25th April 2007, 08:34 AM #1
Rogue Devices
I'm not after any institution's security secrets, just a 'you might want to look at...' sort of answer. Our resident 'power user' amongst the staff recently plugged in a machine of his own onto the network here and caused multiple duplicate IP warnings all over the place. This has led to a senior bod querying the 'security' of our network vis a vis 'rogue devices'. So, how do other places deal with this particular nugget? Managed switches tied to MAC addresses? Encrypting all network traffic? Is there a 'keep the senior bod happy' box I could buy and plug into the network? Any advice very gratefully received, as usual.
-
-
25th April 2007, 08:37 AM #2 Re: Rogue Devices
If your switches support it, you could do 802.1x authentication of your clients; this would prevent someone with their own laptop getting access.
Or just have the person disciplined for it.
Ben
-
-
25th April 2007, 08:55 AM #3 Re: Rogue Devices
You can detect, isolate and disconnect devices based on policies with packetfence. I've posted in a number of threads about it. A forum search should reveal all; however, here's the main post I made.
http://www.edugeek.net/index.php?nam...ewtopic&t=7650
Also you should read the Registration and Remediation primer to get a full overview of what it can do and how it can do it.
http://www.packetfence.org/dokuwiki/...diation_primer
-
-
25th April 2007, 09:13 AM #4 Re: Rogue Devices
I've reserved all IPs which we're not using in DHCP, so devices fail to connect to the network. It doesn't help if people have manually configured IPs which happen to fall in our range, but it's better than nothing.
You could look at RADIUS, which basically does a MAC address check on any connected client; some managed switches can do this too.
-
-
25th April 2007, 09:24 AM #5
Re: Rogue Devices
Thanks for the prompt replies! 802.1x was another possibility but the Microsoft site mentions quite a glaring vulnerability in that, apparently, you can plug a hub between an acceptable machine and the network which then gets authenticated, allowing anything on which plugs into that hub.
Obviously nothing's going to be 100%, I suppose it depends on how 'risk averse' your senior bod is! Anyway, will investigate packetfence and thanks once again for the replies. Any more very gratefully received!
-
-
25th April 2007, 09:37 AM #6 Re: Rogue Devices
Exclusive DHCP Reservations (100% of DHCP PC IP addresses entered as static reservations) is the quickest, easiest way I believe, although not _really_ secure, it may do what you need. The reservations are tied to MAC addresses, so just having a matching IP doesn't get you connected.
-
-
25th April 2007, 09:46 AM #7 Re: Rogue Devices
As well as connecting a hub in the way, they have to set their rogue machine to have the same MAC and IP addresses as the authenticated one.
Ben
-
-
25th April 2007, 10:28 AM #8 Re: Rogue Devices

Originally Posted by palmer_eldritch
Thanks for the prompt replies! 802.1x was another possibility but the Microsoft site mentions quite a glaring vulnerability in that, apparently, you can plug a hub between an acceptable machine and the network which then gets authenticated, allowing anything on which plugs into that hub.
Obviously nothing's going to be 100%, I suppose it depends on how 'risk averse' your senior bod is! Anyway, will investigate packetfence and thanks once again for the replies. Any more very gratefully received!

Not if you don't allow more than one MAC on an interface. I can configure ProCurves to allow only the first MAC address detected, and as a hub cannot authenticate, it will not be authorized in the first place!
At least that's the theory, full details after the summer.
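
Added example (not part of any post in this thread, and not packetfence or switch vendor code): a small Python audit that combines the MAC-tied DHCP reservations from post #6 with the one-MAC-per-port rule from post #8 and reports unknown MACs, ports carrying more than one MAC, and duplicate IP claims. The reservation list, port names and observations are constructed sample data; collecting them from a real switch or DHCP server is assumed to happen elsewhere.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): DHCP reservations, MAC -> reserved IP.
RESERVATIONS = {
    "00:11:22:33:44:01": "10.0.0.11",
    "00:11:22:33:44:02": "10.0.0.12",
    "00:11:22:33:44:03": "10.0.0.13",
}

# Constructed snapshot of (access port, MAC, IP), as might be merged from a
# switch MAC table and an ARP cache. Uplink ports are assumed to be excluded.
OBSERVED = [
    ("A1", "00:11:22:33:44:01", "10.0.0.11"),
    ("A2", "00-11-22-33-44-02", "10.0.0.12"),
    ("A3", "0011.2233.4403", "10.0.0.13"),
    ("A3", "de:ad:be:ef:00:01", "10.0.0.12"),  # unreserved device, manual IP
]

def normalise(mac):
    """Return lower-case colon form so differently formatted MACs compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(observed, reservations, max_macs_per_port=1):
    # Findings are (kind, where, detail) tuples.
    reserved = {normalise(m): ip for m, ip in reservations.items()}
    macs_on_port, macs_for_ip = defaultdict(set), defaultdict(set)
    findings = []
    for port, mac, ip in observed:
        mac = normalise(mac)
        macs_on_port[port].add(mac)
        macs_for_ip[ip].add(mac)
        if mac not in reserved:
            findings.append(("unknown-mac", port, mac))
        elif reserved[mac] != ip:
            findings.append(("wrong-ip", port, mac))
    for port, macs in sorted(macs_on_port.items()):
        if len(macs) > max_macs_per_port:
            findings.append(("multi-mac-port", port, ",".join(sorted(macs))))
    for ip, macs in sorted(macs_for_ip.items()):
        if len(macs) > 1:
            findings.append(("duplicate-ip", ip, ",".join(sorted(macs))))
    return findings

if __name__ == "__main__":
    for finding in audit(OBSERVED, RESERVATIONS):
        print(*finding)
```

A device that copies a reserved machine's MAC and IP looks identical to that machine in this data, so the audit only catches devices that show up under their own address.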
-
-
25th April 2007, 10:30 AM #9 Re: Rogue Devices

Originally Posted by plexer
As well as connecting a hub in the way they have to set their rogue machine to have the same MAC and IP addresses as the authenticated one.
Ben

To do this with the 802.1x config I'm looking at, the port will need to be physically disconnected to swap, unauthorising the previous machine and requiring a new authentication session.
-
-
25th April 2007, 10:46 AM #10 Re: Rogue Devices
The idea behind it is that you have a valid machine that can log in.
You temporarily disconnect it and put a hub in between the victim and the network.
You then plug your laptop in with the same IP and MAC as the victim and when the victim reauthenticates you will have access to the network.
So it does require physical access, and how many teachers are going to be able to pull this off from a technical point of view anyway?
Ben
-
-
25th April 2007, 11:08 AM #11 Re: Rogue Devices
This isn't an issue if you use packet fence.