What's On Your Network?
An anonymous reader writes "According to a Whitedust article you may currently have more on your network than you think you do. The article claims that not much security attention is generally given to one of the most elusive aspects of computer security; that of physical connectivity." From the article: "Broadcast traffic is on the rise, with more suspicious user activity in the logs every day. Then one morning you get a call from your irate boss wanting to know why he no longer has a network connection, yet the employees - or students or whoever - down the hall are able to play games and visit porn sites, at blazing speeds no less."
Sure, where the employer can pay for it you'll have very good administrators, be it Windows or not. On most smaller sites, the administrator is not a full-time administrator, and is doing administration ad-hoc to his real job. This usually means that he does not have much training in this, nor much time for it either. Now, with all these (useful) Plug-and-Play devices you are bound to have some problems.
I distribute IPs through DHCP, and I maintain an ACL via iptables on my Linux router. DHCP distributes IPs based on MAC address, and I do allow unknown MACs to get an IP.
The trick is that any IP that I did not set up in DHCP is blocked by the ACL from all Internet access.
Invariably, some VP/exec/VIP calls me and asks why his visiting sales rep cannot access his email. I walk into the office and the fellow has jacked into my network.
My reply is: Sorry, you can use our WLAN for Internet access. No jacking into the network.
The WLAN is connected outside the firewall, so whatever they do there is of no concern to me.
Yes, there are flaws in this method, but so far it has brought every unauthorized network connection to my attention...
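An added example (not the poster's own scripts) that models the setup described above: DHCP hands a lease to any MAC, but only addresses with a static reservation get forwarding rules on the Linux router, and every dynamic lease from a MAC without a reservation is reported as a device that "jacked in". The dhcpd.conf and dhcpd.leases fragments are constructed sample data, and the interface names eth0/eth1 are assumptions.

```python
"""Allowlist forwarding from DHCP reservations, plus a report of unknown leases.

Added example, not code from the thread. Config, leases and interface
names below are constructed/assumed.
"""
import re

# Constructed ISC dhcpd.conf fragment: two hosts with reservations (sample data).
DHCPD_CONF = """
subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.100 192.168.10.199;
  host finance-pc { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.10.20; }
  host print-srv  { hardware ethernet 00:11:22:33:44:66; fixed-address 192.168.10.30; }
}
"""

# Constructed dhcpd.leases excerpt. A reserved host would not normally get a
# dynamic lease; one is included so the filter below is exercised both ways.
DHCPD_LEASES = """
lease 192.168.10.101 {
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "finance-pc";
}
lease 192.168.10.102 {
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "sales-laptop";
}
"""

HOST_RE = re.compile(
    r"host\s+(\S+)\s*\{[^}]*hardware ethernet\s+([0-9a-fA-F:]{17});"
    r"[^}]*fixed-address\s+([\d.]+);",
    re.S,
)
LEASE_RE = re.compile(
    r'lease\s+([\d.]+)\s*\{[^}]*hardware ethernet\s+([0-9a-fA-F:]{17});'
    r'(?:[^}]*client-hostname\s+"([^"]*)")?',
    re.S,
)


def parse_reservations(conf):
    """Return {mac: (hostname, fixed_ip)} for every static host block."""
    return {mac.lower(): (name, ip) for name, mac, ip in HOST_RE.findall(conf)}


def parse_leases(leases):
    """Return [(ip, mac, client_hostname)] for every dynamic lease."""
    return [(ip, mac.lower(), host) for ip, mac, host in LEASE_RE.findall(leases)]


def unknown_leases(conf, leases):
    """Dynamic leases whose MAC has no reservation: the devices nobody set up."""
    known = parse_reservations(conf)
    return [lease for lease in parse_leases(leases) if lease[1] not in known]


def build_iptables_rules(conf, lan_if="eth0", wan_if="eth1"):
    """Emit iptables FORWARD rules: default DROP, reserved hosts allowed out.

    Each ACCEPT matches source IP *and* source MAC, so a visitor who sets a
    static IP by hand still does not pass without the reserved MAC as well.
    """
    rules = [
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    hosts = sorted(parse_reservations(conf).items(), key=lambda kv: kv[1][1])
    for mac, (name, ip) in hosts:
        rules.append(
            f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {ip}/32 "
            f"-m mac --mac-source {mac} -j ACCEPT  # {name}"
        )
    return rules


if __name__ == "__main__":
    for ip, mac, host in unknown_leases(DHCPD_CONF, DHCPD_LEASES):
        print(f"unknown device: {ip} {mac} ({host or 'no hostname'})")
    print("\n".join(build_iptables_rules(DHCPD_CONF)))
```

Running the script prints the one unknown device (the sales laptop) and the generated rule set; the same `unknown_leases` check run from cron against the live leases file is the alerting the poster describes.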
Unplug unused network points.
Three months ago we had a security audit carried out by an external company. The first thing they did was find a couple of unused offices and plug their laptops into the network points. I'm glad to say that there was no result.
If you want to take this further then use managed switches and assign each port in use to a specific MAC address. That way if a 'visitor' pulls the plug on one of your computers and plugs their machine there will still be a nil result.
Ed Almos
Budapest, Hungary
The more corrupt the state, the more numerous the laws. - Tacitus, 56-120 A.D.
After 2 months of looking for the servers, following a jungle of Cat5, coax and AUX leads, it turned out that there was some building work done about 6 years before in an old section of the college that's not been used anymore, and the servers were hidden in a room that had been blocked off behind a new wall that had been put in...?!!??!
Strangely enough, the exact same thing happened at UNC-CH, except it was a Netware 3.12 server. And it happened at MIT, except it was an RS/6000, and at CWRU it was a SCO Unix box, and at Stanford it was a VAX cluster, blah, blah, blah...
can you say "Urban Legend?"
If static IPs were used, wouldn't it make 99% of the problem go away?
Short answer: no.
Just having static IP addresses isn't enough. Actually, even the pseudo-static DHCP (via MAC address) is "good enough" but also vulnerable to exploit by manually setting the MAC address of the alien network interface to one that is allowed to get an IP (there's more complexity to doing that, but suffice it to say it can be done).
To answer your question: if your network relies solely on the IP address on some guy's workstation to identify it as "his," then you've opened yourself up to more problems than him hooking up his Xbox or Internet-enabled coffee maker.
What do you do when he brings his virus-laden laptop into the office BEHIND your firewalls and plugs it in?
These problems won't be solved either until you have hardware authenticated connectivity (no reassignable MAC possible in the hardware) or everything is locked down via a different auth mechanism... like utilizing a VPN.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
802.1x
As for WiFi's security, it's flawed, and slows down attackers rather than stopping them. WEP can be broken relatively easily, and hiding your SSID doesn't save you either contrary to what some people might think.
The real way to handle WiFi security is to open a VPN with strong encryption to your router, and route everything through that VPN. If you're concerned about unauthorized people syncing to the network, MAC address filter *and* require some kind of cryptographic key exchange with the router prior to opening the communication. The same can apply for wired Ethernet; run a VPN between physically unsecured bits of cable and you bypass that problem.
Yes, security is a pain in the ass.
I'm pretty sure there are no Whats on my network.
The shareholder is always right.
FUD. A Unix machine running NFS is an automatic security problem.
FUD. NFS has its uses. Just don't let untrusted (i.e. generally used desktops, etc) have direct access to it.
The better solution is to use NFS as a fast setup for sharing disk space between a number of servers (say, for load balanced web servers running CPU-bound scripts) and read-only NFS for home directories with read-write AFS subdirectories (via symlinks?) used for anything important (things have to be done this way because AFS cannot be accessed during the login process due to credential issues).
NFS is not an *automatic* security problem. It is just a *likely* security problem.
LedgerSMB: Open source Accounting/ERP
We do this on our home (5 guys at uni) network - whenever someone comes along and plugs something in they can access HTTP through our proxy but that's it. It's not hard to get around, but for our use it does the job.
At one insurance company I worked for, it was no urban legend. Some remodelling was done and the access to a basement room where some test servers were set up was blocked by renovation materials and the renovation completed but the excess materials left stacked. Several years later of employees walking past the stacked supplies every day, a network check got some people curious and after nowhere else could be found with anything unaccounted for, a building map showed a room where most had forgotten there was a door...
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Sure it does, if you design the system around the VLAN capability of your switches. I worked once at a small university that had done just that, where their network registration system would move your MAC address around in VLANs upon registration.
The only way around it was to spoof your MAC with a known good one that you knew was offline, because as soon as it came online, you would be booted off due to the conflict.
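An added example (not the university's registration system, nor any poster's code) that models two of the controls discussed in this thread: binding each in-use switch port to one expected MAC, as the earlier "managed switches" comment suggests, and the registration-VLAN behaviour described just above, where a MAC that shows up on two ports at once is treated as a conflict and both ports are dropped into the registration VLAN. The binding and registration tables, the quarantine VLAN number 999 and the MAC-learn log format are all constructed for the example; real switches log this differently.

```python
"""Port/MAC binding checks and duplicate-MAC conflict handling.

Added example, not code from the thread. All tables and log lines are
constructed; the log syntax is invented for illustration.
"""
import re
from collections import defaultdict

# Constructed binding table: port -> MAC allowed on it. None = port should stay idle.
PORT_BINDINGS = {
    "Gi1/0/1": "00:11:22:33:44:55",   # finance-pc
    "Gi1/0/2": "00:11:22:33:44:66",   # print-srv
    "Gi1/0/3": None,                  # unused office, nothing should be learned here
}

# Constructed registration table: MAC -> VLAN it was moved to after registering.
REGISTERED = {
    "00:11:22:33:44:55": 10,
    "00:11:22:33:44:66": 10,
}
REGISTRATION_VLAN = 999   # assumed quarantine VLAN for unregistered or conflicting hosts

# Constructed MAC-learn log (format invented for this example).
SWITCH_LOG = """\
Sep 15 09:01:02 sw1 MAC_MOVE: 00:11:22:33:44:55 learned on Gi1/0/1 vlan 10
Sep 15 09:01:05 sw1 MAC_MOVE: 00:11:22:33:44:66 learned on Gi1/0/2 vlan 10
Sep 15 09:02:10 sw1 MAC_MOVE: de:ad:be:ef:00:01 learned on Gi1/0/3 vlan 999
Sep 15 09:03:30 sw1 MAC_MOVE: 00:11:22:33:44:55 learned on Gi1/0/7 vlan 10
"""

LOG_RE = re.compile(r"MAC_MOVE: ([0-9a-fA-F:]{17}) learned on (\S+) vlan (\d+)")


def parse_log(text):
    """Return [(mac, port, vlan)] for each MAC-learn event in the log."""
    return [(mac.lower(), port, int(vlan)) for mac, port, vlan in LOG_RE.findall(text)]


def binding_violations(events, bindings=PORT_BINDINGS):
    """Events where the learned MAC is not the one bound to that port.

    A port with no binding (or bound to None) should never learn anything,
    so any event on it is a violation: someone plugged into a spare point.
    """
    out = []
    for mac, port, _vlan in events:
        expected = bindings.get(port)
        if expected != mac:
            out.append((port, mac, expected))
    return out


def duplicate_macs(events):
    """MACs learned on more than one port: a cloned address or a cabling mistake."""
    ports = defaultdict(set)
    for mac, port, _vlan in events:
        ports[mac].add(port)
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


def assign_vlans(events, registered=REGISTERED):
    """Decide the VLAN for each port as the registration system would.

    Registered, unique MACs land in their registered VLAN. Unknown MACs and
    any MAC involved in a conflict go to the registration VLAN, which boots
    both the genuine host and the clone until someone looks at it.
    """
    dupes = duplicate_macs(events)
    decision = {}
    for mac, port, _vlan in events:
        if mac in dupes or mac not in registered:
            decision[port] = REGISTRATION_VLAN
        else:
            decision[port] = registered[mac]
    return decision


if __name__ == "__main__":
    evts = parse_log(SWITCH_LOG)
    print("binding violations:", binding_violations(evts))
    print("duplicate MACs:", duplicate_macs(evts))
    print("VLAN decisions:", assign_vlans(evts))
```

With the sample log, the finance PC's MAC appears on both Gi1/0/1 and Gi1/0/7, so both ports are quarantined, which is exactly the "booted off due to the conflict" behaviour; the device on the supposedly idle Gi1/0/3 shows up as a binding violation even though it never conflicts with anything.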
I've always taken "midwest" to roughly mean "middle of the western world;" it is roughly the center of the (north)western hemisphere.
Merriam Webster suggests that it can be applied to "Ohio & sometimes Kentucky" toward the east. That would certainly include Illinois.
Incidentally, it looks like Chicago is about 700 miles from the nearest Atlantic coastline, and not quite 150 miles east of the Mississippi. Reeeaaal East Coast, yo.