Re: IP address conflicts / locating

[David LaPorte <david_laporte () HARVARD EDU>]

Well, I wasn't going to plug it (being a co-developer and all), but
since Tristan brought it up... :)

PacketFence provides several passive mechanisms to track IP/MAC
addresses and potentially determine the physical location and/or OS
type.  Using ARP and DHCP broadcasts, it maintains a table of IP->MAC
mappings (similar to arpwatch) that can be used, in conjuction with MAC
registration, for DMCA resolution.  It utilizes DHCP option-82 data (if
injected by access switches) to determine switchport/vlan and can
determine OS type based on the DHCP option "fingerprint" of the request.
 We have some heuristics in there to detect static IP assignments as well.

PacketFence is open-source and available at:

http://www.packetfence.org

David

--
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
-----------------------------------------------
Email: david_laporte () harvard edu
  PGP: 0x4DC3E508
       4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508


Tristan RHODES wrote:
> I also recommend looking at Nedi (Network Discovery Suite -
> http://nedi.web.psi.ch/ ) which is very similar to Netdisco.   (They
> are both great applications)
>
> If you want something that has similar functionality to Cisco
> CleanAccess, take a look at PacketFence ( http://www.packetfence.org/ )
> which can perform registration, detection, and remediation.
>
> Tristan Rhodes
> Weber State University
>
> > > > grinnell () AMERICAN EDU 12/16/05 9:13 AM >>>
> I would take a look at NetDisco (http://netdisco.org/).  If it's not
> compatible with your infrastructure, it might at least point you in
> the right direction.  I would also agree with a later response, DHCP
> is a best practice for managing large and small networks easily.  It
> won't stop the odd IP address conflict, but it will minimize them.
> Regardless of whether you use DHCP or statically assign, you may also
>
> want to at least evaluate an IP address management system, or roll
> your own to keep track of static assignments, DHCP ranges, etc.
>
> Michael Grinnell
> Network Security Administrator
> The American University
> e-mail: grinnell () american edu
>
>
> On Dec 15, 2005, at 8:07 PM, David Gillett wrote:
>
> >   It's going to depend largely on the equipment you use.  We're
> > able to do this with most of our current gear (although it's
> terribly
> > SLOW) because the switches also do layer 3 routing; on the old
> > layer 2 only Cisco switches I used to work with, clients could
> > only be located by MAC address and not IP.  (Searching by MAC
> > address is slower than by IP address with the new gear, but more
> > reliable for unknown reasons.)
> >   Matching switch port numbers to jack locations depends on you
> > documenting how the switches are wired to the patch panels.
> >
> >   A technique I've found useful, especially when rogue devices just
> > hop to another jack, is to create a "black hole" VLAN and assign the
> > rogue's MAC address to that VLAN.  Somehow, jacks that work for
> others
> > stop working when they plug in....  Eventually, they either call for
> > support or conclude that their NIC is broken.
> >
> > David Gillett
> >
> >
> >
> > > -----Original Message-----
> > > From: Kevin Shalla [mailto:kshalla () UIC EDU]
> > > Sent: Thursday, December 15, 2005 3:55 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: [SECURITY] IP address conflicts / locating
> > >
> > > At our school, all our IPs are public and statically
> > > assigned.  Because we're a large school, and IP management is
> > > decentralized, we often have IP address conflicts.  Our
> > > resolution procedure is to call the network group which
> > > filters that IP address.  Then we wait until the perpetrator
> > > calls the network group to say that the network isn't
> > > working.  Then the perpetrator is told to use a different
> > > address, and the original computer can have that IP address
> > > back.  This can work when people are merely making mistakes,
> > > however we're noticing rogue servers being installed, and
> > > when they get filtered, they simply move on to another address.
> > >
> > > I've asked if we can get a tool which will take as input the
> > > IP address, and give the switch port where this IP is active,
> > > identify where this switch is, and further identify to which
> > > building and room that port connects.  Do other schools have
> > > this ability, or am I asking for too much?