Application or Software to detect or Block unmanaged switches
Hello All,

Please I have a very interesting scenario that I am on the lookout for a solution for. We have instances where the network team of my company bypasses controls and processes when adding new switches to the network.

The right parameters that are required to be configured on the switches in order for the NAC solution deployed to have full visibility into end points that connect to such switches are not usually configured.

This poses a problem for the security team as they don't have visibility into such devices that connect to such switches on the NAC solution; the network guys usually connect the new switches to the trunk port and they have access to all VLANs.

Is there a solution that can detect new or unmanaged switches on the network and block such devices, or is there a solution that blocks users that connect to unmanaged switches on the network even if those users have domain PCs?

Anticipating your speedy response.

Thank You!
segs wrote on 07/06/2018 09:57:
Is there a solution that can detect new or unmanaged switches on the network, and block such devices or if there is a solution that block users that connect to unmanaged switches on the network even if those users have domain PCs.
This is really an enterprise question, but 802.1x should do the trick, or static MAC ACLs on your network edge ports.

Nick
On Thu, Jun 7, 2018 at 3:57 AM, segs <michaelolusegunrufai@gmail.com> wrote: [snip]
Please I have a very interesting scenario that I am on the lookout for a solution for, We have instances where the network team of my company bypass controls and processes when adding new switches to the network.
The NETWORK management team of your own company? The answer is adequate change controls, policy, procedures, technical auditing (such as logging of all CLI commands), and mandatory training with clearly-communicated-in-advance severe consequences for violators of the compulsory security policy that all switches must be of X type and configured according to Y process before being connected to the network, signed off by management.

There are technical controls that can be implemented to help prevent/mitigate end users from attaching an unauthorized switch to a normal access port, but as you mention... clearly an employee on the NETWORKING team can likely just configure a port as Trunk and circumvent any technical protections.

Two methods that could effectively prevent End Users (not Network/IT team) from connecting unmanaged switches would be:

* Port-security feature common on many managed switches that allows you to limit the number of MAC Addresses that can use a port to 1 or a given number of MAC addresses. (Use a short MAC address aging time such as 30 seconds to allow people to unplug and plug a different device in, but a low MAC address count and Err-Disable violation to kill the port if a switch is connected.)
* 802.1x Wired Port Security - More detailed system that requires a PKI + RADIUS server infrastructure and authentication by every client to every port.

--
-JH
On 7 June 2018 at 04:57, segs <michaelolusegunrufai@gmail.com> wrote:

Hello All,

Please I have a very interesting scenario that I am on the lookout for a solution for, We have instances where the network team of my company bypass controls and processes when adding new switches to the network.

To put a finer point on things others have already said: If you have employees with enable on your networking gear not following policies and procedures, that is a management problem, not a technical one. There's nothing you can do to prevent someone who admins a network device from changing its configuration. The various ways the company can handle this are by training, clearly defined *and communicated* policies, and eventually by discipline if necessary. If the company is unwilling or unable to enforce reasonable policy on its employees then my recommendation would be to find a new company.
As someone already stated the obvious answers, the slightly more difficult route would be getting a count of allowed devices and MAC addresses, then moving forward with something like ansible to poll the count of MACs on any given port ... if the number is higher than what's allowed, suspend the port and send a notification to the appropriate parties.

All in all though, it sounds like a really brash thing to do to your network team, who will generally know and have a very good reason for doing so... but not all situations are created equally, so good luck.

--
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Jun 7, 2018, at 03:57, segs <michaelolusegunrufai@gmail.com> wrote:
In my previous life, we used a NAC appliance from Bradford Networks whereby the MAC address of every device needed to be registered or the switch port it was plugged into would be disabled. This kept spurious devices from appearing on the network and worked quite well.

Cheers,
Keith

Sent from my android device.

-----Original Message-----
From: Jason Hellenthal <jhellenthal@dataix.net>
To: segs <michaelolusegunrufai@gmail.com>
Cc: nanog@nanog.org
Sent: Thu, 07 Jun 2018 7:54
Subject: Re: Application or Software to detect or Block unmanaged switches
I guess you can do that and more with a linux based switch like cumulus and pica8. They allow you to do all sorts of things like that because they are open.

On Thursday, June 7, 2018, <keith@contoocook.net> wrote:
When we do NIST-CSF audits, we run an SNMP NMS called Intermapper, which has a Layer-2 collection feature that identifies the number and MACs of devices on any given switch port. We export this list and cull out all the known managed switch links. Anything remaining that has more than one MAC per port is a potential violation that we can readily inspect. It's not perfect, because an unmanaged switch might only have one device connected, in which case it won't be detected. You can also get false positives from hosts running virtualization, if the v-kernel generates synthetic MAC addresses. But it's amazing how many times we find unmanaged switches squirreled away under desks or in ceilings.

-mel
On Jun 7, 2018, at 4:54 AM, Jason Hellenthal <jhellenthal@dataix.net> wrote:
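Mel's cull-and-count audit and Jason's count-of-MACs-per-port idea, written out as an added example; this is not code from either of them, from Intermapper or from any NMS. It assumes the Layer-2 export is a CSV with switch,port,mac rows, and the sample rows, uplink list and hypervisor OUI handling for the virtualization false positive Mel mentions are all constructed here:

```python
"""Audit an exported per-port MAC table for likely unmanaged switches.

Added example; not code from anyone in the thread, Intermapper, or any NMS.
Input format is an assumption: a CSV export with one row per learned MAC
(switch,port,mac), which is what a Layer-2 collection or an SNMP walk of the
bridge MIB forwarding table boils down to.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data).
SAMPLE_EXPORT = """switch,port,mac
sw-floor1,Gi1/0/1,3C:52:82:11:22:33
sw-floor1,Gi1/0/2,3C:52:82:44:55:66
sw-floor1,Gi1/0/2,D8:9E:F3:77:88:99
sw-floor1,Gi1/0/2,D8:9E:F3:AA:BB:CC
sw-floor1,Gi1/0/3,F4:8E:38:12:34:56
sw-floor1,Gi1/0/3,00:50:56:01:02:03
sw-floor1,Gi1/0/3,00:50:56:04:05:06
sw-floor1,Gi1/0/24,00:11:22:33:44:55
sw-floor1,Gi1/0/24,00:11:22:33:44:56
sw-floor1,Gi1/0/24,00:11:22:33:44:57
sw-floor2,Gi1/0/7,A4:5E:60:AA:BB:CC
"""

# Known managed inter-switch links (constructed), culled before looking for
# violations: an uplink legitimately carries many MACs.
KNOWN_UPLINKS = {("sw-floor1", "Gi1/0/24")}

# OUIs hypervisors hand out to synthetic VM NICs (VMware, Hyper-V, VirtualBox).
# A port with one physical MAC plus these is more likely a workstation running
# VMs than an unmanaged switch, so it is marked for review, not as a violation.
VIRT_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56",
             "00:15:5d", "08:00:27"}


def parse_export(text):
    """Return {(switch, port): {mac, ...}} from the CSV export."""
    table = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        table[(row["switch"], row["port"])].add(row["mac"].strip().lower())
    return table


def oui(mac):
    """First three octets of a lower-cased, colon-separated MAC."""
    return mac[:8]


def audit(export_text, known_uplinks=KNOWN_UPLINKS, max_macs=1):
    """Flag access ports that learned more MACs than max_macs allows.

    Returns findings sorted by switch and port. verdict is "violation"
    (treat as an unmanaged switch: suspend the port and notify) or "review"
    (the surplus MACs all carry a hypervisor OUI; inspect before acting).
    """
    findings = []
    for (switch, port), macs in sorted(parse_export(export_text).items()):
        if (switch, port) in known_uplinks or len(macs) <= max_macs:
            continue
        virtual = {m for m in macs if oui(m) in VIRT_OUIS}
        physical = macs - virtual
        verdict = "review" if len(physical) <= max_macs else "violation"
        findings.append({
            "switch": switch,
            "port": port,
            "mac_count": len(macs),
            "virtual_macs": len(virtual),
            "verdict": verdict,
        })
    return findings


def ports_to_suspend(findings):
    """The (switch, port) pairs an automation job such as ansible would act on."""
    return [(f["switch"], f["port"]) for f in findings
            if f["verdict"] == "violation"]


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f['switch']} {f['port']}: {f['mac_count']} MACs "
              f"({f['virtual_macs']} hypervisor OUIs) -> {f['verdict']}")
```

A port with a single learned MAC is never flagged, so an unmanaged switch with one device behind it still slips through, exactly the blind spot Mel describes.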
This thread has piqued my curiosity on whether there'd be a way to detect a rogue access point, or proxy server with an inside and outside interface? Let's just say 802.1x is in place too to make it more interesting. For example, could employee X, who doesn't want their department to be back billed for more switch ports, go and get some reasonable wifi router, throw DD-WRT on it, and set up 802.1x client auth to the physical network using their credentials? They then let their staff wifi into it and the traffic is NAT'd. I'm sure anyone in a university setting has encountered this. Obviously policy can forbid, but any way to detect it other than seeing traffic patterns on a port not match historical once the other users have been combined onto it, or those other users' ports go down?

David

On 6/7/18, 10:18 AM, "NANOG on behalf of Mel Beckman" <nanog-bounces@nanog.org on behalf of mel@beckman.org> wrote:
This is one of the reasons why large organizations, such as the ones you describe, have both portable spectrum analyzers (covering the 2400 range and 5150-5850 MHz 802.11(whatever) bands), and also ability to hunt for MAC addresses of wifi devices that don't match known centrally managed APs. Even if somebody sets up to not broadcast the SSID, the MAC will still be there and can be recognized as an unknown device, then physically triangulated upon for its OSI layer 1 location, with RSSI/RSL level and a portable spectrum analyzer with directional yagi antenna.

On Fri, Jun 8, 2018 at 10:32 AM, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
Enterprise WiFi systems, such as those by HPE (Aruba) and Cisco, have built-in rogue detection including integrated spectrum analysis. Every AP becomes a spectrum analyzer, so the WiFi controller can detect rogue APs, identify whether or not they're physically connected to your network, and then even tell you the switch and port they're plugged into. You can disable that port to kill the rogue's network access, then follow that cable to the interloper. We use a 2' pipe wrench for enforcement :)

-mel
On Jun 8, 2018, at 11:14 AM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
There are a few options.

1. Most likely it will leak information (STUN, NAT-PMP, etc.).
2. You could look for obvious signs of NATted traffic (e.g. re-use of the same source port number to different destinations from the box, etc.).
3. You can look at the TTL or Hop-Count on packets coming out of the box. Most NAT routers (I believe DD-WRT included, IIRC) do still decrement the TTL/Hop-Count (v4/v6) when passing the packet.
4. NMAP the device… DD-WRT will usually look strikingly different from most desktop hosts.

I'm sure there are other ways, but those are the first 4 that spring to mind. Each could be defeated by a particularly careful/clever implementer, but in an enterprise, usually it makes little sense to go to that much trouble to violate policy. Universities are an exception as that's a whole different set of equations on risk/benefit.

Owen
On Jun 8, 2018, at 10:32, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
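Owen's points 2 and 3 (source-port reuse and decremented TTL) run over flow records, as an added example that is not code from the thread; it assumes the flows were captured on the access segment itself (a SPAN of the edge switch or a collector fed by it), so a host plugged straight into its port shows an unmodified initial TTL, and every address and record below is constructed:

```python
"""Spot hosts that behave like NAT gateways from flow records.

Added example, not code from the thread. Two of Owen's checks, decremented
TTLs and source-port reuse, over constructed flow records. Assumption: the
flows are observed on the same L2 segment as the hosts, so a directly
attached host should present one of the usual initial TTLs untouched.
"""
from collections import defaultdict

# Initial TTLs the common OSes start with: Linux/macOS 64, Windows 128,
# some network gear 255.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample records (src_ip, src_port, dst_ip, dst_port, ttl).
# 10.0.5.23 plays the DD-WRT box with a Linux and a Windows client behind
# it; destinations are documentation-range addresses, not real hosts.
SAMPLE_FLOWS = [
    ("10.0.5.10", 51000, "203.0.113.10", 443, 64),
    ("10.0.5.10", 51001, "203.0.113.10", 443, 64),
    ("10.0.5.10", 51002, "198.51.100.7", 443, 64),
    ("10.0.5.23", 40001, "203.0.113.10", 443, 63),
    ("10.0.5.23", 40001, "198.51.100.7", 443, 127),
    ("10.0.5.23", 40001, "203.0.113.99", 80, 63),
    ("10.0.5.23", 40002, "203.0.113.10", 443, 127),
    ("10.0.5.31", 52000, "203.0.113.10", 443, 128),
]


def ttl_origin(ttl):
    """Map an observed TTL to (likely initial TTL, hops travelled)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")


def analyze(flows, port_reuse_threshold=3):
    """Return {src_ip: [indicator, ...]}; an empty list means nothing odd.

    Indicators:
      ttl-decremented  packets arrive below an initial TTL, i.e. something
                       routed them before they reached the capture point
      multiple-os-ttl  one source IP shows more than one initial-TTL family,
                       a sign of several OSes sharing the address
      src-port-reuse   one source port talks to >= threshold destinations
    A single busy host also recycles ephemeral ports over time, so feed
    this a short window of flows rather than a whole day.
    """
    per_host = defaultdict(lambda: {"initials": set(), "hops": set(),
                                    "port_dsts": defaultdict(set)})
    for src, sport, dst, _dport, ttl in flows:
        initial, hops = ttl_origin(ttl)
        h = per_host[src]
        h["initials"].add(initial)
        h["hops"].add(hops)
        h["port_dsts"][sport].add(dst)

    results = {}
    for src, h in sorted(per_host.items()):
        indicators = []
        if max(h["hops"]) > 0:
            indicators.append("ttl-decremented")
        if len(h["initials"]) > 1:
            indicators.append("multiple-os-ttl")
        if any(len(d) >= port_reuse_threshold for d in h["port_dsts"].values()):
            indicators.append("src-port-reuse")
        results[src] = indicators
    return results


def suspects(flows, min_indicators=2):
    """Hosts showing at least min_indicators signs, worth a closer look."""
    return [src for src, ind in analyze(flows).items()
            if len(ind) >= min_indicators]


if __name__ == "__main__":
    for src, ind in analyze(SAMPLE_FLOWS).items():
        print(src, ind or "clean")
```

If the collector sits behind a router rather than on the access segment, every host shows a decremented TTL and the first indicator becomes noise; the other two still hold.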
David,

If you are using a product like ISE/Forescout you could set up multiple layers of device identification prior to network authorization. For example, a user would need to spoof the results of a legitimate device to match the results of:

- NMAP scan
- Domain machine/user Auth
- OID/MAC etc

It's simply a matter of dissecting the signatures of legitimate devices to the finest level of granularity and denying everything else.

Best,
Christopher

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of David Hubbard
Sent: Friday, June 8, 2018 12:32 PM
To: nanog@nanog.org
Subject: Re: Application or Software to detect or Block unmanaged swicthes

This thread has piqued my curiosity on whether there'd be a way to detect a rogue access point, or proxy server with an inside and outside interface? Let's just say 802.1x is in place too to make it more interesting. For example, could employee X, who doesn't want their department to be back billed for more switch ports, go and get some reasonable wifi router, throw DD-WRT on it, and set up 802.1x client auth to the physical network using their credentials? They then let their staff wifi into it and the traffic is NAT'd. I'm sure anyone in a university setting has encountered this. Obviously policy can forbid, but any way to detect it other than seeing traffic patterns on a port not match historical once the other users have been combined onto it, or those other users' ports go down?

David

On 6/7/18, 10:18 AM, "NANOG on behalf of Mel Beckman" <nanog-bounces@nanog.org on behalf of mel@beckman.org> wrote:

When we do NIST-CSF audits, we run an SNMP NMS called Intermapper, which has a Layer-2 collection feature that identifies the number and MACs of devices on any given switch port. We export this list and cull out all the known managed switch links. Anything remaining that has more than one MAC per port is a potential violation that we can readily inspect.

It's not perfect, because an unmanaged switch might only have one device connected, in which case it won't be detected. You can also get false positives from hosts running virtualization, if the v-kernel generates synthetic MAC addresses. But it's amazing how many times we find unmanaged switches squirreled away under desks or in ceilings.

-mel

> On Jun 7, 2018, at 4:54 AM, Jason Hellenthal <jhellenthal@dataix.net> wrote:
>
> As someone already stated the obvious answers, the slightly more difficult route to be getting a count of allowed devices and MAC addresses, then moving forward with something like ansible to poll the count of MACs on any given port ... of number higher than what's allowed, suspend the port and send a notification to the appropriate parties.
>
> All in all though sounds like a really brash thing to do to your network team and will generally know and have a very good reason for doing so... but not all situations are created equally so good luck.
>
> --
>
> The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
>
>> On Jun 7, 2018, at 03:57, segs <michaelolusegunrufai@gmail.com> wrote:
>>
>> [snip]
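The per-port MAC-count audit that Mel (Intermapper export, cull known uplinks, flag ports with more than one MAC) and Jason (poll MAC counts per port, act above the allowed number) describe, as an added example that is not part of the thread. The export rows, the uplink inventory, the allowed count and the synthetic-MAC heuristic used to soften the virtualization false positives (locally-administered bit, or an assumed VMware OUI) are all constructed assumptions.

```python
"""Flag switch ports carrying more MACs than one device should need.

Added example, not from the thread. Rows mimic a Layer-2 forwarding-table
export (switch, port, MAC); known managed-switch uplinks are culled first,
then any remaining port with more than MAX_MACS_PER_PORT addresses is a
finding. Ports where a MAC looks synthetic (locally-administered bit set,
or an assumed VMware OUI) are graded "review" instead of "violation" to
account for the virtualization false positives Mel mentions.
"""
from collections import defaultdict

# Constructed sample export, not real data.
SAMPLE_EXPORT = [
    ("sw-floor2", "Gi1/0/1", "00:11:22:33:44:01"),
    ("sw-floor2", "Gi1/0/2", "00:11:22:33:44:02"),
    ("sw-floor2", "Gi1/0/2", "00:11:22:33:44:03"),   # two hosts: violation
    ("sw-floor2", "Gi1/0/3", "3c:52:82:aa:bb:01"),
    ("sw-floor2", "Gi1/0/3", "00:50:56:aa:bb:02"),   # VMware guest: review
    ("sw-floor2", "Gi1/0/48", "00:aa:bb:cc:dd:01"),  # known uplink: culled
    ("sw-floor2", "Gi1/0/48", "00:aa:bb:cc:dd:02"),
]
KNOWN_UPLINKS = {("sw-floor2", "Gi1/0/48")}   # assumed inventory
VIRT_OUIS = {"00:50:56", "00:0c:29"}           # VMware OUIs (assumption)
MAX_MACS_PER_PORT = 1

def is_synthetic(mac):
    """Locally-administered bit (0x02 in first octet) or a hypervisor OUI."""
    mac = mac.lower()
    return bool(int(mac[:2], 16) & 0x02) or mac[:8] in VIRT_OUIS

def audit(rows, known_uplinks, max_macs=MAX_MACS_PER_PORT):
    """Return {(switch, port): (grade, sorted MACs)} for suspect ports."""
    per_port = defaultdict(set)
    for switch, port, mac in rows:
        per_port[(switch, port)].add(mac.lower())
    findings = {}
    for key, macs in per_port.items():
        if key in known_uplinks or len(macs) <= max_macs:
            continue  # managed uplink, or within the allowed device count
        grade = "review" if any(is_synthetic(m) for m in macs) else "violation"
        findings[key] = (grade, sorted(macs))
    return findings

if __name__ == "__main__":
    for (switch, port), (grade, macs) in audit(SAMPLE_EXPORT, KNOWN_UPLINKS).items():
        print(f"{switch} {port}: {grade} ({len(macs)} MACs: {', '.join(macs)})")
```

As Mel notes, a single host behind an unmanaged switch never exceeds the count, so this only catches the multi-device case.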
How about some scripts around fail2ban: if the same account logs in multiple times, it's banning time.

Kasper

On Friday, June 8, 2018, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:

> [snip]
I've got an easy way to do this, I confiscate 'em ;)

As others have said, this is a management problem. Untrustworthy parties shouldn't have physical access to your trunk ports.

That said, Layer 2 MAC ACLs should block everything and allow only your switches.

Also, do you have lit trunk ports just floating in space? You shouldn't...
I like the idea of using a quarantine network by default with a captive portal assistant to permit certain levels of access if needed. Fairly easy to set up on LAN and WiFi networks with no problem. Just depends on what you are trying to secure; easy to set up audits with MAC tables and SNMP data either way.

Brad

-------- Original message --------
From: Ben Cannon <ben@6by7.net>
Date: 6/8/18 13:28 (GMT-07:00)
To: Kasper Adel <karim.adel@gmail.com>
Cc: nanog@nanog.org
Subject: Re: Application or Software to detect or Block unmanaged swicthes

[snip]
Cisco ISE will accomplish this.

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of segs
Sent: Thursday, June 7, 2018 3:57 AM
To: nanog@nanog.org
Subject: Application or Software to detect or Block unmanaged swicthes

[snip]
As already said, this can be covered with adequate processes and management (even so far as: not doing your job right? time for HR...).

However, there are many ways to ensure that random ports aren't doing anything other than what they should be doing. Most of these are L2 security features: port-security, BPDU guard, default VLAN pruning, along with other protections such as DHCP snooping etc.

However, if it's the network team doing this, then they could just turn those things off anyway, so you need to also ensure all managed switch configs have their configs audited and checked: grabbed by SNMP and checked/audited against a known template etc. etc. If a switch cannot be audited then disconnect its uplink..... but then your end users/customers no longer have connections, which is why it's really down to management processes.

WHY are they doing this? There could be other reasons why due process isn't being followed other than e.g. incompetence, malice, laziness etc.

alan
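Alan's suggestion of auditing every managed switch's config against a known template, as an added example that is not from the thread. The IOS-style config text, the baseline lines (the port-security, BPDU guard and DHCP snooping features named above) and the inventory of approved trunk ports are constructed assumptions; a real run would feed in configs pulled from the switches.

```python
"""Audit a switch config against a baseline of the L2 protections the thread
names (port-security, BPDU guard, DHCP snooping) and an inventory of
approved trunk ports. Added example, not from the thread; the config,
baseline and inventory are constructed.
"""
# Constructed IOS-style config: Gi1/0/2 lacks port-security, Gi1/0/7 is an unapproved trunk.
SAMPLE_CONFIG = """\
ip dhcp snooping
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/7
 switchport mode trunk
interface GigabitEthernet1/0/48
 switchport mode trunk
"""
ACCESS_REQUIRED = ["switchport port-security", "switchport port-security maximum 1",
                   "switchport port-security violation shutdown",
                   "spanning-tree bpduguard enable"]
GLOBAL_REQUIRED = ["ip dhcp snooping"]
APPROVED_TRUNKS = {"GigabitEthernet1/0/48"}   # assumed managed-uplink inventory

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented lines, stripped."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None          # any other top-level line ends the stanza
    return ifaces

def audit_config(config, approved_trunks=APPROVED_TRUNKS):
    """Return [(scope, problem)] for every deviation from the baseline."""
    top_level = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = [("global", f"missing '{r}'") for r in GLOBAL_REQUIRED if r not in top_level]
    for name, body in parse_interfaces(config).items():
        if "switchport mode trunk" in body and name not in approved_trunks:
            findings.append((name, "unapproved trunk port"))
        elif "switchport mode access" in body:
            findings.extend((name, f"missing '{r}'") for r in ACCESS_REQUIRED if r not in body)
    return findings
```

An empty findings list means the switch matches the template; anything else is the list of ports (or global settings) to raise with the network team.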
participants (15): Alan Buxey, Ben Cannon, Brad, Christopher J. Wolff, David Hubbard, Eric Kuhnke, Jason Hellenthal, Jimmy Hess, Kasper Adel, keith@contoocook.net, Matthew Pounsett, Mel Beckman, Nick Hilliard, Owen DeLong, segs