Slashdot Mirror


What's On Your Network?

An anonymous reader writes "According to a Whitedust article you may currently have more on your network than you think you do. The article claims that not much security attention is generally given to one of the most elusive aspects of computer security; that of physical connectivity." From the article: "Broadcast traffic is on the rise, with more suspicious user activity in the logs every day. Then one morning you get a call from your irate boss wanting to know why he no longer has a network connection, yet the employees - or students or whoever - down the hall are able to play games and visit porn sites, at blazing speeds no less."


  1. I'm more worried about my home network. by Anonymous Coward · · Score: 2, Insightful

    Lots of network noise from my Apple boxen. AFP, Rendezvous, Netbios etc. Oh and stupid Linksys router querying my ISP's domain name servers to find out where 198.162.1.104 is and dumb shite like that, strange bittorrent stuff from the internet that for some reason gets bounced around my entire network.

    Now can someone please tell me why tcpdump and tcpflow -c don't do the same thing. tcpflow seems to grab the entire data sans headers but misses most all of the lower level traffic (e.g. ARP who-has etc.), whilst tcpdump only grabs the headers no matter how big I make the snarfen -s thing or if I do -vv; it still only grabs the headers. It's like they both see different things.

    Thanks for any help

  2. Maybe this is just me... by PhilipPeake · · Score: 4, Insightful

    but isn't this the sort of stuff that ANY network admin worth their salt should be completely aware of? If they need to be told this stuff they are not (IMHO) worth employing as other than apprentice network engineers. Or is this level of admin common in Windows environments?

    1. Re:Maybe this is just me... by cavtroop · · Score: 5, Insightful

      Also, try to remember that most companies' IT departments are still short-staffed, and pro-active monitoring like network scanning, etc. gets put way on the back burner. I agree with you, and am just playing devil's advocate here :)

    2. Re:Maybe this is just me... by Homology · · Score: 4, Informative
      but isn't this the sort of stuff that ANY network admin worth their salt should be completely aware of? If they need to be told this stuff they are not (IMHO) worth employing as other than apprentice network engineers. Or is this level of admin common in Windows environments?

      Sure, where the employer can pay for it you'll have very good administrators, be it Windows or not. On most smaller sites, the administrator is not a full-time administrator, and is doing administration ad-hoc to his real job. This usually means that he does not have much training in this, nor much time for it either. Now, with all these (useful) Plug-and-Play devices you are bound to have some problems.

    3. Re:Maybe this is just me... by Canberra+Bob · · Score: 2, Interesting

      Not so simple - a place I worked for (a large telco) tried shutting down all non-approved systems. You know what happened? A large number of departments came to a screeching halt, as so many depended on non-approved in-house servers etc., and everything was quickly re-activated. Security doesn't come at the expense of line-of-business activities; it's the LOB that produces the income. Any IT manager who decided that the company could lose millions upon millions in revenue because he wanted to secure the network would have his head kicked in. Having draconian approval processes for custom in-house systems didn't exactly move managers to try to get their systems approved either. Generally there is an ideal scenario and the practical one, and the two are not the same.

    4. Re:Maybe this is just me... by einhverfr · · Score: 3, Insightful

      Well... Here is my attitude towards the whole thing... Sudden enforcement is generally a problem for reasons you mention.

      However, when you are planning or deploying your network, it makes sense to add filters to nearly all routers (a standard filter set) which allows you to monitor for certain types of common misconfigurations and problems. This can be largely automated so you don't have to dedicate a large amount of manpower to reading and parsing through logs. Ideally such a router management infrastructure would require very little overhead to manage.

      When something turns up, you need to investigate it. Find out what is going on. If it is an in-house server some department is running, find out what it is doing, discuss what needs to be done about it, and find out what you can do to add the required functionality to your server infrastructure (one possibility is to grant the department some level of approval in operating the server if it is important to the business).

      Security exists in a balance with LOB requirements. Heavily pushing one or the other side is a recipe for business failure.

      --

      LedgerSMB: Open source Accounting/ERP
    5. Re:Maybe this is just me... by ComputerizedYoga · · Score: 2

      doubtful.

      That would require IT security people being cooperative instead of adversarial...

  3. static dhcp ? by maharg · · Score: 3, Interesting

    the best solution I have seen is where you have to register your equipment's MAC address, then you get a "static" (i.e. always the same) IP address served to you via DHCP. No registered MAC address == no IP address. Presumably they had something looking for unregistered MAC addresses too. Pretty good, but doesn't stop you going in with a static address in the right range though...

    --

    $ strings FTP.EXE | grep Copyright
    @(#) Copyright (c) 1983 The Regents of the University of California.
    1. Re:static dhcp ? by cortana · · Score: 2, Informative
    2. Re:static dhcp ? by Randseed · · Score: 2, Informative
      Not really. WiFi is always going to be inherently less secure than the equivalent implementation on a physical, wired line because of the nature of radio communications. Anyone within range can intercept it.

      As for WiFi's security, it's flawed, and slows down attackers rather than stopping them. WEP can be broken relatively easily, and hiding your SSID doesn't save you either contrary to what some people might think.

      The real way to handle WiFi security is to open a VPN with strong encryption to your router, and route everything through that VPN. If you're concerned about unauthorized people syncing to the network, MAC address filter *and* require some kind of cryptographic key exchange with the router prior to opening the communication. The same can apply for wired Ethernet; run a VPN between physically unsecured bits of cable and you bypass that problem.

      Yes, security is a pain in the ass.

    3. Re:static dhcp ? by mcowger · · Score: 2, Informative

      Sure it does, if you design the system around the VLAN capability of your switches. I worked once at a small university that had done just that, where their network registration system would move your MAC address around in VLANs upon registration.

      The only way around it was to spoof your MAC with a known good one that you knew was offline, because as soon as it came online, you would be booted off due to the conflict.

  4. Interesting points but possibly too specific by Sv-Manowar · · Score: 3, Insightful

    This article raises the issue of internal network security, which is something that's been increasing in profile as a security risk over the past few years as ethernet/wifi enabled devices get smaller, cheaper and easier to hide. However, this article's specific Cisco approach to dealing with things by tracking them back through routers and cisco-specific tools seems to be of less use than more general scanning and identification measures.

    It's safe to say a good proportion of administrators already on networks with devices migrating on and off at will already have a consideration for these problems, and the specific approach detailed in the article may not be of best use to those less experienced admins starting to tackle this issue on their networks.

  5. DHCP fun by flinxmeister · · Score: 5, Funny

    if you don't run DHCP, a fun project is to throw a DHCP server out there and see who gets configured.

    It's amazing all the little devices that show up. Switches, old print servers, workstations tucked away in a corner somewhere that time forgot....now that many of these networks are starting to push 10 years, it's like archeology.

    Every now and then you find something that you just can't physically find. Lotsa fun.

    1. Re:DHCP fun by bersl2 · · Score: 5, Funny

      Every now and then you find something that you just can't physically find. Lotsa fun.

      Obligatory bash.org quote:

      <erno> hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.

    2. Re:DHCP fun by Shadow_139 · · Score: 3, Interesting

      This happened in Trinity College a few years ago; there were a few old AS400 servers the admins had forgotten about till one crashed and killed 3 of the main backend databases which were running on them.

      After 2 months of looking for the servers, following a jungle of Cat5, coax and AUX leads, it turned out that there was some building work done about 6 years before in an old section of the College that's not been used anymore, and the servers were hidden in a room that had been blocked off behind a new wall that had been put in...?!!??!

    3. Re:DHCP fun by Anonymous Coward · · Score: 3, Informative

      After 2 months of looking for the servers, following a jungle of Cat5, coax and AUX leads, it turned out that there was some building work done about 6 years before in an old section of the College that's not been used anymore, and the servers were hidden in a room that had been blocked off behind a new wall that had been put in...?!!??!

      Strangely enough, the exact same thing happened at UNC-CH, except it was a Netware 3.12 server. And it happened at MIT, except it was an RS/6000, and at CWRU it was a SCO Unix box, and at Stanford it was a VAX cluster, blah, blah, blah...

      can you say "Urban Legend?"

    4. Re:DHCP fun by autocracy · · Score: 3, Insightful
      Or... "not unsurprising?"

      Age old machines that just run and are scattered around without sense can certainly fall to that. What about Sun and losing a major chip fab machine? Turned out some recently departed developer's desktop ran something that was critical to operations, but was formatted after he left. I'm off on the details as to what purpose it fulfilled, but its disappearance was noted at the executive (CIO) level because of its disturbance to the company's operations. Whoopsie?

      --
      SIG: HUP
    5. Re:DHCP fun by rbarreira · · Score: 2, Interesting

      can you say "Urban Legend?"

      Yes (there are better references on this but I couldn't locate them...)

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    6. Re:DHCP fun by suitepotato · · Score: 2, Informative

      At one insurance company I worked for, it was no urban legend. Some remodelling was done and the access to a basement room where some test servers were set up was blocked by renovation materials; the renovation completed but the excess materials were left stacked. After several years of employees walking past the stacked supplies every day, a network check got some people curious, and after nowhere else could be found with anything unaccounted for, a building map showed a room where most had forgotten there was a door...

      --
      If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  6. I find it hard to believe by techno-vampire · · Score: 2, Insightful

    Are there really companies out there that still don't have a policy about not hooking up private equipment to the LAN without permission? Are there even any that let you run your own server on their LAN without asking? I find that hard to believe. Even if bandwidth isn't an issue, the company owns the equipment and has a right to say how it gets used, and what traffic is permitted. Anybody adding private equipment or running an unauthorized server has to know they're violating company policy, and can expect to be fired when it's discovered. The best way to keep it from happening a second time is to make sure everybody knows just why the fsckwit got canned.

    --
    Good, inexpensive web hosting
    1. Re:I find it hard to believe by QuestorTapes · · Score: 2, Interesting

      > Are there really companies out there that still don't have a policy about not hooking up private
      > equipment to the LAN without permission?

      Yep; lots of them.

      > Are there even any that let you run your own server on their LAN without asking?

      Yep ;>

      > I find that hard to believe. Even if bandwidth isn't an issue, the company owns the equipment
      > and has a right to say how it gets used, and what traffic is permitted.

      True. But where most people look at you funny if you walk into their house without knocking, there are many who look at you funny if you knock, and ask, "What the hell are you waiting for? Come in already."

      A lot of firms are the same.

      > Anybody adding private equipment or running an unauthorized server has to know they're violating
      > company policy, and can expect to be fired when it's discovered.

      Except when the company has no policy, or has lots of policies no one pays attention to, because everyone breaks them. Often because if you follow them, you can never get your work done.

      > The best way to keep it from happening a second time is to make sure everybody knows just why the fsckwit got canned.

      Unless, of course the fsckwit is the CEO, President, VP of this, Director of that. ;>

      Seriously; I don't hook up equipment without permission, even if it isn't 'policy', But it's a -lot- more common than you seem to think.

      Contracting at various firms, I see it all the time.

    2. Re:I find it hard to believe by MintyGreen · · Score: 2, Informative

      I've always taken "midwest" to roughly mean "middle of the western world;" it is roughly the center of the (north)western hemisphere.

      Merriam Webster suggests that it can be applied to "Ohio & sometimes Kentucky" toward the east. That would certainly include Illinois.

      Incidentally, it looks like Chicago is about 700 miles from the nearest Atlantic coastline, and not quite 150 miles east of the Mississippi. Reeeaaal East Coast, yo.

  7. Tight Network by tburt11 · · Score: 4, Informative
    I maintain a relatively small network of about 50 workstations and about two dozen other devices.

    I distribute IPs through DHCP, and I maintain an ACL via iptables on my Linux router. DHCP distributes IPs based on MAC address, and I do allow unknown MACs to get an IP.

    The trick is that any IP that I did not set up in DHCP is blocked via the ACL from all Internet access.

    Invariably, I get some VP/EXEC/VIP call me and ask why his visiting sales rep cannot access his email. I walk into the office and the fellow has jacked into my network.

    My reply is: Sorry. You can use our WLAN for internet access. No jacking into the network.

    The WLAN is connected outside the firewall, so whatever they do there is of no concern to me.

    Yes, there are flaws in this method, but so far it has brought every unauthorized network connection to my attention...
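
The allowlist tburt11 describes above (reserved addresses get out, anything else is dropped) can be tightened so the rule matches the reserved MAC as well as the IP, which closes the trivial bypass of a visitor typing in a static address from the right range. The following is an added example, not tburt11's own ruleset: it assumes an ISC dhcpd.conf with fixed-address host entries (constructed excerpt), LAN on eth1 and WAN on eth0, and iptables' `-m mac --mac-source` match. `wan_allowed()` replays the chain's first-match logic so the bypass cases can be checked without a router.

```python
import re

# Constructed excerpt of an ISC dhcpd.conf; the host blocks are the reservations the ACL trusts.
DHCPD_CONF = """\
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.199;   # unknown MACs still get a lease from here
  option routers 10.0.0.1;
}
host alice-pc   { hardware ethernet 00:11:22:33:44:66; fixed-address 10.0.0.51; }
host fileserver { hardware ethernet 00:11:22:33:44:55; fixed-address 10.0.0.50; }
"""

LAN, WAN = "eth1", "eth0"   # assumed interface names on the Linux router

HOST_RE = re.compile(
    r"host\s+(\S+)\s*\{[^}]*?hardware ethernet\s+([0-9a-fA-F:]+);[^}]*?fixed-address\s+([\d.]+);",
    re.S)


def reservations(conf: str):
    """(hostname, mac, ip) for every host block with both a MAC and a fixed address."""
    return [(name, mac.lower(), ip) for name, mac, ip in HOST_RE.findall(conf)]


def forward_rules(conf: str):
    """iptables-restore lines for the FORWARD chain: reserved IP+MAC pairs may reach the WAN,
    replies come back, everything else from the LAN is logged and falls to the DROP policy."""
    rules = [
        ":FORWARD DROP [0:0]",
        f"-A FORWARD -i {WAN} -o {LAN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for name, mac, ip in reservations(conf):
        rules.append(f"-A FORWARD -i {LAN} -o {WAN} -s {ip} -m mac --mac-source {mac} "
                     f"-m comment --comment \"{name}\" -j ACCEPT")
    rules.append(f"-A FORWARD -i {LAN} -o {WAN} -j LOG --log-prefix \"UNAUTH-HOST: \"")
    return rules


ACCEPT_RE = re.compile(r"-s (\S+) -m mac --mac-source (\S+) .*-j ACCEPT$")


def wan_allowed(rules, src_ip: str, src_mac: str) -> bool:
    """Replay the chain for one LAN->WAN packet: first ACCEPT that matches wins, else policy DROP."""
    for rule in rules:
        if not rule.startswith(f"-A FORWARD -i {LAN} -o {WAN}"):
            continue
        m = ACCEPT_RE.search(rule)
        if m and m.group(1) == src_ip and m.group(2) == src_mac.lower():
            return True
    return False


if __name__ == "__main__":
    rules = forward_rules(DHCPD_CONF)
    print("*filter")
    print("\n".join(rules))
    print("COMMIT")
    print("visitor, DHCP lease from the range:", wan_allowed(rules, "10.0.0.150", "de:ad:be:ef:00:01"))
    print("visitor, static 10.0.0.51, own MAC: ", wan_allowed(rules, "10.0.0.51", "de:ad:be:ef:00:01"))
    print("visitor cloning alice's IP and MAC: ", wan_allowed(rules, "10.0.0.51", "00:11:22:33:44:66"))
```

The printed block is in iptables-restore format (`*filter` ... `COMMIT`). The last case is the remaining hole: a visitor who clones both the IP and the MAC of an offline workstation still gets out, which is the limitation Not_Wiggins and nurb432 point to further down the thread, and why the LOG rule matters: the logged unknown hosts are what bring the rep at the VP's desk to the admin's attention in the first place.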

  8. Re:Perhaps a subnet just for non-assigned? by Dachannien · · Score: 2, Insightful

    Better yet, make the unregistered machine subnet able to access important security-related sites, like Windows Update and the corporate intranet site with antivirus and antispyware software downloads.

    (This is actually done relatively frequently, so I'm definitely not saying anything original here.)

  9. heh by Renraku · · Score: 2, Interesting

    I think I've heard it called 'treasure hunting' before. Especially at places with huge IT departments in the building that just can't seem to find some things that are taking a few IPs. Usually it ends up being a laptop in someone's bag hitting the internet, or a WAP in an abandoned office serving warez to someone in the building next door.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  10. A Simple Security Precaution by Ed+Almos · · Score: 4, Informative

    Unplug unused network points.

    Three months ago we had a security audit carried out by an external company. The first thing they did was find a couple of unused offices and plug their laptops into the network points. I'm glad to say that there was no result.

    If you want to take this further then use managed switches and assign each port in use to a specific MAC address. That way, if a 'visitor' pulls the plug on one of your computers and plugs their machine in, there will still be a nil result.

    Ed Almos
    Budapest, Hungary

    --
    The more corrupt the state, the more numerous the laws. - Tacitus, 56-120 A.D.
  11. Re:Company policy enforcement? by SpaceLifeForm · · Score: 2, Insightful
    If company policy mandates using Windows, well, you are going to have problems anyway.

    Plugging in other machines that are non-Windows is not likely to create nearly as many problems. The exception to that would be wifi that is not properly secured (default settings).

    It's the untrusted employee that is trying to subvert your networks that you have to worry about more than anything.

    And company policy will not stop that anyway.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  12. I had to start locking my house doors by Anonymous Coward · · Score: 4, Funny

    Apparently, kids drive around with laptops looking for open network closets. These fuckers plugged in a cat5e into my switch and started leeching bandwidth for all their friends. I've recommended that my neighbors start locking their doors and change keys often just in case. Also, if you notice any unexplained cat5 going out doors into the back yard, you should investigate.

    1. Re:I had to start locking my house doors by ettlz · · Score: 2, Funny
      These fuckers plugged in a cat5e into my switch and started leeching bandwidth for all their friends.

      Well how did these "fuckers" get in in the first place?

      Through the CAT-5e flap?

  13. Re:Wouldn't Static IP's limit the problem? by Not_Wiggins · · Score: 2, Informative

    If static IP's were used wouldn't it make 99% of the problem go away

    Short answer: no.

    Just having static IP addresses isn't enough. Actually, even the pseudo-static DHCP (via MAC address) is "good enough" but also vulnerable to exploit by manually setting the MAC address of the alien network interface to one that is allowed to get an IP (there's more complexity to doing that, but suffice it to say it can be done).

    To answer your question: if your network relies solely on the IP address on some guy's workstation to identify it as "his," then you've opened yourself up to more problems than him hooking up his Xbox or internet-enabled coffee maker.
    What do you do when he brings his virus-laden laptop into the office BEHIND your firewalls and plugs it in?

    These problems won't be solved either until you have hardware authenticated connectivity (no reassignable MAC possible in the hardware) or everything is locked down via a different auth mechanism... like utilizing a VPN.

    --
    Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
  14. Do some mapping before it is too late by pe1chl · · Score: 2, Interesting

    For many years, I have been running some simple scripts on a machine on the network that regularly read out switch MAC tables using SNMP. I also read router ARP tables this way.
    The result can be read from a webserver. IP address, MAC address, switchport and hostname are all conveniently grouped on a line.
    Knowing which switchport it is on and looking in the patch cabinet, I know which wall socket a suspicious device is on, and a chart on the wall shows me which room it is in.

    Of course the routers have access lists so invalid network addresses aren't routed, and the DHCP server checks whether a hostname conforms to the company convention before assigning an address.
    Plugging in your home laptop yields you an alarm, not an address.
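
An added example (not pe1chl's scripts) of the correlation described above: it joins a switch's forwarding table (BRIDGE-MIB dot1dTpFdbPort) with a router's ARP table (IP-MIB ipNetToMediaPhysAddress) and a MAC registry, and reports IP, MAC, switchport, patch-panel socket and hostname on one line, flagging anything unregistered. The walk output, the registry and the port-to-room chart are constructed stand-ins in net-snmp's default text format; in practice the two strings would come from `snmpwalk` against the switch and the router.

```python
import re

# Constructed stand-in for `snmpwalk -v2c -c <community> <switch> BRIDGE-MIB::dot1dTpFdbPort`
# in net-snmp's default output: the six decimal octets after the OID name are the MAC.
FDB_WALK = """\
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.85 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.102 = INTEGER: 7
BRIDGE-MIB::dot1dTpFdbPort.222.173.190.239.0.1 = INTEGER: 12
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.119 = INTEGER: 24
"""

# Constructed stand-in for `snmpwalk ... <router> IP-MIB::ipNetToMediaPhysAddress`
# (index is ifIndex.ip; net-snmp prints the MAC octets without zero padding).
ARP_WALK = """\
IP-MIB::ipNetToMediaPhysAddress.2.10.0.0.50 = STRING: 0:11:22:33:44:55
IP-MIB::ipNetToMediaPhysAddress.2.10.0.0.51 = STRING: 0:11:22:33:44:66
IP-MIB::ipNetToMediaPhysAddress.2.10.0.0.77 = STRING: de:ad:be:ef:0:1
"""

# Assumed registry of approved MACs and the patch-cabinet chart (switchport -> socket, room).
REGISTRY = {
    "00:11:22:33:44:55": "fileserver",
    "00:11:22:33:44:66": "alice-pc",
    "00:11:22:33:44:77": "printer-2f",
}
PATCH_PANEL = {3: ("A-03", "server room"), 7: ("B-12", "room 212"),
               12: ("B-15", "room 215"), 24: ("C-01", "2nd floor corridor")}

FDB_RE = re.compile(r"dot1dTpFdbPort\.(\d+(?:\.\d+){5}) = INTEGER: (\d+)")
ARP_RE = re.compile(r"ipNetToMediaPhysAddress\.\d+\.(\d+\.\d+\.\d+\.\d+) = STRING: ([0-9a-fA-F:]+)")


def mac_from_index(idx: str) -> str:
    """'0.17.34.51.68.85' -> '00:11:22:33:44:55'."""
    return ":".join(f"{int(o):02x}" for o in idx.split("."))


def normalise_mac(text: str) -> str:
    """'0:11:22:33:44:55' or 'DE:AD:BE:EF:0:1' -> zero-padded lowercase form."""
    return ":".join(f"{int(p, 16):02x}" for p in text.split(":"))


def build_inventory(fdb_walk, arp_walk, registry, patch_panel):
    """One row per MAC seen on the switch or in the ARP table: ip, mac, port, socket, room, hostname."""
    ports = {mac_from_index(m.group(1)): int(m.group(2)) for m in FDB_RE.finditer(fdb_walk)}
    ips = {normalise_mac(m.group(2)): m.group(1) for m in ARP_RE.finditer(arp_walk)}
    rows = []
    for mac in sorted(set(ports) | set(ips), key=lambda m: ports.get(m, 0)):
        port = ports.get(mac)
        socket, room = patch_panel.get(port, ("?", "?"))
        rows.append({"ip": ips.get(mac, "-"), "mac": mac, "port": port,
                     "socket": socket, "room": room, "hostname": registry.get(mac)})
    return rows


def unknown_devices(rows):
    """Rows whose MAC is not in the registry: these are the ones to go and find."""
    return [r for r in rows if r["hostname"] is None]


if __name__ == "__main__":
    for r in build_inventory(FDB_WALK, ARP_WALK, REGISTRY, PATCH_PANEL):
        print(f"{r['ip']:<12} {r['mac']}  port {r['port']!s:>3}  {r['socket']:<5} {r['room']:<18} "
              f"{r['hostname'] or 'UNKNOWN - ALARM'}")
```

In the sample the unregistered device lands on port 12, socket B-15, room 215, which is what turns a MAC address into somewhere to walk to. The table cannot tell you when someone clones a registered MAC; for that, the same MAC showing up on two switchports, or an IP/MAC pair that disagrees with the DHCP reservation, is the thing to watch for.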

  15. This article is brought to you by Cisco(TM)... by presarioD · · Score: 2, Insightful

    how wonderfully clandestine public PR industry operations are nowadays:

    For more information on CDP, visit http://cisco.com/en/US/tech/tk648/tk362/tk100/tech_protocol_home.html

    Hmmmmmmmm... and the ./ editors will be the first ones to bite.

    --
    Yam, yam, uga booga, yam, yam, yade, yade, uga booga, yam, yam, yade, yade
  16. Re:Welcome to Slashdot. Home of the insensitive cl by bjelkeman · · Score: 2, Funny

    You see, it is like a network security guild. If you don't know everything about network security then you shouldn't be allowed to learn anything more about network security.

    Clearly this is a very effective way to improve the security on the networks around the world... ah, pardon the pun, I mean the Job Security for our dear paid up members of the Network Security Guild.

    --
    Akvo.org - the open source for water and sanitation
  17. Sometimes, DHCP sucks by lightyear4 · · Score: 2, Interesting

    'What's On Your Network?' is a good question that should have been asked of the resnet techs at my university. Getting on the school network is automated for all computers with a browser, but other hardware-based network equipment must have its MAC registered manually. Needless to say, resnet doesn't actually enjoy it. One time, some moron plugged the ethernet cable from the wall into a LAN jack rather than the WAN. Kids' computers were sending DHCP requests out, receiving two responses, and dragging the entire network down. The complaint calls rained down upon tech support, and network techs had to go through dorm after dorm, checking every single room. And you thought DHCP made everything easier.
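
The two-responses failure above, and flinxmeister's "throw a DHCP server out there and see who gets configured" trick earlier in the thread, both come down to looking at who is sending DHCP OFFER/ACK messages and who is sending DISCOVERs. The following is an added example, not code from the article or from either poster: a minimal DHCP message parser over raw BOOTP payloads (the sample packets are constructed by the same script) that reports any server identifier (option 54) not in an assumed allowlist, and lists the client MACs seen asking for an address.

```python
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# Assumed allowlist: the one DHCP server that is supposed to answer on this segment.
AUTHORISED_SERVERS = {"10.0.0.1"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV options of one DHCP message (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = ".".join(str(b) for b in payload[16:20])             # address being offered
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])  # client hardware address
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg = {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": opts}
    mtype = opts.get(53) or b"\x00"
    msg["type"] = MSG_TYPES.get(mtype[0], "UNKNOWN")
    if len(opts.get(54, b"")) == 4:
        msg["server_id"] = ".".join(str(b) for b in opts[54])
    return msg


def rogue_servers(packets) -> dict:
    """Map each unauthorised server identifier to the transaction IDs it answered."""
    answered = defaultdict(set)
    for raw in packets:
        try:
            m = parse_dhcp(raw)
        except ValueError:
            continue
        if m["op"] == 2 and m["type"] in ("OFFER", "ACK") and "server_id" in m:
            answered[m["server_id"]].add(m["xid"])
    return {s: sorted(x) for s, x in answered.items() if s not in AUTHORISED_SERVERS}


def discovering_clients(packets) -> set:
    """Client MACs that sent a DISCOVER: what a deliberately planted DHCP server would 'find'."""
    macs = set()
    for raw in packets:
        try:
            m = parse_dhcp(raw)
        except ValueError:
            continue
        if m["op"] == 1 and m["type"] == "DISCOVER":
            macs.add(m["chaddr"])
    return macs


def build_dhcp(op, xid, mac, yiaddr, msg_type, server_id=None) -> bytes:
    """Assemble a minimal DHCP message; used only to construct sample traffic for this example."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)    # op, htype=ethernet, hlen=6, hops, xid, secs, flags
    hdr += bytes(4)                                           # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))           # yiaddr
    hdr += bytes(8)                                           # siaddr, giaddr
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10)    # chaddr padded to 16 bytes
    hdr += bytes(192)                                         # sname + file
    opts = DHCP_MAGIC + bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + bytes(int(o) for o in server_id.split("."))
    return hdr + opts + b"\xff"


# Constructed sample: one laptop asks, the real server and a home router plugged in LAN-side both answer.
SAMPLE = [
    build_dhcp(1, 0x1234, "aa:bb:cc:dd:ee:01", "0.0.0.0", 1),
    build_dhcp(2, 0x1234, "aa:bb:cc:dd:ee:01", "10.0.0.50", 2, "10.0.0.1"),
    build_dhcp(2, 0x1234, "aa:bb:cc:dd:ee:01", "192.168.1.100", 2, "192.168.1.1"),
    build_dhcp(2, 0x5678, "aa:bb:cc:dd:ee:02", "192.168.1.101", 5, "192.168.1.1"),
    build_dhcp(1, 0x9abc, "00:40:96:00:00:07", "0.0.0.0", 1),   # a forgotten print server waking up
]

if __name__ == "__main__":
    for server, xids in rogue_servers(SAMPLE).items():
        print(f"rogue DHCP server {server} answered xid {[hex(x) for x in xids]}")
    print("clients asking for an address:", sorted(discovering_clients(SAMPLE)))
```

On a live network the payloads would come from a capture of UDP port 67/68 (tcpdump's `-s 0 udp port 67 or 68` is enough, since the parser only needs the DHCP payload); the same script then answers both questions at once: which box besides the real server is handing out addresses, and which long-forgotten devices are still asking for one.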

  18. Porn Sites hurt Feelings. by ebooher · · Score: 4, Insightful

    Could someone please tell me why employees browsing porn sites is such a big fucking deal? How is it different than employees browsing /.?

    IT security people at corporations are becoming porno hunters. Be proud, guys.

    You apparently do not live in the U.S. You see, here we have these things called laws that are written and voted upon by hairless monkeys that are given offices by people that can't be bothered to read and vote on these "laws" themselves.

    Some of these "laws" revolve around personal opinion and human emotions known as "feelings." They state that if you do something that hurts someone else's "feelings" you will go to jail and have to give them a lot of money.

    This has caused a rash outbreak of people "sniping", or hiding out in bushes that sometimes decorate offices and awaiting an unsuspecting employee to briefly brush past a site holding pornographic material. Google.com is a good example. In this instance they leap from the previously hidden sniping bush and proclaim that the barest hint of an unclothed nipple has hurt their "feelings".

    This results in a winning lawsuit in which the unknowing employee receives a new boyfriend at the same time that he is given to the sniper as a money slave for the rest of his life. Sometimes it even results in the closing of an entire company and results in a rise in unemployment which these people called "taxpayers" really have something against.

    A couple of years ago something that looked almost like a nipple, but clearly wasn't, caused a major change in the entire U.S. broadcasting industry because of all the people whose "feelings" the wardrobe malfunction had caused to be hurt.

    This has caused companies to be very careful about keeping anything that could possibly hurt "feelings" out of their offices and off of their computers. Where I work, we usually just leave the computers turned off ....

    --
    "Genius may shine aloof and alone, like a star, but goodness is social, and it takes two men and God to make a Brother."
  19. Whats on my network? by jesser · · Score: 2, Informative

    I'm pretty sure there are no Whats on my network.

    --
    The shareholder is always right.
  20. Re:Company policy enforcement? by einhverfr · · Score: 3, Informative

    FUD. A Unix machine running NFS is an automatic security problem.

    FUD. NFS has its uses. Just don't let untrusted (i.e. generally used desktops, etc) have direct access to it.

    The better solution is to use NFS as a fast setup for sharing disk space between a number of servers (say, for load balanced web servers running CPU-bound scripts) and read-only NFS for home directories with read-write AFS subdirectories (via symlinks?) used for anything important (things have to be done this way because AFS cannot be accessed during the login process due to credential issues).

    NFS is not an *automatic* security problem. It is just a *likely* security problem.

    --

    LedgerSMB: Open source Accounting/ERP
  21. Re:Perhaps a subnet just for non-assigned? by AlistairGroves · · Score: 2, Informative

    We do this on our home (5 guys at uni) network - whenever someone comes along and plugs something in they can access HTTP through our proxy but that's it. It's not hard to get around, but for our use it does the job.

  22. Time to fire up... by mav[LAG] · · Score: 2, Funny

    ..the BOFH excuse server. The random answer it gave me was singularly appropriate although unhelpfully honest:

    your excuse: because of network lag due to too many people playing deathmatch

    --
    --- Hot Shot City is particularly good.
  23. Ummm... by eno2001 · · Score: 2

    ...wrong audience here. Most /. readers are operating home networks. Very few of them actually have real network related jobs. They might work help desk, or be in IT management. But real network jocks have very little to do with Slashdot.

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  24. Security starts at the closet by nurb432 · · Score: 2, Insightful

    The very first thing you do is make sure you have no live ports just 'lying around'. If you don't have a person at a desk, its jack gets unpatched (or turned off at the switch).

    Secondly, you tie MAC addresses to specific ports on your switches, to help prevent people moving around without your knowledge. It also slows down people from casually swapping their company-owned PC for a personal laptop. However, unlike the good old days, it won't slow down those damned wifi boxes since they can clone MAC addresses easily.. But it's at least a start.

    --
    ---- Booth was a patriot ----