (~/.ssh/authorized_keys), and they only need to be readable by the host and/or sshd which can be easily handled. (and technically, they don't have to be in the user's home.)

    9. Re:Company policy enforcement? by NutscrapeSucks · · Score: 1

      I try to keep r/w NFS shares off the portions of the network that are used by people doing normal work.

      Good for you, but again the point is that you need some sort of MAC or port security to really do this.

      Otherwise it's the same argument as the Windows guy who patches routinely but gets attacked by the random consultant laptop.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    10. Re:Company policy enforcement? by jschottm · · Score: 1

      Plugging other machines that are non-Windows is not likely to create near as many problems.

      Plugging in anything without a competent admin can create problems. The hordes of owned Linux machines banging away on ssh is proof of that. The theory is that the company hires competent people to keep the work machines secure and bans all other machines because they have no way to guarantee that the desktop jockey who wants to run his/her own machine can and will do so. It also helps with software licensing issues and means that JeFF!!1! over in accounting doesn't get overly enthusiastic with security, put company documents on an encrypted OpenBSD system, and then get hit by a bus the next day, taking the password with him.

      It's the untrusted employee that is trying to subvert your networks that you have to worry about more than anything.

      And company policy will not stop that anyway.


      It can make it a whole lot easier to get rid of them if they try something, particularly in government jobs where dismissing someone can take an act of god. If there's no stated policy against putting your ethernet card in promiscuous mode and sniffing traffic, an employee has much more wiggle room if you call them on it.

    11. Re:Company policy enforcement? by einhverfr · · Score: 1

      This is 100% bullshit. I don't know how screwed up your network is, but it certainly is possible to place user homes inside AFS. Many an institution has done just this -- and for nearly 2 decades, even. (NCSU has been doing this since about 1986.)


      On further research, incorrect but certainly not 100% bullshit. Most of the information I had was outdated based on deployments made out of concerns of supportability.

      The problem occurs when AFS and MIT Kerberos are used on the same network. kinit can only talk to one because they use different string-to-key algorithms. Once you have the TGT, both work. But it is a bit of a problem if you rely on general kerberos tools.

      In short, it can be done, but you have to hack the tools to do it. (Doesn't work out of the box).

      Note these were mostly with established (Kerberos 4) systems. (AFS incorporates an incompatible dialect of Kerberos 4 for its authentication).

      Currently there are a number of ways to actually get it working now. But it is still not "out of the box" especially if you want to run Kerberos V.

      --

      LedgerSMB: Open source Accounting/ERP
  2. I'm more worried about my home network. by Anonymous Coward · · Score: 2, Insightful

    Lots of network noise from my Apple boxen. AFP, Rendezvous, Netbios etc. Oh and stupid Linksys router querying my ISP's domain name servers to find out where 198.162.1.104 is and dumb shite like that, strange bittorrent stuff from the internet that for some reason gets bounced around my entire network.

    Now can someone please tell me why tcpdump and tcpflow -c don't do the same thing. tcpflow seems to grab the entire data sans headers but misses most all of the lower level traffic (e.g ARP whohas etc), whilst tcpdump only grabs the headers no matter how big I make the snarfen -s thing or if I do -vv still only grabs the headers. It's like they both see different things.

    Thanks for any help

    1. Re:I'm more worried about my home network. by Anonymous Coward · · Score: 0

      Lots of network noise from my Apple boxen. AFP, Rendezvous, Netbios etc.

      Uh, if you're not using Windows sharing and AFP file sharing, why not turn them off? Just an idea. It's not really a "lot of network noise" if you're using it -- it's traffic doing something.

    2. Re:I'm more worried about my home network. by Anonymous Coward · · Score: 0

      I do use AFP between Macs, Windows sharing isn't on. I think the thing that keeps announcing itself as Netbios is something to do with Rendezvous or AFP. I recall reading you can't easily turn off Rendezvous/bonjour.

      The router was making a lot of extra noise with the stupid UPnP feature until I deactivated that.

    3. Re:I'm more worried about my home network. by Anonymous Coward · · Score: 0

      tcpflow purposely displays data ONLY and tries to format it so it's human-readable. It doesn't display the lower level stuff which is what tools like tcpdump, ethereal, etc are good for.

    4. Re:I'm more worried about my home network. by Guy+Harris · · Score: 1
      Lots of network noise from my Apple boxen. AFP, Rendezvous, Netbios etc.

      Presumably by "AFP" you mean "AppleTalk" - I wouldn't expect to see Apple File Protocol traffic unless some machine is accessing a file server. Perhaps the Macs are sending some sort of AppleTalk broadcast announcements.

      What sort of NetBIOS traffic are you seeing?

      Now can someone please tell me why tcpdump and tcpflow -c don't do the same thing. tcpflow seems to grab the entire data sans headers but misses most all of the lower level traffic (e.g ARP whohas etc), whilst tcpdump only grabs the headers no matter how big I make the snarfen -s thing or if I do -vv still only grabs the headers.

      What tcpdump "grabs", in the sense of getting from the OS's packet capture mechanism, is controlled by "-s", and that does work; "-v" doesn't affect what it captures.

      "-v" controls what it displays, and tcpdump displays a summary of the packet or, with "-v" or higher levels of verbosity, some amount of detail about some packets. You can get it to display raw packet data with "-x" or, with newer versions, "-X".

    5. Re:I'm more worried about my home network. by Guy+Harris · · Score: 1
      I do use AFP between Macs

      Then you will, of course, see AFP "noise" on your network, although I wouldn't call it "noise" if you're intentionally using it. You might get broadcast or multicast announcements of service from the machines acting as servers.

      I think the thing that keeps announcing itself as Netbios is something to do with Rendezvous or AFP.

      Unlikely - Rendezvous^H^H^H^H^H^H^H^H^HBonjour is, among other things, a mechanism for announcing services, so Bonjour-related stuff wouldn't need to use NetBIOS to announce itself. Similarly, AFP uses either AppleTalk or Bonjour mechanisms to announce itself.

      What are the details of the NetBIOS announcement packets?

    6. Re:I'm more worried about my home network. by macshome · · Score: 1

      Turn off SMB browsing in Directory Access and your Mac should stop trying to find WINS servers and such.

      Generally, turn off all the discovery protocols you don't need. On most Macs that means just leaving Bonjour or Rendezvous on these days and maybe AppleTalk for old printers. Typically you can turn off SLP, SMB/CIFS, and AppleTalk.

    7. Re:I'm more worried about my home network. by Anonymous Coward · · Score: 0

      Well I don't know it just says netbios-ns (name server?)

      255.136.120.nis > 255.212.138.253: nbp-reply 31: "othermac:AFPServer@*"(0) 249
      20:23:45.550967 255.212.138.253 > 0.0.nis: nbp-lkup 32: "=:AFPServer@*"
      20:23:45.551331 255.136.120.nis > 255.212.138.253: nbp-reply 32: "othermac:AFPServer@*"(0) 249
      20:23:45.554083 IP 192.168.1.100.55283 > 239.255.255.253.svrloc: UDP, length: 36
      20:23:45.554457 IP 192.168.1.100.55284 > 239.255.255.253.svrloc: UDP, length: 36
      20:23:45.554757 IP 192.168.1.100.55285 > 239.255.255.253.svrloc: UDP, length: 36
      20:23:45.555122 IP 192.168.1.100.55286 > 239.255.255.253.svrloc: UDP, length: 36
      20:23:45.768035 IP 192.168.1.100.55287 > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
      20:23:46.038713 IP 192.168.1.100.55287 > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
      20:23:46.217246 IP 192.168.1.100.55288 > ns3.myisp.com.domain: 46753+ PTR? 253.255.255.239.in-addr.arpa. (46)
      20:23:46.225959 IP ns3.myisp.com.domain > 192.168.1.100.55288: 46753 NXDomain 0/1/0 (103)
      20:23:46.230553 IP 192.168.1.100.55289 > ns3.myisp.com.domain: 35693+ PTR? 255.1.168.192.in-addr.arpa. (44)
      20:23:46.238283 IP ns3.myisp.com.domain > 192.168.1.100.55289: 35693 NXDomain 0/1/0 (121)

      Also concerning is that Safari seemed to be 'announcing' a couple of RSS bookmarks across the network in 10.4.1. I haven't got a dump of that right now unfortunately and haven't tested that since I upgraded to 10.4.2 but it would periodically blurt out a couple of RSS bookmarks if you were listening on the network from a different machine.

      Thanks for all the help guys, I can't respond to all the replies because slashdot won't let me post too many in a short time frame. But I have read them all cheers ACs, Guy and macshome etc.

    8. Re:I'm more worried about my home network. by TCM · · Score: 1

      strange bittorrent stuff from the internet that for some reason gets bounced around my entire network.

      Umm, WHAT? Can you elaborate? This sounds like NAT without a filter. I often see packets from 192.168.0.2 trying to enter my border router(!). NAT is no security measure!

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    9. Re:I'm more worried about my home network. by Anonymous Coward · · Score: 0

      Try tethereal, or ngrep, or even snort. All make decent command line sniffers for different needs.

    10. Re:I'm more worried about my home network. by Guy+Harris · · Score: 1
      Well I don't know it just says netbios-ns (name server?)

      Or "name service" - see RFC 1001 and RFC 1002 (NetBIOS Name Service for NetBIOS-over-TCP, a/k/a "NBT", which, the name notwithstanding, uses UDP for some functions).

      20:23:45.768035 IP 192.168.1.100.55287 > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

      That's a NetBIOS Name Service query; I'd only expect to see that if you're doing SMB mounts from an SMB server (Windows, Samba, etc.) or perhaps if you're running Samba - but you said Windows file sharing is turned off, so, if that refers to OS X Macs, they're not running Samba.

      You might want to use Ethereal or Tethereal to look at those packets - you'll get a bit more detail, including the name of the host it's looking for, which might give more information to help figure out what's sending those requests.

      (Perhaps it's time to improve the tcpdump code a bit and show, when decoding the NetBIOS Name Service traffic, what the name being looked up is. A lot of the code could be taken from tcpdump's DNS decoder.)
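Added example (not part of this thread, and not code from tcpdump or any poster): a short Python script that does two things the discussion above circles around. First it classifies the trace lines from the earlier post (copied verbatim, including the truncated first line) into AppleTalk NBP, SLP multicast, NetBIOS Name Service broadcasts, and reverse-DNS lookups of private or multicast addresses that the Linksys box is sending to the ISP's resolver. Second it builds a constructed NBNS query (a made-up name `WORKGROUP` with suffix 0x1D, a made-up transaction id) and decodes the RFC 1001 first-level name encoding, which is the "name being looked up" detail that `tcpdump -vv` prints. The label names and thresholds are this example's own choices.

```python
import ipaddress
import re
import struct

# Trace lines copied from the tcpdump output posted earlier in this thread. The
# first line is truncated in the original post, so the parser tolerates a
# missing timestamp and works on substrings rather than a fixed column layout.
TRACE = """\
255.136.120.nis > 255.212.138.253: nbp-reply 31: "othermac:AFPServer@*"(0) 249
20:23:45.550967 255.212.138.253 > 0.0.nis: nbp-lkup 32: "=:AFPServer@*"
20:23:45.551331 255.136.120.nis > 255.212.138.253: nbp-reply 32: "othermac:AFPServer@*"(0) 249
20:23:45.554083 IP 192.168.1.100.55283 > 239.255.255.253.svrloc: UDP, length: 36
20:23:45.554457 IP 192.168.1.100.55284 > 239.255.255.253.svrloc: UDP, length: 36
20:23:45.554757 IP 192.168.1.100.55285 > 239.255.255.253.svrloc: UDP, length: 36
20:23:45.555122 IP 192.168.1.100.55286 > 239.255.255.253.svrloc: UDP, length: 36
20:23:45.768035 IP 192.168.1.100.55287 > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:23:46.038713 IP 192.168.1.100.55287 > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
20:23:46.217246 IP 192.168.1.100.55288 > ns3.myisp.com.domain: 46753+ PTR? 253.255.255.239.in-addr.arpa. (46)
20:23:46.225959 IP ns3.myisp.com.domain > 192.168.1.100.55288: 46753 NXDomain 0/1/0 (103)
20:23:46.230553 IP 192.168.1.100.55289 > ns3.myisp.com.domain: 35693+ PTR? 255.1.168.192.in-addr.arpa. (44)
20:23:46.238283 IP ns3.myisp.com.domain > 192.168.1.100.55289: 35693 NXDomain 0/1/0 (121)
"""

PTR_RE = re.compile(r"PTR\? (\d+\.\d+\.\d+\.\d+)\.in-addr\.arpa")


def classify(line):
    """Label one tcpdump summary line by the discovery protocol it belongs to."""
    if "netbios-ns" in line:
        return "nbns-broadcast"   # NetBIOS Name Service, UDP 137 (RFC 1001/1002)
    if ".svrloc:" in line:
        return "slp-multicast"    # Service Location Protocol to 239.255.255.253
    if " nbp-" in line:
        return "appletalk-nbp"    # AppleTalk Name Binding Protocol lookups/replies
    m = PTR_RE.search(line)
    if m:
        # in-addr.arpa names carry the octets reversed; undo that and ask
        # whether the address should ever have left the LAN in a DNS query.
        addr = ipaddress.ip_address(".".join(reversed(m.group(1).split("."))))
        if addr.is_private or addr.is_multicast:
            return "ptr-leak"     # reverse lookup of a local address sent to the ISP
        return "ptr"
    return "other"


def summarize(trace):
    """Count lines per label so the noisy protocols stand out at a glance."""
    counts = {}
    for line in trace.splitlines():
        if line.strip():
            label = classify(line)
            counts[label] = counts.get(label, 0) + 1
    return counts


def encode_nb_name(name, suffix):
    """RFC 1001 first-level encoding: the 15-character space-padded name plus
    one suffix byte, each byte split into two nibbles and each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))


def decode_nb_name(encoded):
    """Inverse of encode_nb_name: 32 encoded characters -> (name, suffix)."""
    raw = bytes((((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41))
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_nbns_query(name, suffix, txid=0x1234):
    """Constructed NBNS NAME QUERY REQUEST (RFC 1002 4.2.12); txid is made up."""
    # Header: txid, flags (opcode QUERY, RD and B set = 0x0110), QD=1, AN=NS=AR=0
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = (b"\x20" + encode_nb_name(name, suffix) + b"\x00"
                + struct.pack("!HH", 0x0020, 0x0001))   # QTYPE NB, QCLASS IN
    return header + question


def parse_nbns_query(pkt):
    """Pull out the fields a defender wants from a captured UDP/137 payload."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("not a standard 32-character first-level encoded name")
    name, suffix = decode_nb_name(pkt[13:45])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {"txid": txid, "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix, "qtype": qtype}


if __name__ == "__main__":
    for label, n in sorted(summarize(TRACE).items()):
        print(f"{label:15} {n}")
    print(parse_nbns_query(build_nbns_query("WORKGROUP", 0x1D)))
```

The suffix byte is what tells you whether the Mac is looking for a workstation (0x00), a master browser (0x1D) or a domain controller (0x1C), so decoding it answers macshome's "SMB browsing" suspicion directly; the two `ptr-leak` hits are the separate problem of a home router doing reverse lookups of LAN and multicast addresses against the ISP's resolver.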

    11. Re:I'm more worried about my home network. by Guy+Harris · · Score: 1
      Perhaps it's time to improve the tcpdump code a bit and show, when decoding the NetBIOS Name Service traffic, what the name being looked up is.

      It already does, but you need to run with "-vv".

    12. Re:I'm more worried about my home network. by Guy+Harris · · Score: 1
      Turn off SMB browsing in Directory Access and your Mac should stop trying to find WINS servers and such.

      OK, that might be where the NBNS broadcasts are coming from.

    13. Re:I'm more worried about my home network. by Anonymous Coward · · Score: 0

      Yeah thanks all, I was an idiot, I thought I had turned off SMB in Directory Access ages ago, but in fact I hadn't. Now that I have, the NBNS stuff is gone.

      Many thanks

  3. Maybe this is just me... by PhilipPeake · · Score: 4, Insightful

    but isn't this the sort of stuff that ANY network admin worth their salt should be completely aware of? If they need to be told this stuff they are not (IMHO) worth employing as other than apprentice network engineers. Or is this level of admin common in Windows environments?

    1. Re:Maybe this is just me... by cavtroop · · Score: 5, Insightful

      Also, try to remember that most companies' IT departments are still short-staffed, and pro-active monitoring like network scanning, etc. gets put way on the back burner. I agree with you, and am just playing devil's advocate here :)

    2. Re:Maybe this is just me... by Homology · · Score: 4, Informative
      but isn't this the sort of stuff that ANY network admin worth their salt should be completely aware of? If they need to be told this stuff they are not (IMHO) worth employing as other than apprentice network engineers. Or is this level of admin common in Windows environments?

      Sure, where the employer can pay for it you'll have very good administrators, be it Windows or not. On most smaller sites, the administrator is not a full-time administrator, and is doing administration ad-hoc to his real job. This usually means that he does not have much training in this, nor much time for it either. Now, with all these (useful) Plug-and-Play devices you are bound to have some problems.

    3. Re:Maybe this is just me... by Anonymous Coward · · Score: 0

      just a FWIW.....

      I've interviewed for 2 'Network Administrator' positions in the last month. Both were, at best, nothing but glorified help desk positions. Inflated titles were commonplace with attitudes amounting to "planning? We don't need no steeenkeen planning" and a 'tech consultant' whose most technical comment was OSX was based on BSD (and not only couldn't identify *which* one, appeared to be unaware there was more than one). One 'Director' I spoke with came across as barely being a manager with repeated "I have to check with my boss about that" comments.

      So, to answer your questions:
      Yes, I would think this is what a competent Network Engineer should be doing. But, given what passes for competence in the business world, I'm amazed society as a whole hasn't collapsed.

      And, don't get me started on HR....

    4. Re:Maybe this is just me... by Canberra+Bob · · Score: 2, Interesting

      Not so simple - a place I worked for (a large telco) tried shutting down all non-approved systems. You know what happened? A large number of departments came to a screeching halt as so many depended on non-approved in-house servers etc and everything was quickly re-activated. Security doesn't come at the expense of line of business activities - it's the LOB that produces the income. Any IT manager that decided that the company could lose millions upon millions in revenue because he wanted to secure the network would have his head kicked in. Having draconian approval processes for custom in-house systems didn't exactly move managers to try to get their systems approved either. Generally there is an ideal scenario, and the practical one, and the two are not the same.

    5. Re:Maybe this is just me... by Anonymous Coward · · Score: 0

      Well, Philip, when you become a big boy, and work in what we like to call "the real world", you'll find that things aren't as simple as you always believed them to be. No one, no matter how good, can keep track of everything on even a medium-sized network. Only activate ports as they're needed to prevent unauthorized access? Yeah, 'cause nobody's noticed the $10 hubs and switches for sale at Wal-Mart. Routine scanning to identify unauthorized systems on the network? Uh-huh, because everyone has the resources to put into that. (Especially with segmented networks, firewalled DMZs, WANs with too little bandwidth for the extra traffic of an in-depth scan, etc...)

      Dipshit comments like this are the reason working in IT is so painful these days. If it's not idiot managers with impossible demands, it's know-it-all "technical people" who think professional administration is as easy as maintaining their home network.

    6. Re:Maybe this is just me... by Anonymous Coward · · Score: 0

      To pull some numbers from my ass, a company probably needs about 3000 employees and 5 different sites before hiring a dedicated network engineer.

      Before then, the Cisco work is done by outside contractors (install and leave) or ad-hoc by Unix and Windows sysadmins who can configure the IP stuff but don't do any sort of monitoring, etc.

    7. Re:Maybe this is just me... by Ambush+Commander · · Score: 1

      This article probably isn't talking about home wireless networks but I know for my network "it just works" and we leave it at that. Main problem is when we enable encryption, service lasts about 1 minute and then disconnects. We've never been able to troubleshoot this problem, and thus we're stuck passing all of our data over an unencrypted connection.

      Interestingly, our neighbor doesn't encrypt their network either, so if our Internet goes out, we can always piggyback off the neighbors connection. But that's even worse security. And one of these days we're going to pay for it.

      On another note, Windows networks are notoriously difficult to secure. I've worked with the Skidmore computer lab, and not too long ago that had a problem with a virus bringing down the entire grid (they ended up restricting CTY students from their labs) but the way the "secure" their networks is basically wipe everything when the computers are turned off. There are, of course, several problems.

      • It doesn't work for all computers.
      • Some computers are not shut off at all.
      • You're giving the equivalent of "administrative access" while the computer stays on, so serious damage can be achieved during the time when the computer stays on.
      • You can also log onto the computer itself (with administrative access too) and that's not wiped.
      • There are no automatic logout policies to deter inappropriate use of terminals.
    8. Re:Maybe this is just me... by einhverfr · · Score: 3, Insightful

      Well... Here is my attitude towards the whole thing... Sudden enforcement is generally a problem for reasons you mention.

      However, when you are planning or deploying your network, it makes sense to add filters to nearly all routers (a standard filter set) which allows you to monitor for certain types of common misconfigurations and problems. This can be largely automated so you don't have to dedicate a large amount of manpower to reading and parsing through logs. Ideally such a router management infrastructure would require very little overhead to manage.

      When something turns up, you need to investigate it. Find out what is going on. If it is an in-house server some department is running, find out what it is doing, discuss what needs to be done about it, and find out what you can do to add the required functionality to your server infrastructure (one possibility is to grant the department some level of approval in operating the server if it is important to the business).

      Security exists in a balance with LOB requirements. Heavily pushing one or the other side is a recipe for business failure.

      --

      LedgerSMB: Open source Accounting/ERP
    9. Re:Maybe this is just me... by Barkmullz · · Score: 1


      "...is this level of admin common in Windows environments?"

      No.

      You get what you pay for.

      --
      Ronald said nothing. He flung himself from the room, flung himself upon his horse, and rode madly off in all directions.
    10. Re:Maybe this is just me... by Anonymous Coward · · Score: 1, Insightful

      Did they then proceed to the next step? Identifying all the essential non-approved servers, checking them out and approving them?

    11. Re:Maybe this is just me... by Master+of+Transhuman · · Score: 1

      "...is this level of admin common in Windows environments?"

      "No. You get what you pay for."

      Which I guess actually means yes, right? Since all the Windows trolls constantly complain that no one can afford Linux admins since they "cost so much" which is supposedly why Linux TCO is higher than Windows - if you're dumb enough to believe ANYTHING Microsoft says.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    12. Re:Maybe this is just me... by ComputerizedYoga · · Score: 2

      doubtful.

      That would require IT security people being cooperative instead of adversarial...

    13. Re:Maybe this is just me... by Anonymous Coward · · Score: 0

      You hit the nail on the head. The security depts seem to pride themselves on being a PITA and either do a blanket denial on applications or take months if not years to approve anything, then wonder why so many people set things up behind their backs.

  4. static dhcp ? by maharg · · Score: 3, Interesting

    the best solution I have seen is where you have to register your equipment's MAC address, then you get a "static" (i.e. always the same) ip address served to you via dhcp. No registered MAC address == no ip address. Presumably they had something looking for unregistered MAC addresses too. Pretty good, but doesn't stop you going in with a static address in the right range tho...

    --

    $ strings FTP.EXE | grep Copyright
    @(#) Copyright (c) 1983 The Regents of the University of California.
    1. Re:static dhcp ? by Anonymous Coward · · Score: 1, Insightful

      Actually the best solution is that you have switches with MAC based access control. If you plug something that is not registered into a switch, you get no access and alarms go off.

    2. Re:static dhcp ? by Jeet81 · · Score: 1

      I totally agree.
      That is one of the best ways. Since you're able to clone MACs easily nowadays I would go ahead with WEP at least on top of that.

    3. Re:static dhcp ? by CdBee · · Score: 1

      Could it eventually be the case that it's more secure to have wifi than ethernet due to the inbuilt security features in wifi?

      Registration of MAC addresses sounds pretty secure but couldn't one plug a switch in between 2 authorised devices and packet-sniff until a MAC address was found? (forgive me if this is stupid, I'm a security noob)

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    4. Re:static dhcp ? by steelfood · · Score: 1

      Don't forget that MAC addresses can be faked.

      MAC address checking would largely prevent outsiders from hooking their computer into your network. But it won't prevent existing users from plugging in, say, a NAT.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    5. Re:static dhcp ? by attemptedgoalie · · Score: 1

      Good point.

      Could you then watch for inbound traffic whose destination inside your network is a different subnet such as one in a NAT?

      --
      My mom says I'm cool.
    6. Re:static dhcp ? by steelfood · · Score: 1

      Knowing how NATs work, this is unlikely. NATs, or routers as people like to call them, work by masquerading as a normal computer to the external network. They basically assume the IP of the DHCP-registered computer and use ports to forward the right packets to the right device in the internal network. The catch is that the internal device must initiate the connection, since NATs wouldn't know which device to forward packets with random or closed ports to.

      One way of monitoring for NATs might be to use packet analysis, and look for some of the more common subnets that are defined for internal use (192.168.x.x being the most common). Certain badly-configured applications will send out the internal IP for the other machine to reply to. But that requires going through every packet, and is generally not feasible.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    7. Re:static dhcp ? by cortana · · Score: 2, Informative
    8. Re:static dhcp ? by Randseed · · Score: 2, Informative
      Not really. WiFi is always going to be inherently less secure than the equivalent implementation on a physical, wired line because of the nature of radio communications. Anyone within range can intercept it.

      As for WiFi's security, it's flawed, and slows down attackers rather than stopping them. WEP can be broken relatively easily, and hiding your SSID doesn't save you either contrary to what some people might think.

      The real way to handle WiFi security is to open a VPN with strong encryption to your router, and route everything through that VPN. If you're concerned about unauthorized people syncing to the network, MAC address filter *and* require some kind of cryptographic key exchange with the router prior to opening the communication. The same can apply for wired Ethernet; run a VPN between physically unsecured bits of cable and you bypass that problem.

      Yes, security is a pain in the ass.

    9. Re:static dhcp ? by Pig+Hogger · · Score: 1
      the best solution I have seen is where you have to register your equipment's MAC address, then you get a "static" (i.e. always the same) ip address served to you via dhcp. No registered MAC address == no ip address.
      Better: give unregistered MACS IPs that are on a limited subnet (if not simply not routed at all). This way, when you plug-in, you can check that the network link is up, but the machine cannot do any harm nor access sensitive (firewalled) stuff.

      Plus, any unauthorized (or misconfigured) machine on the network will stick-out like a sore thumb as a DHCP lease...
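Added configuration sketch (not from this thread, and not any poster's setup) in ISC dhcpd syntax, combining maharg's registered-MAC scheme with Pig Hogger's quarantine range: a declared host always gets its fixed address, the production pool refuses anyone not declared, and unknown MACs get a short lease in a separate range whose gateway is a filtered host. The MAC address, host name, subnets and addresses are made up.

```conf
# Registered machine: keyed on its MAC address, it is handed the same address
# every time (maharg's "static via DHCP"). MAC and address are made up.
host alice-laptop {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.10.110;
}

shared-network office-wire {
  # Production range: only hosts declared above may draw from this pool.
  subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.2;
    pool {
      deny unknown-clients;
      range 192.168.10.100 192.168.10.199;
    }
  }

  # Quarantine range for anything with an unregistered MAC: the link comes up
  # and the lease is logged, but 10.99.0.1 is assumed to be a filtered gateway
  # that reaches nothing sensitive (Pig Hogger's "limited subnet").
  subnet 10.99.0.0 netmask 255.255.255.0 {
    option routers 10.99.0.1;
    default-lease-time 600;
    max-lease-time 600;
    pool {
      allow unknown-clients;
      deny known-clients;
      range 10.99.0.100 10.99.0.250;
    }
  }
}
```

Every DHCPACK in the 10.99.0.0/24 range in the server's syslog is then an unregistered machine, which is the "sore thumb" the post above is after; the scheme still does nothing about a machine that configures a static address in the production range, as maharg notes.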

    10. Re:static dhcp ? by Anonymous Coward · · Score: 0

      "the best solution I have seen is where you have to register your equipment's MAC address, then you get a "static" (i.e. always the same) ip address served to you via dhcp. No registered MAC address == no ip address."

      With all due respect, this is a great solution if you have a small network with something like 150 or so PCs or devices. But for the rest of us that manage tens of thousands of workstations and printers on VLAN'ed networks spanning multiple states/countries, such a solution is just about impossible.

      Especially considering that, at least at my company, replacement of PCs and peripherals is outsourced to a vendor who hires low-talent folk for minimum wage, who think a MAC address is something only Apples use. New devices require updating the DHCP table. This would end up being someone's full-time job. And considering our CIO is hiring Gartner every other week to interview all my staff to see who we can outsource this week, I don't see this happening. We are implementing Cisco IPS, which should help a lot in this, but to advocate using static IPs or registered DHCP is just madness.

    11. Re:static dhcp ? by EngMedic · · Score: 1

      Nice idea, and it slows people down. Give me 5 minutes, Ethereal, and iwconfig, and I can find a valid MAC, spoof it, and be happily requesting my own IP -- so it is far from perfect.

      --
      filter: +3. Hey, look! all the trolls went away!
    12. Re:static dhcp ? by Anonymous Coward · · Score: 0

      Unless, of course, they were talking about non-IP traffic. I know the article didn't go there, but if I've got physical connectivity IP-based filters and limits don't do much -- heck, you could even encapsulate IP in EtherTalk or IPX without bothering to design your own protocol.

    13. Re:static dhcp ? by EngMedic · · Score: 1

      Nice idea, and it slows people down. Give me 5 minutes, Ethereal, and ifconfig, and I can find a valid MAC, spoof it, and be happily requesting my own IP -- so it is far from perfect. My university's wireless has no restrictions, but maps client IPs to a heavily restricted subnet (you can pull down the "welcome to our wireless network" information page, and that is /it/). If you want out of that subnet, you have to use a VPN client to get a "real", fully functional IP. There are ways around that, too, but they're somewhat nontrivial. (This may have been a double-submit, sorry.)

      --
      filter: +3. Hey, look! all the trolls went away!
    14. Re:static dhcp ? by kd5ujz · · Score: 1

      Simple. Register your NIC with the NOC; after they authorize this MAC, clone that MAC to some cheap router (Linksys/Netgear) and then have your equipment behind the router. Hide it under the desk, and they will be none the wiser. You may need to get a new NIC (so as to avoid a conflict with the router).

      --
      -William
      God is everything science has yet to explain.
    15. Re:static dhcp ? by hackwrench · · Score: 1

      Yeah the Nord Center http://www.nordcenter.org/ didn't have that so I plugged my equipment in and got yelled at for hacking. Later on they turned the incident into "hacking into government computers". The head of that place told me that his network person knew more than I did. That place is one big twilight zone that has no clue what it is doing, and hurts people more than helps. In fact Lorain, OH is just one big crooked cesspool.

    16. Re:static dhcp ? by Anonymous Coward · · Score: 0

      > Could it eventually be the case that it's more secure to have wifi than ethernet due to the inbuilt security features in wifi?

      > (forgive me if this is stupid, I'm a security noob)

      you're forgiven.

      on a less blunt note, wireless is inherently less secure than wired. full stop. end of story.

    17. Re:static dhcp ? by TCM · · Score: 1

      Actually, switches with 802.1x port based access control would be even better. MAC addresses can be faked.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    18. Re:static dhcp ? by Anonymous Coward · · Score: 0

      Have confidence in your choice.

    19. Re:static dhcp ? by GlassUser · · Score: 1

      Yeah the Nord Center http://www.nordcenter.org/

      Wow, their web site is a piece of junk too. Local government/municipality? Someone needs to beat them with a cluestick.

    20. Re:static dhcp ? by cbr2702 · · Score: 1
      You may need to get a new NIC (so as to avoid a conflict with the router).

      Why not just give the NIC a new MAC? The router's not using its old one anymore.

      --


      This post written under Gentoo-linux with an SCO IP license.
    21. Re:static dhcp ? by jrockway · · Score: 1

      What would stop a router (say a Linux box) from authenticating with 802.1x and then serving that connection to a bunch of other machines, including sniffing all the traffic and sending it, via a secure tunnel, to competitor.com?

      Try again :)

      Actually, 802.1x is a pretty good idea. We use it at school to control access to the wireless network. That way when some wireless dude starts spreading viruses we can suspend all of his accounts and force him to clean his f-ing machine. (It's drastic in my mind, but apparently "ODYSSEY"*, the server program, ties in at the lowest level of LDAP and suspending the LDAP account suspends the e-mail/shell accounts too. AD then auths to LDAP, so it kills AD too. Fixing all that would involve work from a state employee, which is the only type of person that does less work than Peter Gibbons.)

      * Never ever buy this product. It uses an "open standard" that only they support. Open, riiiiight. They also promised that if we bought the server that they would give us a mac and palm os client. Several years later...they don't exist. Windows only. AND, The windows client is a HORRIBLE HORRIBLE HORRIBLE non-working piece of fucking shit. It's literally 90% of the walk-in support requests we have. And it often takes an hour just to configure the thing properly. (The Cisco APs that we use are pretty flaky, too.)

      Fortunately Apple stepped up and includes support for Odyssey's shitty protocol (TTLS) in Panther and Tiger. But that doesn't negate the fact that the Odyssey people blatantly lied to us.

      --
      My other car is first.
    22. Re:static dhcp ? by Master of Transhuman · · Score: 1

      "But that doesn't negate the fact that the Odyssey people blatantly lied to us."

      And of course, as Marcus Ranum's article "Stupid About Software" rants, the school immediately sued them for breach of contract?

      Right.

      Just like City College of San Francisco required Innovative Interfaces Inc. to supply the library with an integrated library system (cost: $100K) that would retrieve student data from the SCT Banner system to determine who was registered before providing library services. The library head supposedly put it in the contract - I explicitly asked about that since I knew the company, being a typical software company, would renege if the college didn't.

      Sure enough, they reneged. Now our overworked DBA is writing code to suck data out of Banner and pass it to the library, and the library people are pissed off. And the two people who put the library barcode data in Banner to begin with - me and my boss - are cut out of the loop.

      Ranum is right. It's completely irrelevant that some company "stands behind" software as opposed to OSS, because no company will sue a software company to recover costs incurred when the software turns out to be shit. All a software company has to do is delay until the client is committed to implementing the software. Then the costs of backing away from the project are more than the likelihood of winning a lawsuit. Works every time and every software company knows the drill.

      Where I come from this is called "fraud". Apparently everywhere else it's called "business."

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    23. Re:static dhcp ? by Fulcrum of Evil · · Score: 1

      Nice idea, and it slows people down. Give me 5 minutes, Ethereal, and ifconfig, and I can find a valid MAC, spoof it, and be happily requesting my own IP -- so it is far from perfect

      Combine it with reactive measures like turning off the switch port attached to abusive hosts and it's pretty damn good.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    24. Re:static dhcp ? by HornWumpus · · Score: 1
      Wireless is inherently less secure than wired, when you secure your physical location. Working Ethernet ports in conference rooms are at least as big a security threat as wireless.

      That's why I took a hint from the BOFH and wired condenser microphones across the CAT5 (behind the access plates) in all my employer's conference rooms. It is to prevent unauthorized network access, yeah, that's it. And they wonder why I'm spending so much time in the wiring closet when they have executive meetings (you'd be surprised how boring those are).

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    25. Re:static dhcp ? by mcowger · · Score: 2, Informative

      Sure it does, if you design the system around the VLAN capability of your switches. I worked once at a small university that had done just that, where their network registration system would move your MAC address around in VLANs upon registration.

      Only way around it was to spoof your MAC with a known good one that you knew was offline, because as soon as it came online, you would be booted off due to the conflict.

    26. Re:static dhcp ? by kd5ujz · · Score: 1

      Yeah, I guess with the cheaper NICs you could. I have seen some more expensive 3Com NICs that would not let you (well, you could jumper a few solder pads), and some that you could change the MAC with DIP switches.

      --
      -William
      God is everything science has yet to explain.
    27. Re:static dhcp ? by TrueKonrads · · Score: 1

      I'm sure everybody knows this, but why don't you use 802.11x authentication configured per port? As long as some physical security is enforced (no one unplugs the 802.11x-incapable printer and puts in his laptop) it should be fine. Although, I can already imagine failure scenarios, such as putting a bridge between the device and the RJ jack. But then again, if you treat your own LAN as a Korean DMZ or Soviet Moscow run by the KGB, your paranoia level will be worth mentioning in medical journals.

      --
      Lone Gunmen crew.
    28. Re:static dhcp ? by Anonymous Coward · · Score: 0

      Just do what we did, and put all the conference room ethernet drops on a dedicated network that has access to the Internet and nothing else. We have a simple allow out, deny in rule in place, and it works fine. You'd be amazed at all the shit that is running on various laptops that get plugged in. Everything from pr0n to some very interesting agobot variants.

  5. Interesting points but possibly too specific by Sv-Manowar · · Score: 3, Insightful

    This article raises the issue of internal network security, which is something that's been increasing in profile as a security risk over the past few years as Ethernet/WiFi enabled devices get smaller, cheaper and easier to hide. However, this article's specific Cisco approach to dealing with things by tracking them back through routers and Cisco-specific tools seems to be of less use than more general scanning and identification measures.

    It's safe to say a good proportion of administrators already on networks with devices migrating on and off at will already have a consideration for these problems, and the specific approach detailed in the article may not be of best use to those less experienced admins starting to tackle this issue on their networks.

  6. DHCP fun by flinxmeister · · Score: 5, Funny

    if you don't run DHCP, a fun project is to throw a DHCP server out there and see who gets configured.

    It's amazing all the little devices that show up. Switches, old print servers, workstations tucked away in a corner somewhere that time forgot....now that many of these networks are starting to push 10 years, it's like archeology.

    Every now and then you find something that you just can't physically find. Lotsa fun.
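
The "throw a DHCP server out there and see who gets configured" exercise works because every client that asks for an address tells you who it is: its hardware address, usually a hostname, and often a vendor class and a parameter request list that give away the platform. The parser below is an added example, not code from the article or from flinxmeister; it decodes the BOOTP header and RFC 2132 options of client packets, applies a few coarse fingerprint heuristics (the vendor-class strings and option lists are assumptions, not a fingerprint database), and flags anything whose MAC is not in a registry. The three packets at the bottom are constructed test input, not captured traffic.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(raw):
    """RFC 2132 option field -> {code: bytes}. PAD skipped, END stops, repeats concatenated (RFC 3396)."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 2 > len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, %d present" % (code, length, len(value)))
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_dhcp(packet):
    """Parse one UDP payload: 236-byte BOOTP fixed header, magic cookie, then options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (too short or no magic cookie)")
    op, htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    # chaddr is 16 bytes at offset 28; a bogus hlen would read past it into sname, so bound it.
    if not 0 < hlen <= 16:
        raise ValueError("bad hlen %d" % hlen)
    mac = ":".join("%02x" % b for b in packet[28:28 + hlen])
    opts = parse_options(packet[240:])
    mtype = MSG_TYPES.get(opts[53][0], "UNKNOWN") if opts.get(53) else "UNKNOWN"
    return {"op": op, "htype": htype, "xid": xid, "mac": mac, "type": mtype,
            "hostname": opts.get(12, b"").decode("ascii", "replace"),
            "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
            "param_list": list(opts.get(55, b""))}


def guess_platform(info):
    """Coarse fingerprint from vendor class and parameter request list (heuristics, not a database)."""
    vc, prl = info["vendor_class"], info["param_list"]
    if vc.startswith("MSFT"):
        return "Windows"
    if vc.startswith("udhcp"):
        return "BusyBox/embedded Linux"
    if vc.startswith("dhcpcd") or 119 in prl:
        return "Unix-like"
    if prl[:3] == [1, 3, 6] and not info["hostname"]:
        return "appliance (no hostname)"
    return "unknown"


def inventory(packets, registered_macs):
    """Parse every client (BOOTREQUEST) packet; mark MACs missing from the registry."""
    seen = {}
    for pkt in packets:
        info = parse_dhcp(pkt)
        if info["op"] != 1:          # server->client packets describe nothing new
            continue
        info["platform"] = guess_platform(info)
        info["registered"] = info["mac"] in registered_macs
        seen[info["mac"]] = info
    return seen


def build_discover(mac, hostname=b"", vendor_class=b"", param_list=(), xid=0x3903F326):
    """Constructed DHCPDISCOVER for exercising the parser; not captured traffic."""
    hdr = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, xid, 0, 0x8000)
    hdr += b"\x00" * 16                     # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")           # chaddr
    hdr += b"\x00" * 64 + b"\x00" * 128     # sname, file
    opts = bytes([53, 1, 1])
    if hostname:
        opts += bytes([12, len(hostname)]) + hostname
    if vendor_class:
        opts += bytes([60, len(vendor_class)]) + vendor_class
    if param_list:
        opts += bytes([55, len(param_list)]) + bytes(param_list)
    return hdr + MAGIC_COOKIE + opts + b"\xff"


# Constructed sample: a registered Windows workstation, an unregistered BusyBox box of the
# print-server/switch variety, and a headless appliance that sends no name at all.
REGISTERED = {"00:11:22:33:44:55"}
SAMPLE_PACKETS = [
    build_discover(b"\x00\x11\x22\x33\x44\x55", b"ws-finance-01", b"MSFT 5.0", (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43)),
    build_discover(b"\x00\xaa\xbb\xcc\xdd\xee", b"", b"udhcp 1.1.3", (1, 3, 6, 12, 15, 28, 42)),
    build_discover(b"\x00\x01\x02\x03\x04\x05", b"", b"", (1, 3, 6)),
]

if __name__ == "__main__":
    for mac, info in sorted(inventory(SAMPLE_PACKETS, REGISTERED).items()):
        flag = "" if info["registered"] else "  <-- not in registry"
        print("%s %-14s %-24s %s%s" % (mac, info["hostname"] or "-", info["platform"], info["type"], flag))
```

Feed it the payloads of UDP port 67 traffic (a capture filter of `udp port 67` in Ethereal or tcpdump) and the unregistered column is the archaeology list. The option parser refuses truncated packets rather than guessing, since DHCP is one of the few protocols where every device on the wire will happily send you bytes unsolicited.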

    1. Re:DHCP fun by bersl2 · · Score: 5, Funny

      Every now and then you find something that you just can't physically find. Lotsa fun.

      Obligatory bash.org quote:

      <erno> hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.

    2. Re:DHCP fun by Shadow_139 · · Score: 3, Interesting

      This happened in Trinity College a few years ago; there were a few old AS400 servers the admins had forgotten about till one crashed and killed 3 of the main backend databases which were running on them.

      After 2 months of looking for the servers, following a jungle of Cat5, coax and AUX leads, it turned out that there was some building work done about 6 years before in an old section of the college that's not been used anymore, and the servers were hidden in a room that had been blocked off behind a new wall that had been put in...?!!??!

    3. Re:DHCP fun by Anonymous Coward · · Score: 3, Informative

      After 2 months of looking for the servers, following a jungle of Cat5, coax and AUX leads, it turned out that there was some building work done about 6 years before in an old section of the college that's not been used anymore, and the servers were hidden in a room that had been blocked off behind a new wall that had been put in...?!!??!

      Strangely enough, the exact same thing happened at UNC-CH, except it was a Netware 3.12 server. And it happened at MIT, except it was an RS/6000, and at CWRU it was a SCO Unix box, and at Stanford it was a VAX cluster, blah, blah, blah...

      can you say "Urban Legend?"

    4. Re:DHCP fun by autocracy · · Score: 3, Insightful
      Or... "not unsurprising?"

      Age-old machines that just run and are scattered around without sense can certainly fall to that. What about Sun and losing a major chip fab machine? Turned out some recently departed developer's desktop ran something that was critical to operations, but was formatted after he left. I'm off on the details as to what purpose it fulfilled, but its disappearance was noted at the executive (CIO) level because of its disturbance to the company's operations. Whoopsie?

      --
      SIG: HUP
    5. Re:DHCP fun by rbarreira · · Score: 2, Interesting

      can you say "Urban Legend?"

      Yes (there are better references on this but I couldn't locate them...)

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    6. Re:DHCP fun by Anonymous Coward · · Score: 0

      "Urban Legend" If only this were true !!!

    7. Re:DHCP fun by TheGavster · · Score: 1

      See, if they were running Windows 98 they would never have lost the servers - they'd've had to walk over to reboot them every 47 days. That they would have gone insane trying to keep the database up is just the kind of side effect you hear at 100wpm at the end of a Pfizer commercial ;)

      --
      "Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
    8. Re:DHCP fun by WhiteWolf666 · · Score: 1
      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    9. Re:DHCP fun by CanadianBoy · · Score: 1

      Don't laugh!

      At work we have a phone number that connects to a modem. It's in the building, we just don't know where (though we've come to suspect it's sealed between the second and third floors) or what it's for. Our boss wants to stop paying for it, but doesn't want to disconnect it until we know what it is.

    10. Re:DHCP fun by einhverfr · · Score: 1

      I remember reading of a Novell server that accidentally got walled in during a remodel.

      --

      LedgerSMB: Open source Accounting/ERP
    11. Re:DHCP fun by suitepotato · · Score: 2, Informative

      At one insurance company I worked for, it was no urban legend. Some remodelling was done and the access to a basement room where some test servers were set up was blocked by renovation materials and the renovation completed but the excess materials left stacked. Several years later of employees walking past the stacked supplies every day, a network check got some people curious and after nowhere else could be found with anything unaccounted for, a building map showed a room where most had forgotten there was a door...

      --
      If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
    12. Re:DHCP fun by fbartho · · Score: 1
      --
      Gravity Sucks
    13. Re:DHCP fun by JasonBee · · Score: 1

      Maybe it was lost like this:

      http://hornyferret.com/component/option,com_movies/Itemid,4/task,watch/id,88/

      That's why I stick to chairs ;)

    14. Re:DHCP fun by bersl2 · · Score: 1

      That site's ferret mascot looks almost exactly like the BSA ferret. Whoa.

  7. Perhaps a subnet just for non-assigned? by attemptedgoalie · · Score: 1

    Each box that is supposed to be on the network has its MAC set to a fixed address.

    Then a special range is set up that isn't able to access crap that is assigned to all new devices that aren't in the dhcpd.conf.

    Any problems with that?

    --
    My mom says I'm cool.
    1. Re:Perhaps a subnet just for non-assigned? by Dachannien · · Score: 2, Insightful

      Better yet, make the unregistered machine subnet able to access important security-related sites, like Windows Update and the corporate intranet site with antivirus and antispyware software downloads.

      (This is actually done relatively frequently, so I'm definitely not saying anything original here.)

    2. Re:Perhaps a subnet just for non-assigned? by attemptedgoalie · · Score: 1

      I like that.

      Redirect ALL web requests to a page that says you're an unregistered unit, contact IT, etc...

      --
      My mom says I'm cool.
    3. Re:Perhaps a subnet just for non-assigned? by AlistairGroves · · Score: 2, Informative

      We do this on our home (5 guys at uni) network - whenever someone comes along and plugs something in they can access HTTP through our proxy but that's it. It's not hard to get around, though, but for our use it does the job.
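
attemptedgoalie's layout (registered MACs get fixed addresses, everything else lands in a range that "isn't able to access crap"), with Dachannien's refinement of letting that range reach the update servers, is the same scheme Pig Hogger described further up the thread, and it maps almost directly onto ISC dhcpd. The configuration below is an added example, not from the article or any poster; the addresses, host names and the portal resolver are assumed, and the firewall that actually enforces the quarantine lives on the router, not in this file.

```conf
# Registered equipment: one host block per MAC. A client with a host declaration
# is "known" to dhcpd, and fixed-address means it always gets the same IP.
host ws-finance-01 {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 10.1.1.21;
}
host printer-2f {
  hardware ethernet 00:aa:bb:cc:dd:ee;
  fixed-address 10.1.1.40;
}

# Both subnets sit on the same wire, so they are grouped in one shared-network;
# dhcpd chooses by the client's known/unknown status, not by where it plugged in.
shared-network office-floor-2 {

  # Production subnet. No range here on purpose: a registered host gets its
  # fixed address, and nothing else is ever handed out on 10.1.1.0/24.
  subnet 10.1.1.0 netmask 255.255.255.0 {
    option routers 10.1.1.1;
    option domain-name-servers 10.1.1.53;
    default-lease-time 86400;
    max-lease-time 172800;
  }

  # Quarantine subnet: anything without a host block lands here. Short leases so a
  # device moves over quickly once registered; the resolver answers every name with
  # the "you are an unregistered unit, contact IT" page.
  subnet 10.1.250.0 netmask 255.255.255.0 {
    option routers 10.1.250.1;
    option domain-name-servers 10.1.250.53;
    pool {
      allow unknown-clients;
      deny known-clients;
      range 10.1.250.100 10.1.250.199;
      default-lease-time 300;
      max-lease-time 300;
    }
  }
}
```

The router carries 10.1.250.1 as a secondary address and filters 10.1.250.0/24 down to the portal, DNS, and (following Dachannien) the patch and antivirus download hosts; that filter is the security boundary. The lease file is the "sore thumb" detector Pig Hogger mentions, since every unknown client shows up in it with its MAC and requested hostname. Two things this file does nothing about: a client that ignores DHCP and configures itself a 10.1.1.x address by hand, which only switch-side controls (the VLAN registration mcowger describes, or 802.1X) catch, and a client that spoofs a registered MAC as EngMedic points out, which this scheme cannot distinguish from the real one.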

  8. I find it hard to believe by techno-vampire · · Score: 2, Insightful

    Are there really companies out there that still don't have a policy about not hooking up private equipment to the LAN without permission? Are there even any that let you run your own server on their LAN without asking? I find that hard to believe. Even if bandwidth isn't an issue, the company owns the equipment and has a right to say how it gets used, and what traffic is permitted. Anybody adding private equipment or running an unauthorized server has to know they're violating company policy, and can expect to be fired when it's discovered. The best way to keep it from happening a second time is to make sure everybody knows just why the fsckwit got canned.

    --
    Good, inexpensive web hosting
    1. Re:I find it hard to believe by Anonymous Coward · · Score: 0

      freak man, you must be one of those people that will kick someone out of their house and never speak to them if they don't use a coaster too eh?

      it's pretty easy to run a secure network when you don't fucking allow people to actually *use* the network isn't it?

      how about earning your money and facilitating instead of hiding in your little fort hatching new schemes to reduce your responsibilities?

      it's like a hospital administrator who figures out he can cut costs by not taking any patients, don't forget why you're there and who you're really working for lol

    2. Re:I find it hard to believe by pete6677 · · Score: 1

      The problem with tough security policies is when politics comes into play. No company will fire their top sales guy or their best programmer for a network security violation, unless it caused catastrophic damage. When someone is discovered to be running an unauthorized server or access point, especially if they didn't necessarily know it was running, the most that can really happen is for IT to remove it and warn the person not to do it again. A well-protected network should include monitoring for this sort of thing so unauthorized devices can be quickly detected and removed before the damage is done.

    3. Re:I find it hard to believe by QuestorTapes · · Score: 2, Interesting

      > Are there really companies out there that still don't have a policy about not hooking up private
      > equipment to the LAN without permission?

      Yep; lots of them.

      > Are there even any that let you run your own server on their LAN without aking?

      Yep ;>

      > I find that hard to believe. Even if bandwidth isn't an issue, the company owns the equiptment
      > and has a right to say how it gets used, and what traffic is premitted.

      True. But where most people look at you funny if you walk into their house without knocking, there are many who look at you funny if you knock, and ask, "What the hell are you waiting for? Come in already."

      A lot of firms are the same.

      > Anybody adding private equipment or running an unauthorized server has to know they're violating
      > company policy, and can expect to be fired when it's discovered.

      Except when the company has no policy, or has lots of policies no one pays attention to, because everyone breaks them. Often because if you follow them, you can never get your work done.

      > The best way to keep it from happening a second time is to make sure everybody knows just why the fsckwit got canned.

      Unless, of course the fsckwit is the CEO, President, VP of this, Director of that. ;>

      Seriously; I don't hook up equipment without permission, even if it isn't 'policy', But it's a -lot- more common than you seem to think.

      Contracting at various firms, I see it all the time.

    4. Re:I find it hard to believe by techno-vampire · · Score: 1
      it's pretty easy to run a secure network when you don't fucking allow people to actually *use* the network isn't it?

      I don't know; I've never tried. There are a lot of ways to use a network without putting up an unauthorized server, or bringing your private laptop in and hooking it up. If you really need to do either of those, ask for permission. If there's a good reason, you should be able to get it, provided you take proper precautions. But nobody should be allowed to hook things up without telling anybody about it. That's just common sense.

      --
      Good, inexpensive web hosting
    5. Re:I find it hard to believe by techno-vampire · · Score: 1
      When someone is discovered to be running an unauthorized server or access point, especially if they didn't necessarily know it was running, the most that can really happen is for IT to remove it and warn the person not to do it again.

      Now that's a good point. My post was made assuming that whoever had the unauthorized stuff on the LAN knew about it. Yes, if it's a matter of carelessness or a piece of misconfigured software, that shouldn't be a firing offense, and I doubt it would be. But knowingly setting something like that up, especially if there's a policy forbidding it, should have you out the door so fast your head spins.

      --
      Good, inexpensive web hosting
    6. Re:I find it hard to believe by WhiteWolf666 · · Score: 1

      You also see this in growing companies.

      At what point do you need a sane LAN policy?

      Yes, I know its a good idea from the beginning, but it doesn't always work like that.

      Many small through mid-sized businesses *still* only use a couple of outdated Win95 machines for secretaries, and rely upon paperwork for everything else!

      I was shocked when a couple of friends and I started wandering around the *largest* industrial park in the Midwest (located outside Chicago), offering our services fixing systems (this is *way* before Geek Squad and things like that. Like 6 years ago). Roughly 1/3 of the companies we walked into did *not* use computers at all, even for secretaries. Another 1/3 had a DSL connection (or even dial-up) and 1-4 computers, store bought, plugged in, and run.

      Now, I'd expect that large companies should fix this sort of problem. But I know someone at a large manufacturing company (international scope, 60-70 people *per* office, hundreds of millions in sales) and when this individual needed an FTP server the IT staff installed some FTP software on her Windows 2000 desktop and told this individual to tell contacts to log in at such and such an IP address.

      At this company? Plug-in random computers to network? Check. Bring laptops in and out of network? Check.

      Recently (3-4 months ago) the IT staff issued an e-mail understanding that spyware and viruses were becoming a problem in the computing world, and that they were investigating purchasing some sort of antivirus and spyware software to solve these problems.

      Not even every *large* company is at the top of their game, IT-wise, and these aren't failing Korean megaliths; these are successful, highly profitable corporations.

      I would find it hard to believe that a majority of small companies *did* have their IT policies locked down.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    7. Re:I find it hard to believe by WhiteWolf666 · · Score: 1

      That's the problem.

      Many IT admins will say you cannot use Firefox on their Network, or a non-Windows 2000 box (even XP, or Mac, or Linux), because they aren't secure.

      When you have IT admins living in the dark ages, breaking the rules sometimes can be the difference between getting the job done and failing miserably.

      Also, when the people violating the rules out-rank the people running the IT department breaking the rules mainly just gets you nasty looks rather than canned.

      If it's nasty looks versus getting the job done (or making your life *significantly* easier), then I choose nasty looks.

      I worked at a market research firm, and one of the jobs they did was take responses entered on an old Unix system, collated into a CSV file, and enter them into an old FileMaker database.

      This was done by printing out the CSV files, and typing the responses, one by one, into FileMaker. Very, very time consuming.

      I did it by using some simple scripts to parse it and dump it into a format that we could import into FileMaker. Days of work translated into minutes.

      Did my supervisor like this? (I was grunt level, college job). No; she thought it was black magic. Did her boss like it? Yeah, we finally got it done on time.

      Did the supervisor have enough clout to make me stop? Nope; the manual entry had been one of her jobs, and she was more than happy to not have to do it anymore. But till the last day I worked there she never believed that the 'scripts' could possibly be doing the right thing, and was suspicious of any method that was not manual entry.

      Just saying there are two sides to every position, mind you. It's usually not a good policy to violate company IT policy, especially in companies that have a competent IT staff.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    8. Re:I find it hard to believe by einhverfr · · Score: 1

      At the last large company I worked at, I was allowed to bring in my personal laptop and plug it into the network. They were also pretty permissive about running IIS, Apache, you name it, on our workstations. However, it was pretty funny to watch everyone get Code Red.....

      --

      LedgerSMB: Open source Accounting/ERP
    9. Re:I find it hard to believe by techno-vampire · · Score: 1
      They were also pretty permissive about running IIS, Apache, you name it, on our workstations. However, it was pretty funny to watch everyone get Code Red.....

      Why do I get the impression there's a cause/effect relationship here?

      --
      Good, inexpensive web hosting
    10. Re:I find it hard to believe by einhverfr · · Score: 1

      Now that's a good point. My post was made assuming that whoever had the unauthorized stuff on the LAN knew about it. Yes, if it's a matter of carelessness or a piece of misconfigured software, that shouldn't be a firing offense, and I doubt it would be. But knowingly setting something like that up, especially if there's a policy forbidding it, should have you out the door so fast your head spins.

      I am not 100% sure that this will always be a winning strategy. I have generally taken the position that one should treat everyone equally. This means that you treat the lowest grunt as if his job was indispensable.

      This means that on a violation, you terminate his access until it is cleared and document it with the appropriate departments (presumably HR). You do this all the time. That way if something eventually has to happen, you have good backing.

      Besides, it means a "least force, most headache" approach. They are unlikely to fire *me* because I enforced the policy using as little force as possible, yet it makes it significantly harder on those who are repeat violators. And if it is that important, they can always push to change the policy....

      Besides, it is generally not my decision to fire someone over that. I can leave that to HR/management.

      --

      LedgerSMB: Open source Accounting/ERP
    11. Re:I find it hard to believe by Fulcrum of Evil · · Score: 1

      Not even every *large* company is at the top of their game, IT-wise, and these aren't failing Korean megaliths; these are succesful, highly profitable corporations.

      What this says to me is that a well executed IT plan, while useful, is not critical to line of business apps in most companies. That is, until some worm trashes the network. Translation: a minimally competent IT staff doing enough to fend off disaster is all these companies often need. Anything more is likely viewed as a waste and is primarily for the IT staff's benefit.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    12. Re:I find it hard to believe by jonwil · · Score: 1

      It's not "You can't use Firefox", it's more likely "You can't use anything we haven't approved" because of the risks that might entail.

    13. Re:I find it hard to believe by eztiger · · Score: 1

      We get this a lot... and specifically with Firefox.

      After the mainstream press pounced on Firefox a while back and extolled its virtues we had lots of calls and emails from people asking for / demanding Firefox on their machines.

      Now we're (relatively) in the new ages wrt browsers, and we put the Mozilla suite on every machine as standard for people to use for browsing and as their primary email client. But it's heavily reconfigured to lock certain preferences and store profiles / other data in certain places on the network that won't mess with people's quota.

      So we explain to people that we already use a 'derivative' of Firefox in Mozilla (not entirely accurate but close enough without babbling) and that installing Firefox would lose their email client... so we'd have to do Thunderbird too. Which means maintaining two apps instead of one, not to mention the memory footprint / integration between Firefox and Thunderbird is larger / not quite as good as the Mozilla suite. Oh... and we have it all set up and using the default Firefox configs will break things for their user account and anyone else who uses the PC after them.

      I think that's pretty reasonable? But we still get people who argue with us or insist we're wrong (OK, we don't know everything, but we're the IT department, for god's sake; it's our job to tell *you* what's best to use or at least enter a reasoned dialogue about it... and I think we're doing OK with pushing Mozilla) and then install it themselves (don't ask... another pet quibble). Then come running to us when their user profile breaks / goes over quota / lose bookmarks / settings etc. Then the next person to use the machine gets the Firefox stuff copied into their profile which puts them over quota etc etc etc.

      Bit of a tangent rant, but I agree with you totally. We don't deny / ask people to inform us about programs they want to install because we're miserable bastards who want to make their work hard... it's because there's so much more happening than there is on their home PC / network that oft times what they would do at home won't play here.

      It's tough in this day and age of 'everyone is a sys admin' to get people to see this, and it is one of the main frustrations of my job.

      Kev

    14. Re:I find it hard to believe by jonwil · · Score: 1

      There is a big difference between "You cant use Firefox, use Mozilla instead" and "You cant use Firefox, use Intercrap Exploder instead" :)

    15. Re:I find it hard to believe by Anonymous Coward · · Score: 0

      How is Chicago midwest? It's east of the fucking Mississippi. Chicago is practically sitting in the Atlantic, and you call it "midwest". wtf?

    16. Re:I find it hard to believe by MintyGreen · · Score: 2, Informative

      I've always taken "midwest" to roughly mean "middle of the western world;" it is roughly the center of the (north)western hemisphere.

      Merriam Webster suggests that it can be applied to "Ohio & sometimes Kentucky" toward the east. That would certainly include Illinois.

      Incidentally, it looks like Chicago is about 700 miles from the nearest Atlantic coastline, and not quite 150 miles east of the Mississippi. Reeeaaal East Coast, yo.

  9. Tight Network by tburt11 · · Score: 4, Informative
    I maintain a relatively small network of about 50 workstations and about two dozen other devices.

    I distribute IPs through DHCP, and I maintain an ACL via iptables on my Linux router. DHCP distributes IPs based on MAC address, and I do allow unknown MACs to get an IP.

    The trick is, that any IP that I did not setup in DHCP, is blocked via the ACL to all Internet Access.

    Invariably, I get some VP/EXEC/VIP, call me and ask why his visiting sales rep cannot access his email. I walk into the office and the fellow has jacked into my network.

    My reply is Sorry.. You can use our WLAN for internet access. No jacking into the network.

    The WLAN is connected outside the firewall, so whatever they do there is of no concern to me.

    Yes, there are flaws in this method, but so far, it has brought every unauthorized network connection to my attention...

    1. Re:Tight Network by Krunch · · Score: 1
      Yes, there are flaws in this method, but so far, it has brought every unauthorized network connection to my attention...
      How can you be so sure about that ?
      --
      No GNU has been Hurd during the making of this comment.
    2. Re:Tight Network by einhverfr · · Score: 1

      Right. Not like I can set the MAC address on a WIFI router or anything...

      In this case, just like in others, you are relying largely on security through obscurity to provide for your network needs.

      I think that everyone should attempt to conduct an annual security audit of their network, including checking out wireless signals, portscans of all machines on the network, etc. and a detailed review of security plans to make sure that it is still optimal.

      --

      LedgerSMB: Open source Accounting/ERP
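The known-MAC reservation plus router ACL scheme tburt11 describes, worked through as an added example (not code from the post or from tburt11): it reads ISC dhcpd.conf host reservations and dhcpd.leases, lists the active dynamic leases (by construction, devices nobody registered) and emits the iptables rules that let only reserved IP/MAC pairs out to the Internet. The config text, lease records, MAC addresses and the eth0/eth1 interface names are all constructed for the example.

```python
"""Known-MAC DHCP reservations plus a router ACL, as the post above describes.

Reads ISC dhcpd.conf 'host' reservations and dhcpd.leases, then
  - reports every active dynamic lease: by construction a device nobody registered
  - emits the iptables rules that let only reserved IP/MAC pairs through the router
The config and lease text below are constructed for this example.
"""
import re

DHCPD_CONF = """\
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.199;
  option routers 10.0.0.1;
}
host fileserver {
  hardware ethernet 00:50:56:AA:BB:01;
  fixed-address 10.0.0.10;
}
host vp-desktop {
  hardware ethernet 00:50:56:aa:bb:02;
  fixed-address 10.0.0.20;
}
"""

DHCPD_LEASES = """\
lease 10.0.0.101 {
  starts 3 2006/01/18 09:00:00;
  ends 3 2006/01/18 21:00:00;
  binding state active;
  hardware ethernet 00:0c:29:de:ad:01;
  client-hostname "sales-laptop";
}
lease 10.0.0.102 {
  binding state active;
  hardware ethernet 00:0c:29:de:ad:02;
}
lease 10.0.0.102 {
  binding state free;
  hardware ethernet 00:0c:29:de:ad:02;
}
lease 10.0.0.103 {
  binding state active;
  hardware ethernet 00:0c:29:de:ad:03;
  client-hostname "linksys";
}
"""

HOST_RE = re.compile(r"host\s+(\S+)\s*\{([^}]*)\}")
LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{([^}]*)\}")
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]+);", re.I)


def parse_reservations(conf):
    """{fixed ip: (mac, host name)} for every host block in dhcpd.conf."""
    res = {}
    for name, body in HOST_RE.findall(conf):
        mac = MAC_RE.search(body)
        ip = re.search(r"fixed-address\s+(\d+\.\d+\.\d+\.\d+);", body)
        if mac and ip:
            res[ip.group(1)] = (mac.group(1).lower(), name)
    return res


def parse_active_leases(leases):
    """{ip: (mac, client hostname)} for leases whose newest record is active.

    dhcpd appends a new record on every change, so the last block for an IP wins.
    """
    active = {}
    for ip, body in LEASE_RE.findall(leases):
        state = re.search(r"binding state\s+(\w+);", body)
        mac = MAC_RE.search(body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        if state and state.group(1) == "active" and mac:
            active[ip] = (mac.group(1).lower(), host.group(1) if host else "")
        else:
            active.pop(ip, None)  # released, expired or abandoned
    return active


def unregistered_devices(conf, leases):
    """Dynamic leases not tied to a reserved MAC: the list of jacks to go and look at."""
    reserved_macs = {mac for mac, _ in parse_reservations(conf).values()}
    return {ip: v for ip, v in parse_active_leases(leases).items()
            if v[0] not in reserved_macs}


def acl_rules(reservations, lan="eth1", wan="eth0"):
    """iptables commands: forward reserved IP+MAC pairs to the WAN, drop the rest.

    Interface names are assumed. Matching the MAC as well as the IP stops a guest
    from simply typing a reserved address by hand; a cloned MAC still walks through.
    """
    rules = ["iptables -N LAN_ACL",
             f"iptables -A FORWARD -i {lan} -o {wan} -j LAN_ACL"]
    for ip, (mac, name) in sorted(reservations.items(),
                                  key=lambda kv: tuple(map(int, kv[0].split(".")))):
        rules.append(f"iptables -A LAN_ACL -s {ip} -m mac --mac-source {mac} -j ACCEPT  # {name}")
    rules.append("iptables -A LAN_ACL -j DROP")
    return rules


if __name__ == "__main__":
    for ip, (mac, host) in sorted(unregistered_devices(DHCPD_CONF, DHCPD_LEASES).items()):
        print(f"unregistered: {ip:<15} {mac} {host or '(no hostname)'}")
    print("\n".join(acl_rules(parse_reservations(DHCPD_CONF))))
```

Matching the MAC as well as the source IP in the ACL closes the obvious hole of a visitor typing a reserved address by hand; as the replies point out, a cloned MAC plus a cloned IP still walks straight through, so this catches the casual case and not a deliberate one. Pointed at the real files it is a one-line cron job, and unregistered_devices() is the list of jacks to go and look at.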
  10. Wouldn't Static IP's limit the problem? by realcoolguy425 · · Score: 1

    If static IP's were used wouldn't it make 99% of the problem go away? the remaining 1% being the guy who dutifully copies his IP on his workstation so he can plug something else into the network using his workstation IP. Like Xboxes or internet enabled coffee makers.

    1. Re:Wouldn't Static IP's limit the problem? by Not_Wiggins · · Score: 2, Informative

      If static IP's were used wouldn't it make 99% of the problem go away

      Short answer: no.

      Just having static IP addresses isn't enough. Actually, even the pseudo-static DHCP (via MAC address) is "good enough" but also vulnerable to exploit by manually setting the MAC address of the alien network interface to one that is allowed to get an IP (there's more complexity to doing that, but suffice it to say it can be done).

      To answer your question: if your network relies solely on the IP address on some guys workstation to identify it as "his," then you've opened yourself up to more problems than him hooking up his xbox or internet enabled coffee maker.
      What do you do when he brings his virus-laden laptop into the office BEHIND your firewalls and plugs it in?

      These problems won't be solved either until you have hardware authenticated connectivity (no reassignable MAC possible in the hardware) or everything is locked down via a different auth mechanism... like utilizing a VPN.

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
  11. Slashdot hits a new low in grammar by Anonymous Coward · · Score: 0

    "Whats" on my network? I may have a What or two on my network, yes ...

  12. heh by Renraku · · Score: 2, Interesting

    I think I've heard it called 'treasure hunting' before. Especially at places with huge IT departments in the building that just can't seem to find some things that are taking a few IPs. Usually it ends up being a laptop in someone's bag hitting the internet, or a WAP in an abandoned office is serving warez to someone in the building next door.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  13. A Simple Security Precaution by Ed+Almos · · Score: 4, Informative

    Unplug unused network points.

    Three months ago we had a security audit carried out by an external company. The first thing they did was find a couple of unused offices and plug their laptops into the network points. I'm glad to say that there was no result.

    If you want to take this further then use managed switches and assign each port in use to a specific MAC address. That way if a 'visitor' pulls the plug on one of your computers and plugs their machine in there will still be a nil result.

    Ed Almos
    Budapest, Hungary

    --
    The more corrupt the state, the more numerous the laws. - Tacitus, 56-120 A.D.
    1. Re:A Simple Security Precaution by Anonymous Coward · · Score: 0

      MAC address spoofing...

    2. Re:A Simple Security Precaution by Anonymous Coward · · Score: 0

      How the hell does this offer any security? Just look at the MAC address of the computer that is connected (any number of ways to do it) and then just change your NIC to use the same MAC.

    3. Re:A Simple Security Precaution by Anonymous Coward · · Score: 0

      Just look at the MAC address of the computer that is connected (any number of ways to do it) and then just change your NIC to use the same MAC.

      If the intruder has that much physical access, wouldn't it be easier in most cases for them to just use the computer instead of spoofing it?

    4. Re:A Simple Security Precaution by Anonymous Coward · · Score: 0

      If the intruder has that much physical access, wouldn't it be easier in most cases for them to just use the computer instead of spoofing it?

      Many computers have these things called "passwords" that prevent unauthorized activity.

      Maybe you should look into this new security technology.

    5. Re:A Simple Security Precaution by Anonymous Coward · · Score: 0

      "Three months ago we had a security audit carried out by an external company. The first thing they did was find a couple of unused offices and plug their laptops into the network points. I'm glad to say that there was no result."

      So replace someone's network connection with a hub, their network connection, and an evil device. How does unplugging network sockets help, apart from making it inconvenient every time someone needs to test a network-connected device?

  14. ridiculous article, company LAN = filtered by Gothmolly · · Score: 0, Redundant

    Um, duh, what company network doesn't have egress filtering (bye bye IM, Quake, SSH) and content filtering (bye bye porn, TheOnion, etc)?
    Answer: the same dumbasses who have 'mysterious' network problems. If you don't really control your network, well, then... you don't really control your network.

    Mod the article: -1, Fucking Obvious

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:ridiculous article, company LAN = filtered by Creepy+Crawler · · Score: 1

      I've never found a filter that I couldn't subvert.

      To take care of TCP blocking, just make a home webserver, and encapsulate everything in bla bla bla. This simple tactic gets past dumb content filters that look for webpages only. Better if you encrypt "bla bla bla" in some non-CPU-intensive computation.. perhaps XOR with a shared key.

      To get around UDP blocking, well.... if the company doesn't have a domain server set up, usually 53 is allowed in/out. Just change ports appropriately to that one. If they DO have a domain server, try to take its IP and MAC and spoof it so you can take advantage of the (most likely) 53/udp hole allowed by that machine.

      The last trick I use is to throw fragged packets at it. Most devices don't know what to do if you throw heavily fragged or large packets at them. Simpleton routers (like Cisco schmuck) have no clue when you run 2 sets of FRAGROUTER through IP tunnels and then hit the outside of your computers. There was even one such device (not Cisco, mind you) that would literally start smoking if you sent "weird packets" at it. I noted this problem on alt.binaries.hacking when I got one of those devices for "testing".

      --
    2. Re:ridiculous article, company LAN = filtered by dotgain · · Score: 1
      I used to filter IM and games etc, basically anything that wasn't already accepted as bona-fide traffic. Put all that in when I took over admin of a network about 18 months ago.

      It pretty much immediately upset some old dude with, of course, sick relatives overseas, and he managed to get management to bully me into opening ports for him.

      The whole process took about a week, that's how long I didn't back down for. In spite of opening, and going to great lengths to find out how to sometimes, dropped packets from his machine still spewed into the logs, local smurfs, all sorts of shit. God knows what ran on his machine.

    3. Re:ridiculous article, company LAN = filtered by Anonymous Coward · · Score: 1, Insightful

      "Um, duh, what company network doesn't have egress filtering (bye bye IM, Quake, SSH) and content filtering (bye bye porn, TheOnion, etc) ?"

      One with happy employees who enjoy themselves and won't jump ship at the first hint of a 1% payrise?

  15. firewall auth by eneville · · Score: 0

    tail -f /var/lib/dhcp/dhcpd.leases

    There are nice things that can be done such as auth tables on the firewall to make sure the clients run something like sshauth before they can access the intarweb [openbsd firewall that is, i don't know any alternatives].

  16. a quality of service (QOS) device can fix this by SnefruDahshur · · Score: 1

    Check out Packeteer or some other QOS company. Those devices can show you what is going over your network and block or limit the unwanted traffic while protecting the business oriented applications. You can also find out who is playing games and surfing all day.

    1. Re:a quality of service (QOS) device can fix this by einhverfr · · Score: 1

      I can imagine all sorts of fun one could have with QOS on a network.

      For example, limit bandwidth for Quake to 500bps or less. Just enough that they can seem to start but can't effectively play the game. Combined with something like IPTables, one could even do something like drop packets for Quake above a certain size, making gameplay both impossible and annoying.

      Of course I don't see how this helps people be productive at work. Just plain old IPTables can do all this, log details, and provide good monitoring capabilities. You can even install other IP traffic monitoring programs if you need realtime stats.

      --

      LedgerSMB: Open source Accounting/ERP
  17. I had to start locking my house doors by Anonymous Coward · · Score: 4, Funny

    Apparently, kids drive around with laptops looking for open network closets. These fuckers plugged in a cat5e into my switch and started leeching bandwidth for all their friends. I've recommended that my neighbors start locking their doors and change keys often just in case. Also, if you notice any unexplained cat5 going out doors into the back yard, you should investigate.

    1. Re:I had to start locking my house doors by ettlz · · Score: 2, Funny
      These fuckers plugged in a cat5e into my switch and started leeching bandwidth for all their friends.

      Well how did these "fuckers" get in in the first place?

      Through the CAT-5e flap?

    2. Re:I had to start locking my house doors by lxs · · Score: 1

      investigate? just hook up one of these to the unauthorised cable (with a FF RJ45 adapter of course) and your network problems are solved.

  18. Wireless is worser! by Anonymous Coward · · Score: 1, Interesting

    If I have a completely wired network, the article describes exactly how to find the culprit. In a college context, I can find the bad guys without leaving my office. I can tell exactly where the offending connection is being made. With the security video, I can even watch the act as it occurs.

    Given wireless access, on the other hand, your problems are much greater. Even if I know which wireless access point is being accessed, I can't tell which laptop is doing what. It could be someone in a washroom somewhere. Naturally, I'm not delighted with the idea of providing wireless access to the students.

    1. Re:Wireless is worser! by Anonymous Coward · · Score: 0

      Naturally, I'm not delighted with the idea of providing wireless access to the students.

      My school has a very decent solution to this problem.

      Kerberos auth -> MAC address check -> IP issued

      You have to register your wireless NIC's MAC address and that makes it tied to your "computing account" (which is protected by Kerberos). If you're accused of doing something naughty on the network, the network admin can say, "Here's where you logged in with your Kerberos ID to get your IP address, here's where our machine checked to see if the MAC address of the wireless device you were using was registered to you."

    2. Re:Wireless is worser! by Anonymous Coward · · Score: 0

      I can't tell which laptop is doing what. It could be someone in a washroom somewhere.

      Surfing porn on a laptop from the washroom? That's like, hey you got your chocolate in my peanut butter...hey you got your peanut butter in my chocolate!

  19. Thank you, Dr. Obvious by gkuz · · Score: 0, Redundant
    Welcome to Slashdot. News for Nerds, Network Security for simpletons.

    People who don't know these things should not be running networks.

    1. Re:Thank you, Dr. Obvious by (H)elix1 · · Score: 1

      People who don't know these things should not be running networks.

      Beyond setting up for a lan party, that was all the networking savvy I wanted as a developer. Problem is they went off and right-sized the IT folks who would handle that sort of thing. I just got done setting up a Solaris box - and other than running patchadd and googling through the network config - I have no clue what else is running with a 'normal' Solaris 8 install. Not even sure how to check what ports are listening. All that has very little to do with the code I will write and run on the box. Admining a box to run WebLogic was the last thing I wanted to do.

      That said, the article seemed like a bit of a fluff piece. When things settle down, I've got to sort out what is actually running on the box. Hoped this might give some n00b pointers, but not so much.

    2. Re:Thank you, Dr. Obvious by Anonymous Coward · · Score: 0, Flamebait

      I'm here to point out that you are a cunt.

      That said, have a nice day.

    3. Re:Thank you, Dr. Obvious by mcflaherty · · Score: 1

      That said, the article seemed like a bit of a fluff piece.

      And a bit of an advertisement for Cisco, it seemed.

      --
      -- I am become sig, destroyer of posts.
  20. Do some mapping before it is too late by pe1chl · · Score: 2, Interesting

    For many years, I have been running some simple scripts on a machine on the network that regularly reads out switch MAC tables using snmp. I also read router ARP tables this way.
    The result can be read from a webserver. IP address, MAC address, switchport and hostname are all conveniently grouped on a line.
    Knowing which switchport it is on, looking in the patch cabinet, I know on which wallsocket a suspicious device is, and a chart on the wall shows me in which room it is.

    Of course the routers have access lists so invalid network addresses aren't routed, and the DHCP server checks if a hostname conforms to the company convention before assigning an address.
    Plugging in your home laptop yields you an alarm, not an address.

    1. Re:Do some mapping before it is too late by Asgard · · Score: 1

      How do you validate the hostname?

    2. Re:Do some mapping before it is too late by pe1chl · · Score: 1

      By including an "allow member of ..." in the pool definition, and setting up some classes using "match if substring(option host-name,...)=...".
      (unfortunately the match syntax does not allow regular expressions, but it does have 'and' and 'or' so we just add up a lot of checks)

      This is done using ISC DHCPD.
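An added example (not pe1chl's own scripts) of the join that post describes: switch MAC tables and a router ARP table, walked over SNMP, combined with reverse DNS into one line per device, plus an alarm for any MAC not on the registered list. The walks below are constructed for the example in the numeric-OID form `snmpwalk -On` prints; the OIDs are the standard BRIDGE-MIB, IF-MIB and IP-MIB objects, while the port names, MACs, the DNS stand-in and the known-MAC list are made up.

```python
"""Build the IP / MAC / switch port / hostname inventory the post describes.

The walks below are constructed for this example in the numeric-OID form
`snmpwalk -On` prints; in production they come from snmpwalk or pysnmp against
the real switch and router. Standard MIB objects used:
  dot1dTpFdbPort          .1.3.6.1.2.1.17.4.3.1.2.<6 MAC octets> = bridge port
  dot1dBasePortIfIndex    .1.3.6.1.2.1.17.1.4.1.2.<bridge port>  = ifIndex
  ifName                  .1.3.6.1.2.1.31.1.1.1.1.<ifIndex>      = port name
  ipNetToMediaPhysAddress .1.3.6.1.2.1.4.22.1.2.<ifIndex>.<ip>   = MAC
"""
import re

FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2."
BASEPORT_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2."
IFNAME = ".1.3.6.1.2.1.31.1.1.1.1."
ARP_PHYS = ".1.3.6.1.2.1.4.22.1.2."

SWITCH_WALK = """\
.1.3.6.1.2.1.17.1.4.1.2.1 = INTEGER: 10001
.1.3.6.1.2.1.17.1.4.1.2.2 = INTEGER: 10002
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.31.1.1.1.1.10001 = STRING: Fa0/1
.1.3.6.1.2.1.31.1.1.1.1.10002 = STRING: Fa0/2
.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: Fa0/3
.1.3.6.1.2.1.17.4.3.1.2.0.80.86.170.187.1 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.0.80.86.170.187.2 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.0.12.41.222.173.1 = INTEGER: 3
"""

# net-snmp renders PhysAddress two ways depending on version and flags; both appear here.
ROUTER_WALK = """\
.1.3.6.1.2.1.4.22.1.2.5.10.0.0.10 = STRING: 0:50:56:aa:bb:1
.1.3.6.1.2.1.4.22.1.2.5.10.0.0.20 = Hex-STRING: 00 50 56 AA BB 02 
.1.3.6.1.2.1.4.22.1.2.5.10.0.0.101 = STRING: 0:c:29:de:ad:1
"""

# Stand-ins for reverse DNS and the registered-MAC list (socket.gethostbyaddr
# and the asset database in real life); constructed for the example.
DNS = {"10.0.0.10": "fileserver.corp.example", "10.0.0.20": "vp-desktop.corp.example"}
KNOWN_MACS = {"00:50:56:aa:bb:01", "00:50:56:aa:bb:02"}

LINE_RE = re.compile(r"^(\S+) = ([\w-]+): (.*)$")


def walk(text):
    """Yield (oid, type, value) from snmpwalk-style lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).strip()


def norm_mac(kind, value):
    """Normalise 'Hex-STRING: 00 50 ..' and 'STRING: 0:50:..' to aa:bb:cc:dd:ee:ff."""
    octets = value.split() if kind == "Hex-STRING" else value.split(":")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def mac_from_oid_suffix(suffix):
    """'0.80.86.170.187.1' (decimal OID octets) -> '00:50:56:aa:bb:01'."""
    return ":".join(f"{int(o):02x}" for o in suffix.split("."))


def switch_mac_table(text):
    """{mac: port name} from one switch's BRIDGE-MIB + IF-MIB walk."""
    port_if, if_name, fdb = {}, {}, {}
    for oid, _, val in walk(text):
        if oid.startswith(BASEPORT_IFINDEX):
            port_if[oid[len(BASEPORT_IFINDEX):]] = val
        elif oid.startswith(IFNAME):
            if_name[oid[len(IFNAME):]] = val
        elif oid.startswith(FDB_PORT):
            fdb[mac_from_oid_suffix(oid[len(FDB_PORT):])] = val
    return {mac: if_name.get(port_if.get(port, ""), f"bridgeport{port}")
            for mac, port in fdb.items()}


def router_arp_table(text):
    """{mac: ip} from the router's ipNetToMediaPhysAddress walk."""
    arp = {}
    for oid, kind, val in walk(text):
        if oid.startswith(ARP_PHYS):
            ip = oid[len(ARP_PHYS):].split(".", 1)[1]  # strip the ifIndex
            arp[norm_mac(kind, val)] = ip
    return arp


def inventory(switch_walk, router_walk, dns, known):
    """One line per MAC on the switch ('ip mac port hostname'), plus alarms."""
    ports = switch_mac_table(switch_walk)
    arp = router_arp_table(router_walk)
    lines, alarms = [], []
    for mac, port in sorted(ports.items(), key=lambda kv: kv[1]):
        ip = arp.get(mac, "-")
        lines.append(f"{ip:<15} {mac} {port:<8} {dns.get(ip, '-')}")
        if mac not in known:
            alarms.append(f"unknown MAC {mac} ({ip}) on {port}")
    return lines, alarms


if __name__ == "__main__":
    lines, alarms = inventory(SWITCH_WALK, ROUTER_WALK, DNS, KNOWN_MACS)
    print("\n".join(lines + alarms))
```

Two site-specific details are left out: Cisco switches expose dot1dTpFdbPort per VLAN (the `community@vlan` indexing trick), so one walk per VLAN is needed, and uplink ports show every MAC from the switches behind them, so they have to be excluded before an "unknown MAC on port X" line means anything.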

  21. Welcome to Slashdot. Home of the insensitive clod. by Buran · · Score: 1

    Not everyone here works in the IT field, yaknow... maybe once upon a time it was more likely that most of the readers would know this stuff, but today, there's a lot more people reading slashdot who come from far more varied backgrounds. I'm not a network admin (I do other sorts of IT work as part of my job, but not as all of my job) and I found the article to be of interest.

  22. Before anyone implements this... by bigtallmofo · · Score: 1

    Pretty good, but doesn't stop you going in with a static address in the right range tho...

    How is this "pretty good" then? It would take someone with access to a network port 2 seconds to find out your subnet information and would take them another 2 seconds to skip DHCP completely and put an address in manually. Even worse, they could add your entire subnet to the list of IP addresses on the system and cause IP address collisions with every host on your network.

    Before anyone implements this suggestion thinking it's going to add much to your security, realize it's a big pain in the ass for not a lot of benefit.

    --
    I'm a big tall mofo.
  23. How to respond to threats behind the firewall by realcoolguy425 · · Score: 1

    What do you do when he brings his virus-laden laptop into the office BEHIND your firewalls and plugs it in?
    Utilize the network admin's .22 caliber pistol...

    1. Re:How to respond to threats behind the firewall by Anonymous Coward · · Score: 0

      Only a 22? You're being generous... ;)

    2. Re:How to respond to threats behind the firewall by Anonymous Coward · · Score: 0

      Yeah. 10mm is more like it. Though if it must be a .22 cal bullet, the 5.7x28mm should suffice :-)

  24. This article is brought to you by Cisco(TM)... by presarioD · · Score: 2, Insightful

    how wonderfully clandestine public PR industry operations are nowadays:

    For more information on CDP, visit http://cisco.com/en/US/tech/tk648/tk362/tk100/tech_protocol_home.html

    Hmmmmmmmm... and the ./ editors will be the first ones to bite.

    --
    Yam, yam, uga booga, yam, yam, yade, yade, uga booga, yam, yam, yade, yade
    1. Re:This article is brought to you by Cisco(TM)... by presarioD · · Score: 1

      two spelling mistakes in one simple post. Ts ts ts ts ts ts ts ts!

      Here *kneeling down and extending the neck*. I surrender to the grammar nazis. Please be swift and painless...

      --
      Yam, yam, uga booga, yam, yam, yade, yade, uga booga, yam, yam, yade, yade
    2. Re:This article is brought to you by Cisco(TM)... by Anonymous Coward · · Score: 0

      I can assure you that the author is not a Cisco rep. He is, in fact, a CCNA, and is employed in the networking field, using some technologies you haven't even heard of.

      Lay off with the negative comments.

    3. Re:This article is brought to you by Cisco(TM)... by presarioD · · Score: 1

      You don't have to be a Cisco rep to be part of the Cisco PR effort :-)

      Since when is exposing a PR stunt considered a negative comment?

      Why did you post a response anonymously?

      Big hug and kisses! :-)

      --
      Yam, yam, uga booga, yam, yam, yade, yade, uga booga, yam, yam, yade, yade
  25. Re:Welcome to Slashdot. Home of the insensitive cl by bjelkeman · · Score: 2, Funny

    You see, it is like a network security guild. If you don't know everything about network security then you shouldn't be allowed to learn anything more about network security.

    Clearly this is a very effective way to improve the security on the networks around the world... ah, pardon the pun, I mean the Job Security for our dear paid up members of the Network Security Guild.

    --
    Akvo.org - the open source for water and sanitation
  26. Sometimes, DHCP sucks by lightyear4 · · Score: 2, Interesting

    'Whats On Your Network?' is a good question that should have been asked of the resnet techs at my university. Getting on the school network is automated for all computers with a browser, but other hardware-based network equipment must have its MAC registered manually. Needless to say, resnet doesn't actually enjoy it. One time, some moron plugged the ethernet cable from the wall into a LAN jack rather than the WAN. Kids' computers were sending DHCP requests out, receiving two responses, and dragging the entire network down. The complaint calls rained down upon tech support, and network techs had to go through dorm after dorm, checking every single room. And you thought DHCP made everything easier.
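The two-DHCP-responses failure lightyear4 describes, as an added example rather than anything from the post: a parser for raw DHCP (BOOTP-framed) messages that flags DHCPOFFERs whose server identifier is not an authorised server, and transactions that drew offers from more than one server. The packets, MACs, addresses and the authorised-server list are constructed for the example; in production the bytes would come from a pcap or a raw socket on a monitor port, which is not shown.

```python
"""Spot the 'two DHCP responses' condition the post above describes.

Parses raw DHCP (BOOTP-framed) messages and flags DHCPOFFERs whose server
identifier is not on the authorised list, plus transactions that drew offers
from more than one server. In production the bytes come from a pcap or a raw
socket on a monitor port; the packets here are constructed for this example.
"""
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP option cookie (RFC 2132)
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 53, 54, 255
DHCPOFFER = 2


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_dhcp(pkt):
    """Fixed BOOTP fields plus {option code: raw bytes}; None if not a DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                      # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):                # truncated option header
            break
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": ip_str(pkt[16:20]),
            "chaddr": mac_str(pkt[28:28 + min(hlen, 16)]), "opts": opts}


def build_offer(xid, client_mac, offered_ip, server_ip, router_ip):
    """Minimal DHCPOFFER bytes for the sample input (not a full server)."""
    def a(s):
        return bytes(map(int, s.split(".")))
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)          # BOOTREPLY, Ethernet
    hdr += b"\0" * 4 + a(offered_ip) + a(server_ip) + b"\0" * 4   # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0") + b"\0" * 192
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + a(server_ip)
    opts += bytes([OPT_ROUTER, 4]) + a(router_ip) + bytes([OPT_END])
    return hdr + MAGIC + opts


def rogue_offers(packets, authorised):
    """Return (findings, contested).

    findings: one dict per OFFER from a server not in `authorised`.
    contested: {xid: sorted server IPs} for transactions answered by more than one
    server, i.e. the client saw two responses whether or not the rogue won the race.
    """
    findings, by_xid = [], {}
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if not msg or msg["opts"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            continue
        server = ip_str(msg["opts"].get(OPT_SERVER_ID, b"")) or "?"
        by_xid.setdefault(msg["xid"], set()).add(server)
        if server not in authorised:
            findings.append({"xid": msg["xid"], "client": msg["chaddr"], "server": server,
                             "offered": msg["yiaddr"],
                             "router": ip_str(msg["opts"].get(OPT_ROUTER, b"")) or "?"})
    contested = {xid: sorted(s) for xid, s in by_xid.items() if len(s) > 1}
    return findings, contested


AUTHORISED = {"10.1.0.1"}
# Constructed: the same client transaction answered by the campus server and by the
# LAN side of a home router someone cabled in backwards.
SAMPLE_PACKETS = [
    build_offer(0x3903F326, "00:0c:29:de:ad:42", "10.1.5.23", "10.1.0.1", "10.1.0.1"),
    build_offer(0x3903F326, "00:0c:29:de:ad:42", "192.168.0.100", "192.168.0.1", "192.168.0.1"),
]

if __name__ == "__main__":
    findings, contested = rogue_offers(SAMPLE_PACKETS, AUTHORISED)
    for f in findings:
        print(f"rogue DHCP server {f['server']} offered {f['offered']} (gw {f['router']}) "
              f"to {f['client']} xid {f['xid']:#x}")
    for xid, servers in contested.items():
        print(f"xid {xid:#x}: offers from {', '.join(servers)}")
```

The contested-transaction check matters because a client keeps whichever OFFER arrives first, so a rogue server is disruptive even when it loses most races. Where the switches support it, DHCP snooping (server traffic trusted only on the uplink port) stops the problem rather than just reporting it.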

  27. Porn Sites hurt Feelings. by ebooher · · Score: 4, Insightful

    Could someone please tell me why employees browsing porn sites is such a big fucking deal? How is it different than employees browsing /.?

    IT security people at corporations are becoming porno hunters. Be proud, guys.

    You apparently do not live in the U.S. You see, here we have these things called laws that are written and voted upon by hairless monkeys that are given offices by people that can't be bothered to read and vote on these "laws" themselves.

    Some of these "laws" revolve around personal opinion and human emotions known as "feelings." They state that if you do something that hurts someone else's "feelings" you will go to jail and have to give them a lot of money.

    This has caused a rash outbreak of people "sniping" or hiding out in bushes that sometimes decorate offices and awaiting an unsuspecting employee to briefly brush past a site holding pornographic material. Google.com is a good example. In this instant they leap from the previously hidden sniping bush and proclaim that the barest hint of an unclothed nipple has hurt their "feelings"

    This results in a winning lawsuit in which the unknowing employee receives a new boyfriend at the same time that he is given to the sniper as a money slave for the rest of his life. Sometimes it even results in the closing of an entire company and results in a rise in unemployment which these people called "taxpayers" really have something against.

    A couple of years ago something that looked almost like a nipple, but clearly wasn't, caused a major change in the entire U.S. broadcasting industry because of all the people whose "feelings" the wardrobe malfunction had caused to be hurt.

    This has caused companies to be very careful about keeping anything that could possibly hurt "feelings" out of their offices and off of their computers. Where I work, we usually just leave the computers turned off ....

    --
    "Genius may shine aloof and alone, like a star, but goodness is social, and it takes two men and God to make a Brother."
    1. Re:Porn Sites hurt Feelings. by Anonymous Coward · · Score: 0

      Yet showing endless amounts of violence, real and fake, is not an issue to these people... America has some really screwed up morals, but that's what happens when the country is controlled by Christian extremists and of course the almighty dollar.

    2. Re:Porn Sites hurt Feelings. by Suddenly_Dead · · Score: 1

      It's mostly that they're abusing the concerns that the Christian extremists (yet another vocal minority) raise in order to make money. Most such people probably don't really give a crap about the content, but they'll put on a heck of a show for the courts.

      As for how violence seems to mean far less to people than sex in movies, TV, etc.: if one got uppity about violence, the newscasts would have to start cutting down on a lot of content, wars and crap that seems to be happening all the time would have to be hushed and support would be reduced, etc. Anyone who does oppose violence and such, therefore, gets far less media coverage because their view point is not wanted by the media folks.

      Blahblahblah

    3. Re:Porn Sites hurt Feelings. by zalt · · Score: 1

      I work at a rather large company and we had an incident with an employee a while ago who used his company laptop for illegal activities, and then I don't mean that he used the wonderful multitasking possibilities of his OS to download GTA San Andreas in the background while making some PowerPoint presentations or whatever he did to earn his wages. It was actually quite disgusting, but I won't go into details there.

      He got detected from the outside, people from the outside could tell it was a company box causing this traffic, but not which one. After several (and apparently quite heavy) discussions about the employee's personal integrity they moved the filter behind our firewall to detect which computer it was and ta-daaa, they could identify him and the cops took him.

      The point here was the speech our boss gave us after this whole ordeal. He made sure that we all knew that the company wasn't scanning our e-mail, they're not checking which sites we surf to, they're not getting alarms ringing when someone uses SSH. If someone surfs porn, that's bad and could cause consequences (but you probably don't get fired), but the only time they're actually checking what you're doing with your box is when someone calls them up and telling them that a box is used for illegal activities, like in this particular case.

      I'm not using my box for illegal activities, but I sure felt relieved to know that all I do isn't logged and read by some evil all-seeing eye, looking for stuff that might be compromising for the company. Or that my mail is scanned for keywords and what-not.

      Then again, I live in Sweden. :)

  28. Whats on my network? by jesser · · Score: 2, Informative

    I'm pretty sure there are no Whats on my network.

    --
    The shareholder is always right.
  29. 802.1x by humanasset · · Score: 1

    Check out 802.1x. Most modern switching gear supports it and some of the newer stuff even allows you to do dynamic policy enforcement (ACLs, rate limiting, etc.) based on group membership. It's much more scalable and flexible than MAC-based authentication.

    This can be done for both wired and wireless networks, as described in this Microsoft article. http://www.microsoft.com/technet/security/topics/cryptographyetc/peap_0.mspx

    Client support exists for Windows, Mac OS, and *nix. It can take a while to get set up, but it's worth it.

  30. Whats by Anonymous Coward · · Score: 0

    Whats a whats??

  31. oh good lord by netwiz · · Score: 1

    cripes, people. This is a two-part problem. One, the process issue, deals with how you manage physical port assignment. Two, the technical issue, deals with how you enforce the process. This is most easily done with some form of port security. Map the MAC to the physical port and lock it down. Then disable all the unused ports, and you're set.

    gods, you'd think this was a difficult issue...

    1. Re:oh good lord by Anonymous Coward · · Score: 0

      What, do you maintain a 3-computer network? Get real.

    2. Re:oh good lord by netwiz · · Score: 1

      actually, I'm maintaining over 4000 distinct nodes. If you stay on top of your systems documentation-wise, it's not a big deal, and you've got all the necessary environmental metadata created in one whack.

      Seriously, this problem is almost entirely a process issue, not technical.

    3. Re:oh good lord by Ph33r+th3+g(O)at · · Score: 1
      Depends on the environment. If you work in a corporation where you can have someone who plugs something with an unrecognized MAC into a jack escorted out by security, that's great. In less, um, intense environments (think college campuses), locking to MAC addresses just plain isn't going to work.

      I do agree that where it can be done, it's prudent and valuable even if for no other reason than knowing what devices the company owns.

      --
      I too have felt the cold finger of injustice.
  32. Re:Welcome to Slashdot. Home of the insensitive cl by Buran · · Score: 1

    Great, now I have this mental image of munchkins singing "We represent the Networking Guild" ... ;)

  33. Time to fire up... by mav[LAG] · · Score: 2, Funny

    ..the BOFH excuse server. The random answer it gave me was singularly appropriate although unhelpfully honest:

    your excuse: because of network lag due to too many people playing deathmatch

    --
    --- Hot Shot City is particularly good.
  34. Ummm... by eno2001 · · Score: 2

    ...wrong audience here. Most /. readers are operating home networks. Very few of them actually have real network related jobs. They might work help desk, or be in IT management. But real network jocks have very little to do with Slashdot.

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    1. Re:Ummm... by methangel · · Score: 1

      Speak for yourself dude. I'm a network "jock" with a real network related job. Of course I do coding too. So, meh.

    2. Re:Ummm... by eno2001 · · Score: 1

      Then you're in the minority. Most of the /. crowd is not you.

      --
      -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  35. You're using a public address: by Anonymous Coward · · Score: 0

    I don't know if this was a mis-type, but you wrote:
    "198.162.1.104"
    That is a real-world public address. Your internal network should be using 192.168.1.104, not *198.162*

    Just a thought, anyway

    1. Re:You're using a public address: by Anonymous Coward · · Score: 0

      yeah sorry I got that wrong should be 192.168.x.x (as in internal address)

      thanks

  36. Bra Burners Not Bible Thumpers by HornWumpus · · Score: 1
    You have your special interest wrong.

    The loony right hates porn.

    The loony left hates everything straight male.

    Neither side has that much influence outside of primary season.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  37. More like "sexual harassment" by No+Such+Agency · · Score: 1

    As women (and many men) started to get sick of a workplace culture where guys would think it was funny to post the Hustler centerfold above the new girl's desk, we began to recognize that sexually-related conduct causes problems in the workplace. That's why telling dirty jokes, pornographic pranks etc are usually forbidden. As for surfing pr0n, that's just stupid, do that on your own time. I goof off at work as much as anyone but I know that adult material is for my "me time" at home.

    This has caused a rash outbreak of people "sniping" or hiding out in bushes that sometimes decorate offices and awaiting an unsuspecting employee to briefly brush past a site holding pornographic material. Google.com is a good example. In this instance they leap from the previously hidden sniping bush and proclaim that the barest hint of an unclothed nipple has hurt their "feelings".

    Now that's just paranoia, and smacks of thinly-veiled anti-feminist hysteria too.

    That "wardrobe malfunction"... that was wildly overreacted-to. How is that different? Well, you have to go to work, but nobody's forcing you to watch the Superbowl. That incident might have warranted a "you guys are morons" letter from the FCC, but not a big fine.

    --
    Freedom: "I won't!"
  38. Simple by Luke-Jr · · Score: 1

    Don't trust random devices on the network-- if you have a service you want secure, have some kind of authentication on it, don't just trust random connections.

    --
    Luke-Jr
  39. Have you been paying attention? by HornWumpus · · Score: 1
    It's not paranoia when people are sued for someone overhearing an off color joke.

    Clinton did a lot to push it back to sanity. If he can get a blowjob from a subordinate and keep his job so can anybody. (What? Anybody else would be fired? Republican!)

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  40. Security starts at the closet by nurb432 · · Score: 2, Insightful

    The very first thing you do is make sure you have no live ports just 'lying around'. If you don't have a person at a desk, its jack gets unpatched (or turned off at the switch).

    Secondly, you tie MAC addresses to specific ports on your switches, to help prevent people moving around without your knowledge. It also slows down people from casually swapping their company-owned PC with a personal laptop. However, unlike the good old days, it won't slow down those damned wifi boxes since they can clone MAC addresses easily... But it's at least a start.

    --
    ---- Booth was a patriot ----
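The port-to-MAC binding nurb432 describes is only useful if somebody actually compares what the switch has learned against what was intended. The script below is an added example (not from the comment, the article, or any switch vendor): it parses a constructed MAC-table dump in a generic "show mac address-table" layout, checks it against a hypothetical `EXPECTED` port-to-MAC map and a `DISABLED_PORTS` set, and reports devices that moved, unknown MACs, ports carrying several hosts (the tell-tale of a hub or a consumer wifi box), and traffic on ports that should be unpatched. As the comment warns, a cloned MAC passes this check; the audit catches carelessness, not a determined adversary.

```python
"""
Audit a switch's learned MAC table against intended port-to-MAC bindings.

Added example. The table text and the bindings are constructed sample data;
the layout imitates a generic "show mac address-table" dump, not any specific
vendor's exact output, so adjust parse_mac_table() for your platform.
"""
import re
from collections import defaultdict

# Constructed sample of learned addresses (VLAN, MAC, type, port).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/3
  10    00aa.bbcc.dd02    DYNAMIC     Gi1/0/3
  10    00aa.bbcc.dd03    DYNAMIC     Gi1/0/3
  10    0011.2233.4457    DYNAMIC     Gi1/0/7
  10    0011.2233.4456    DYNAMIC     Gi1/0/9
"""

# Hypothetical bindings: which MAC is supposed to sit on which port.
EXPECTED = {
    "Gi1/0/1": "00:11:22:33:44:55",
    "Gi1/0/2": "00:11:22:33:44:56",
    "Gi1/0/3": "00:aa:bb:cc:dd:01",
    "Gi1/0/7": "00:11:22:33:44:58",
}
# Ports with no desk behind them; they should be unpatched or shut down.
DISABLED_PORTS = {"Gi1/0/9"}

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55 forms."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return a list of (port, mac) pairs, skipping header/separator lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        _vlan, mac, _type, port = fields
        entries.append((port, normalize_mac(mac)))
    return entries


def audit(entries, expected, disabled_ports):
    """Compare learned (port, mac) pairs with the bindings; return sorted findings."""
    seen = defaultdict(set)
    for port, mac in entries:
        seen[port].add(mac)
    home_of = {normalize_mac(m): p for p, m in expected.items()}

    findings = []
    for port, macs in seen.items():
        if port in disabled_ports:
            findings.append(("disabled_port_active", port, ",".join(sorted(macs))))
        if len(macs) > 1:
            # Several hosts behind one jack: a hub, a wifi box, or a VM host.
            findings.append(("multiple_hosts", port, ",".join(sorted(macs))))
        for mac in macs:
            if port in expected and mac == normalize_mac(expected[port]):
                continue  # exactly what we bound to this port
            home = home_of.get(mac)
            if home is not None and home != port:
                findings.append(("moved", port, f"{mac} belongs on {home}"))
            elif home is None:
                findings.append(("unknown_mac", port, mac))
    for port, mac in expected.items():
        if normalize_mac(mac) not in seen.get(port, set()):
            findings.append(("missing", port, normalize_mac(mac)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, port, detail in audit(parse_mac_table(SAMPLE_MAC_TABLE), EXPECTED, DISABLED_PORTS):
        print(f"{kind:22} {port:10} {detail}")
```

Run it on a real dump by replacing `SAMPLE_MAC_TABLE` with the output of your switch (or a feed from your NMS) and `EXPECTED` with the bindings from your patch-panel records; a "missing" finding on a port whose MAC turns up as "moved" elsewhere is the desk-hopping case the comment is about.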
  41. What case was that? by C10H14N2 · · Score: 1

    Seriously, please direct us to one single, solitary example of a company that was literally shut down because an employee was looking at a stiff nipple.

    Honestly, so much of this liability paranoia is such crap it boggles the mind that people actually believe it. Sure, if someone is doing something illegal, the company may be questioned and asked for assistance by the authorities, but that's a far cry from "Sometimes it even results in the closing of an entire company and results in a rise in unemployment which these people called "taxpayers" really have something against."

    Seriously, people using this sort of bullshit language are far more to blame for these absurd policies (be they factual or otherwise) than any real liability exposure.

    1. Re:What case was that? by ebooher · · Score: 1

      Life, Sir, is a joke. Please laugh every once in a while. It will make the day go by faster.

      --
      "Genius may shine aloof and alone, like a star, but goodness is social, and it takes two men and God to make a Brother."
    2. Re:What case was that? by C10H14N2 · · Score: 1

      However, it's a joke in need of better writers.

  42. NetReg by NetFiber · · Score: 1

    I'm a student at UCONN. The admins in our shop use this piece of software called NetReg (orig. from Southwestern University [netreg.org]) to register all network-enabled devices. Unregistered devices are thrown in a restricted 10.x.x.x subnet and forced to register before they are allowed to receive a dynamically assigned public IP address. To prevent network abuse via manually assigned static IP addresses, servers routinely scan the network for IPs not dynamically assigned and MAC addresses tied to public IPs that are not registered. In the event an unregistered device is discovered with a public IP, the admins shut down the switch port and the student/faculty member is forced to call our call center. This seems to prevent a lot of headaches.

  43. a possible solution? by john_uy · · Score: 1
    Is there software that does the following?

    Let's say that you have multiple subnets, 192.168.0.x/24, 192.168.1.x/24, up to 192.168.255.x/24, where each router IP is at the start, such as 192.168.0.1 (being the default gateway of each).

    Is there something that eats up all the IP addresses, such as a computer being a member of all the subnets? I want to prevent people from using a static IP address (as it will result in an IP address conflict). So that thing will listen for DHCP requests and will release the IP and assign it to the requesting terminal instead. This will force everyone to use DHCP and we can keep track of all users and their MAC addresses, since they need to register or they will not be able to connect to the network.

    So in the scenario, let's say a computer will assign itself the IP addresses 192.168.0.2, 192.168.0.3, ..., 192.168.255.254. When it receives a DHCP request from a newly plugged-in computer (that is registered), it will release 192.168.0.2 and it will assign the entry to the computer.

    So fellow Slashdotters, do you have other suggestions for preventing people from logging on to a network (with switches) without being able to assign a static IP? (Of course MAC address filtering will not work as they can still put in any IP address and access the network.) 802.1x may also help but it is mainly for the security of the physical port and not the logical network.

    --
    Live your life each day as if it was your last.
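NetFiber's NetReg description (scan for addresses that were not handed out by DHCP, and for MACs on public addresses that nobody registered) and john_uy's question (how to catch people who set a static IP to dodge DHCP registration) are the same detection problem. The script below is an added example, written by the editor and not part of either comment or of NetReg itself: it reconciles a router's neighbour table (constructed sample in Linux `ip neigh` format) against a hypothetical DHCP lease table and registration list, ignores the quarantine 10.0.0.0/8 range where unregistered hosts are expected, and reports three things: addresses in use with no lease (a static IP), leased addresses answered by a different MAC than the lease holder (spoofing or a conflict), and leased addresses whose MAC is not registered. Those findings are what you would feed to the "shut down the switch port" step. It does not try to hold every address itself, as john_uy proposes; it watches who is actually using them. TEST-NET-3 (203.0.113.0/24) stands in for the public range.

```python
"""
Reconcile observed hosts against DHCP leases and a device registry.

Added example. All inputs are constructed: the neighbour table imitates Linux
`ip neigh` output, PUBLIC_NET uses the TEST-NET-3 documentation range, and the
lease and registration tables are toy data. Wire parse_neigh() to your
router's ARP/neighbour export and the two dicts to your DHCP server and
registration database.
"""
import ipaddress

PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")  # constructed stand-in for the routed range
QUARANTINE_NET = ipaddress.ip_network("10.0.0.0/8")  # unregistered hosts are parked here

# Hypothetical registry: MAC -> owner, filled in when a user registers.
REGISTERED = {
    "00:11:22:33:44:55": "alice",
    "00:11:22:33:44:56": "bob",
}

# Hypothetical DHCP lease table: IP -> MAC the server handed it to.
LEASES = {
    "203.0.113.20": "00:11:22:33:44:55",
    "203.0.113.21": "00:11:22:33:44:56",
    "203.0.113.22": "00:11:22:33:44:57",   # leased, but the MAC was never registered
    "10.5.0.7": "de:ad:be:ef:00:01",       # quarantine lease, expected to be unregistered
}

# Constructed `ip neigh` output as seen on the router.
SAMPLE_NEIGH = """\
203.0.113.20 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
203.0.113.21 dev eth0 lladdr 00:11:22:33:44:99 STALE
203.0.113.22 dev eth0 lladdr 00:11:22:33:44:57 REACHABLE
203.0.113.50 dev eth0 lladdr ca:fe:00:00:00:01 REACHABLE
203.0.113.99 dev eth0 FAILED
10.5.0.7 dev eth1 lladdr de:ad:be:ef:00:01 REACHABLE
"""


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` lines; entries without lladdr are unresolved."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or "lladdr" not in fields:
            continue
        hosts[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return hosts


def reconcile(neigh, leases, registered):
    """Compare live hosts with leases and registry; return sorted (kind, ip, detail)."""
    findings = []
    for ip_str, mac in neigh.items():
        ip = ipaddress.ip_address(ip_str)
        if ip in QUARANTINE_NET:
            continue  # parked hosts are supposed to be unregistered
        if ip not in PUBLIC_NET:
            continue  # upstream gateway, management net, etc.: not in scope here
        leased_mac = leases.get(ip_str)
        if leased_mac is None:
            # Address in use that DHCP never issued: a manually set static IP.
            findings.append(("static_ip", ip_str, mac))
        elif leased_mac.lower() != mac:
            # Someone other than the lease holder is answering for this address.
            findings.append(("lease_mismatch", ip_str, f"{mac} (leased to {leased_mac})"))
        elif mac not in registered:
            # DHCP gave out a public address to a MAC with no registration record.
            findings.append(("unregistered", ip_str, mac))
    return sorted(findings)


if __name__ == "__main__":
    for kind, ip, detail in reconcile(parse_neigh(SAMPLE_NEIGH), LEASES, REGISTERED):
        print(f"{kind:15} {ip:16} {detail}")
```

The MAC reported in each finding is what you look up in the switch's forwarding table to find the port to disable; it is also the identifier the user will have to register before the port comes back. A host that spoofs the MAC of a legitimately leased address shows up as a `lease_mismatch` only while the real owner is also on the wire, so run the check often and keep a history rather than a single snapshot.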