IDS mailing list archives
Re: Scan for "outsider" Pcs on network
From: "Eagle Fire" <tlecuauhtli () googlemail com>
Date: Fri, 17 Mar 2006 15:51:07 +0000
Yes, but the hub must be deployed by someone who has a username and password to connect to your network. It is like you won't use keylocks in the door just because someone can lend the key to someone not authorized. So for me, wireless and wired is the same.

-tlecu

On 15/03/06, auto62996 () hushmail com <auto62996 () hushmail com> wrote:
802.1X works quite well in a wireless environment where there is continual authentication of the client but it can be subverted on a wired LAN simply by using a $10 hub. Attaching a legitimate device to the hub will keep the switch port open and allow anything else you connect to the hub to access the LAN.

-----Original Message-----
From: Eagle Fire [mailto:tlecuauhtli () googlemail com]
Sent: 13 March 2006 10:06
To: focus-ids () securityfocus com
Subject: Re: Scan for "outsider" Pcs on network

Could 802.1X be an alternative? Probably hard to deploy, switches and wireless AP with the feature and some OS challenges but it may be a solution.

-tlecu

On 09/03/06, Ron Gula <rgula () tenablesecurity com> wrote:

At 05:15 AM 3/6/2006, Mircea MITU wrote:

On Thu, 2006-03-02 at 23:47 +0000, dhamm () jackofallgames com wrote:

Is there a way to set up a scan and be notified of an intruding pc that is physically plugged into the network?

Sure, use arpwatch.

Actually, this will find "new" hosts all the time with little discrimination between a new valid laptop on the LAN and a visiting consultant in the conference room.

A lot of SIMs have the ability to process log files (such as those of arpwatch or the dhcp logs of a Windows server) and identify the MAC address. If you can recognize a "new" MAC address and also associate it with something interesting like "the conference room" or "the server farm" you can specify different levels of alerting or logging.

An example of this is here in one of Tenable's TASL event correlation rules:

http://cgi.tenablesecurity.com/tasl/new_mac.tasl

The particular script is simple in that it just alerts on a new MAC addr. Different scripts could consume output of this script and have 2nd order alerts depending on the location of the IP address issued, the type of MAC, etc.

Ron Gula, CTO
Tenable Network Security
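The idea in Ron Gula's quoted message (alert on a new MAC, then set the alert level by where the address sits), as an added Python example that is not part of the thread and is not Tenable's TASL rule. The "new station" log wording, the subnet-to-location map, the inventory and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Assumed arpwatch syslog wording: "new station <ip> <mac>"; adjust to your version.
NEW_STATION = re.compile(r"arpwatch: new station (\S+) ([0-9a-fA-F:]+)")

# Hypothetical subnet-to-location map with an alert level per location.
LOCATIONS = [
    (ipaddress.ip_network("10.1.20.0/24"), "server farm", "critical"),
    (ipaddress.ip_network("10.1.30.0/24"), "conference room", "info"),
]
DEFAULT = ("unmapped segment", "warning")

KNOWN_INVENTORY = ["00:0A:0B:0C:0D:0E"]  # constructed asset list
SAMPLE = [  # constructed log lines
    "Mar  9 10:02:11 ids arpwatch: new station 10.1.30.57 0:11:22:33:44:55",
    "Mar  9 10:05:40 ids arpwatch: new station 10.1.20.14 00:aa:bb:cc:dd:01",
    "Mar  9 10:06:02 ids arpwatch: flip flop 10.1.20.9 0:aa:bb:cc:dd:2",
    "Mar  9 10:07:19 ids arpwatch: new station 10.1.30.60 0:a:b:c:d:e",
    "Mar  9 10:09:00 ids arpwatch: new station 192.168.77.3 0:de:ad:be:ef:1",
]

def normalize_mac(mac):
    """Pad octets logged without leading zeros (0:a:b:...) so comparisons match."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def classify(lines, known_macs):
    """Return (mac, ip, location, level) for each new MAC not in the inventory."""
    known = {normalize_mac(m) for m in known_macs}
    alerts = []
    for line in lines:
        m = NEW_STATION.search(line)
        if not m:
            continue  # other arpwatch events are out of scope here
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address field
        mac = normalize_mac(m.group(2))
        if mac in known:
            continue
        location, level = next(
            ((loc, lvl) for net, loc, lvl in LOCATIONS if ip in net), DEFAULT)
        alerts.append((mac, str(ip), location, level))
        known.add(mac)  # alert once per MAC
    return alerts

if __name__ == "__main__":
    for alert in classify(SAMPLE, KNOWN_INVENTORY):
        print(alert)
```
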