On 10/14/12, Jonathan Lassoff <jof@thejof.com> wrote:
> I've yet to see a solid methodology for detecting NATing devices, short of requiring 802.1x authentication using expiring keys and one-time passwords. :p
Or implement network access protection, with IPsec between the hosts and the resources on the LAN; the systems behind the rogue NAT device won't be able to prove their identity, pass system health checks for antimalware, and get the X.509 certificates required to communicate with hosts on the LAN...

Packet sniffer, and look for packets sourced from hosts on the LAN with a TTL not matching the default TTL of OSes in use on the network. Monitor ARP traffic.

Start with the assumption that all devices are NAT devices, or malicious/unauthorized devices. Use TCP probes to detect devices listening on common ports which can be identified as OSes (e.g. Windows, printers, etc.), which are known hosts on the network with a known user, or known purpose, and known to not be NAT devices. Delete known devices from the list of assumed rogue IP addresses. All the remaining IPs have to be investigated, and get their MAC address, hostname, and purpose documented.

Once MAC addresses of all _known_ hosts are documented and manually verified, by process of elimination, you can detect any unknown IP addresses/MAC addresses, which might be any kind of unauthorized device. A NAT device is one example; another example of an unauthorized device could be an unauthorized hardware keylogger/network backdoor, with unauthorized connectivity to the LAN, and possible covert channels/backdoors/firewall bypasses.
> Cheers,
> jof

--
-JH
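The TTL check described in the reply above, as an added example that is not part of the thread: group sniffed packets by source IP and flag hosts whose TTL is below every known OS default (one extra hop, as a NAT router in front of the host would cause) or that emit mixed TTLs from one address. The default-TTL set, the packet sample and the known-MAC allowlist are constructed assumptions.

```python
# Added example (not from the thread): flag LAN hosts whose observed IP TTL
# does not equal a known OS default. On a single L2 segment that suggests an
# extra routing hop, e.g. an unauthorized NAT device in front of the host.
from collections import defaultdict

# Assumption: initial TTLs of the OS families in use on the monitored LAN.
DEFAULT_TTLS = {64, 128, 255}

# Constructed sample of observed packets: (source IP, source MAC, IP TTL).
SAMPLE_PACKETS = [
    ("10.0.0.11", "aa:bb:cc:00:00:11", 128),
    ("10.0.0.12", "aa:bb:cc:00:00:12", 64),
    ("10.0.0.13", "aa:bb:cc:00:00:13", 63),   # one below 64: extra hop
    ("10.0.0.13", "aa:bb:cc:00:00:13", 127),  # same IP, different OS behind it
    ("10.0.0.14", "aa:bb:cc:00:00:14", 255),
    ("10.0.0.15", "aa:bb:cc:00:00:15", 63),   # consistently one hop short
]

def ttl_hops(ttl):
    """Smallest number of decrements from a default TTL, or None if above all defaults."""
    candidates = [d - ttl for d in DEFAULT_TTLS if d >= ttl]
    return min(candidates) if candidates else None

def find_ttl_anomalies(packets, known_macs=frozenset()):
    """Return {ip: {"mac", "ttls", "reason"}} for hosts not in known_macs whose
    TTLs are off-default or mixed; everything else is treated as documented."""
    seen = defaultdict(lambda: {"mac": None, "ttls": set()})
    for ip, mac, ttl in packets:
        seen[ip]["mac"] = mac
        seen[ip]["ttls"].add(ttl)
    suspects = {}
    for ip, info in seen.items():
        if info["mac"] in known_macs:
            continue  # manually verified host, skip (process of elimination)
        ttls = info["ttls"]
        off_default = {t for t in ttls if t not in DEFAULT_TTLS}
        if len(ttls) > 1:
            reason = "mixed TTLs from one IP (several OSes behind one address?)"
        elif off_default:
            reason = f"TTL {min(ttls)} is {ttl_hops(min(ttls))} below a default"
        else:
            continue
        suspects[ip] = {"mac": info["mac"], "ttls": sorted(ttls), "reason": reason}
    return suspects

if __name__ == "__main__":
    for ip, s in find_ttl_anomalies(SAMPLE_PACKETS).items():
        print(ip, s["mac"], s["ttls"], s["reason"])
```

Hosts with a locally tuned TTL, VMs, or multi-homed boxes will also trip this, so treat a hit as a lead for the MAC/hostname investigation the reply describes, not as proof of a NAT device.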