Educause Security Discussion mailing list archives

Re: 10-space is L..A..R..G..E (was Re: Large edu's doing NAT campus wide?)


From: Glenn Forbes Fleming Larratt <gl89 () CORNELL EDU>
Date: Mon, 30 Apr 2007 10:52:24 -0400


I can't speak to Buz' suggestion and other layer 3 issues.

It's not clear to me that a connected host can function effectively
without an ARP entry for it in the router, unless it's a really clever
malcontent who's compromised another host on the same subnet and
can work through that compromised host. Polling the ARP tables satisfies
the "80" component of 80-20, at least - probably more like 99.n% of
devices of any sort on your networks can be detected this way.

Your polling logic will probably need a little bit of intelligence to
detect, for example, someone running a tarpit, lest you be tricked
into scanning your entire /8 anyway.

I set up an ARP history recording package at a previous place of employ
that got excellent data by polling every three hours. At my current
place of employ, they poll the routers every 10 minutes for the same
purpose. Cisco gear, to the best of my recollection, caches ARP table
entries for four hours in its out-of-the-box configuration, and it's
rare in my experience to need to change that facet of its operation.

I have had the experience with other vendors' gear that it caches ARP
entries for non-local IPs - i.e.

   downstream i/f,downstream IP,downstream MAC
    :{remainder of inside IPs and MACs}
    :
    :
   upstream i/f,www.google.com,inside MAC from border router
   upstream i/f,www.yahoo.com,inside MAC from border router
   upstream i/f,www.facebook.com,inside MAC from border router
   upstream i/f,www.imdb.com,inside MAC from border router
   upstream i/f,www.cisco.com,inside MAC from border router
   upstream i/f,www.comics.com,inside MAC from border router
   upstream i/f,www.playboy.com,inside MAC from border router
     {etc.}

        -g

--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
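Added example (my own sketch, not code from Glenn, Cornell or the list): the polling logic described above in Python, assuming a Cisco-style "show ip arp" text dump and a hypothetical interface-to-prefix map. It drops cached entries that are not local to the interface (the upstream i/f case) and sets aside any MAC that answers for an unusual number of addresses, the tarpit case, so the remaining entries are the hosts worth scanning.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of a Cisco IOS "show ip arp" dump (not real data).
# Vlan20 contains 20 addresses that all answer with one MAC: a tarpit-like pattern.
SAMPLE_ARP = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.4455  ARPA   Vlan10
Internet  10.1.1.20              12   0011.2233.aabb  ARPA   Vlan10
Internet  10.1.1.21               3   0011.2233.aabc  ARPA   Vlan10
Internet  10.1.1.33               8   0011.2233.aabd  ARPA   Vlan10
Internet  64.233.160.1            5   00aa.bbcc.ddee  ARPA   Vlan1
""" + "".join(
    f"Internet  10.1.2.{i:<15} 2   0000.0fff.ffff  ARPA   Vlan20\n" for i in range(5, 25)
)

# Hypothetical map of router interfaces to the prefixes actually assigned on them.
# Vlan1 is deliberately absent: it stands in for the upstream interface.
LOCAL_PREFIXES = {
    "Vlan10": ipaddress.ip_network("10.1.1.0/24"),
    "Vlan20": ipaddress.ip_network("10.1.2.0/24"),
}

LINE_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f.]{14})\s+ARPA\s+(\S+)")


def parse_arp(text):
    """Yield (ip, mac, interface) for each ARP entry line, skipping the header."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), m.group(3), m.group(4)


def scan_targets(text, prefixes=LOCAL_PREFIXES, max_ips_per_mac=8):
    """Return (targets, suspicious): live addresses worth scanning, and MACs that
    answer for so many IPs that they look like a tarpit rather than real hosts."""
    by_mac = defaultdict(list)
    for ip, mac, iface in parse_arp(text):
        net = prefixes.get(iface)
        if net is None or ip not in net:
            continue  # cached non-local entry (e.g. via upstream i/f): not a host here
    # A single MAC claiming many addresses on one subnet is the tarpit signature.
        by_mac[mac].append(ip)
    suspicious = {mac for mac, ips in by_mac.items() if len(ips) > max_ips_per_mac}
    targets = sorted(ip for mac, ips in by_mac.items() if mac not in suspicious for ip in ips)
    return targets, suspicious
```

Feeding the same parser a dump every few hours and keeping the (ip, mac, interface) tuples gives the ARP history described above; the threshold is a tuning knob, not a fixed fact about tarpits.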

On Mon, 30 Apr 2007, Clifford Collins wrote:

Doesn't this assume that our routers are configured correctly and that
there are no bugs in the vendor's routing code that would allow
exploitation? I don't want to appear overly paranoid but, as the
"security guy" I'm expected to deal with an imperfect world.

I would rather find a way to actively route all traffic from the
unassigned subnets to something I can use to detect the presence of
rogue devices. Then, with something like Nmap's address spoofing
feature, verify that it's all working as designed. I generate a lot less
traffic and avoid having to periodically walk 16 million "empty"
addresses. Or am I kidding myself?

And in response to a suggestion by Justin Azoff, are all of you out
there satisfied with the veracity of ARP table dumps to look for rogues?
How frequently is enough to catch a rogue without getting your network
engineer torqued off about your constant queries?

Clifford A. Collins
Network Security Administrator
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"

Buz Dale <buz.dale () USG EDU> 4/30/2007 10:04 AM >>>
Maybe instead of using the whole 10.0.0.0 you only route the smaller
class "c"s that are assigned.  Then you could drop anything to or from
the address ranges that aren't assigned.
Luck,
Buz


On 4/30/07, Glenn Forbes Fleming Larratt <gl89 () cornell edu> wrote:

Might you optimize your process by polling your router infrastructure
for live ARP entries, and only scanning those?

--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
