Re: how to bypass rouge machine detection techniques

[Gaurav Kumar <gkverma () gmail com>]

thanks a lot everybody.

now i am just wondering if the detection technique can be integrated
at the switch level. for example, one software can connect to switch
via ssh, and collect the ipaddress information of the machine trying
to plug in to the network, as soon as we detect this machine, we can
connect to it to test whether its a part of trusted domain/network or
not.

i think even if a box is in stealth mode, we can still detect it if we
use our detection mechanism at switch level itself.

plz comment.

regards,
gaurav

On 7/11/05, Paul Melson <pmelson () gmail com> wrote:
> MAC addresses are easily sniffed, spoofed, and exploited in lots of nifty
> ways (see: ARP poisoning/routing).  The ubiquitous nature of ARP/RARP
> broadcasts and the seemingly unique nature of MAC addresses makes them an
> obvious means of attempting this type of detection, but these attempts are
> trivially defeated - it can be done with pretty much any laptop and a Linux
> boot CD.
>
> I'm not saying it's not worth doing - presumptuous contractors, bad
> employees, the generally clueless and their laptops all pose a risk to your
> network.  These people will likely be detected via this method and can be
> dealt with, hopefully before they spread worms and other crap.
>
> One correct solution to this problem is to authenticate users and devices
> before they connect to the network.  Whereas this method attempts to
> identify devices or users after they have connected.
>
> PaulM
>
>
> -----Original Message-----
> Subject: [Full-disclosure] how to bypass rouge machine detection techniques
>
> Friends,
>
> There are several techniques available for detecting rouge (not being a
> member of trusted domain) machines, such as active scanning, active
> directory querying etc, but I guess most powerful being the one used by
> epolicy orchestrator. Its agents (deployed on each subnet) checks for L2
> broadcasts like Arp broadcast etc. After detecting a broadcast, it used the
> mac address and ip address to proceed further to detect whether the machine
> is rouge or not.
>
> http://www.networkassociates.com/us/local_content/white_papers/wp_epo3_5_rsd
> whitepaper_july2004.pdf
>
> I was wondering if this approach is foolproof and can be safely deployed or
> if there is a way to bypass it?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/