[c-nsp] Good way of finding unauthorized network elements/

Scott Granados gsgranados at comcast.net
Fri Oct 30 15:16:33 EDT 2009


Hi Mike, these are great ideas.  Unfortunately, my biggest problem is the 
folks who had my job before me didn't believe in things like best practices 
or researching something before they set it up so I am spending a good deal 
of time trying to undo the work done before me.  I plan on having our IT 
department do a little gathering and grab all the MAC addresses of the 
devices that users have (laptops etc.).  Then enabling port security so 
folks will only be able to connect to their ports.


I'm going to go look for ports learning more than one MAC at a time though, 
that sounds like a good way to go.


Thanks for the pointers!

----- Original Message ----- 
From: "Mike" <mike-ciscpnsplist at tiedyenetworks.com>
To: "Scott Granados" <gsgranados at comcast.net>
Cc: <cisco-nsp at puck.nether.net>
Sent: Friday, October 30, 2009 12:07 PM
Subject: Re: [c-nsp] Good way of finding unauthorized network elements/


>
> Hi Scott,
>
>    Well, teaching users to fear you thru the use of random outages to the 
> unauthorized device and redirection to captive portals telling them you 
> know, are some favored BOFH techniques....<grin>
>
>    Some realistic strategies you could engage include:
>   Shutting down all ports that are not marked as 'in use' by you (if you 
> know what is where), and establishing a 'deny by default' policy so that 
> nobody, not even the company president, can plug anything in anywhere 
> without first contacting you and telling you what they need. This stops 
> dead cold the clod with the linksys thinking he'll put it in the unused 
> cubicle next to him. You also could proactively disable ports that are 
> 'down' for more than 2 weeks on the basis of a move or change, so that it 
> has to be requested to be enabled again.
>   Auditing the network looking for non-trunk ports that have more than 1 
> mac address. You will find users who have little networks in their cubicle 
> for convenience reasons, and others (the problem users) who have a wireless 
> AP bridging to your corporate lan this way.
>
>    If you have a lan segment that is particularly vulnerable, you could 
> also consider firewalling it off so that users need to use VPN connections.
>
>    Just some ideas.
>
> Mike
>
> Scott Granados wrote:
>> Hi all
>> I have a general question.  I have a network consisting of about 20 
>> access switches and 2 core switches.  We have 3 access points that we 
>> manage but think someone might have brought in a linksys or DLink 
>> consumer device and plugged in.  (users, can't live with em, can't shoot 
>> em)
>> Is there a tool or good method that could scan the arp table and look for 
>> Manufacturer ID bits so I could see roughly what's attached where?  Are 
>> there better tools in general or better methods of finding rogue elements 
>> that people may attach?
>> Any pointers would be appreciated.
>>
>> Thanks
>> Scott
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
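A defender-side starting point for the two checks discussed above, the "non-trunk ports learning more than one MAC" audit Mike suggests and the manufacturer-ID (OUI) lookup Scott asks about, added here as an example and not code from either poster. It assumes Cisco IOS `show mac address-table` output (a constructed sample is embedded), an assumed trunk-port list, and a placeholder OUI map that you would replace with prefixes from the IEEE OUI registry.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS "show mac address-table" output (not real data).
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/2
  10    aabb.cc00.0001    DYNAMIC     Gi1/0/2
  10    aabb.cc00.0002    DYNAMIC     Gi1/0/2
  20    0011.2233.9999    DYNAMIC     Gi1/0/24
  20    0011.2233.8888    DYNAMIC     Gi1/0/24
"""

# Assumed: ports that are legitimately trunks/uplinks, taken from your own config.
TRUNK_PORTS = {"Gi1/0/24"}

# Placeholder OUI -> vendor map; replace with entries from the IEEE OUI registry.
OUI_VENDOR = {"aabbcc": "ConsumerAP-Vendor (placeholder)"}

# One table row: VLAN, dotted-hex MAC, entry type, port name.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)

def parse_mac_table(text):
    """Yield (vlan, mac, port); MAC normalised to 12 lowercase hex digits."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2).replace(".", "").lower(), m.group(4)

def find_suspect_ports(text, trunks=TRUNK_PORTS, oui_map=OUI_VENDOR):
    """Return {port: {"macs": [...], "vendors": [...]}} for non-trunk ports
    that have learned more than one MAC, tagging any recognised OUIs."""
    by_port = defaultdict(list)
    for _vlan, mac, port in parse_mac_table(text):
        by_port[port].append(mac)
    suspects = {}
    for port, macs in by_port.items():
        if port in trunks or len(macs) < 2:
            continue
        vendors = sorted({oui_map[m[:6]] for m in macs if m[:6] in oui_map})
        suspects[port] = {"macs": macs, "vendors": vendors}
    return suspects

if __name__ == "__main__":
    for port, info in find_suspect_ports(SAMPLE).items():
        print(port, len(info["macs"]), "MACs", info["vendors"] or "unknown vendor")
```

Feed it the real table output from each access switch and cross-check the flagged ports against the "in use" list before disabling anything.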