
What's On Your Network?

An anonymous reader writes "According to a Whitedust article you may currently have more on your network than you think you do. The article claims that not much security attention is generally given to one of the most elusive aspects of computer security; that of physical connectivity." From the article: "Broadcast traffic is on the rise, with more suspicious user activity in the logs every day. Then one morning you get a call from your irate boss wanting to know why he no longer has a network connection, yet the employees - or students or whoever - down the hall are able to play games and visit porn sites, at blazing speeds no less."
  • Great article!!!

    I know that many (perhaps most) large corporations have incorporated strong policies regarding what an employee can plug into a network. Does this help the problem with unwanted 'network use' or do the policies get ignored?

    • If company policy mandates using Windows, well, you are going to have problems anyway.

      Plugging in other machines that are non-Windows is not likely to create nearly as many problems. The exception to that would be wifi that is not properly secured (default settings).

      It's the untrusted employee that is trying to subvert your networks that you have to worry about more than anything.

      And company policy will not stop that anyway.

      • FUD. A Unix machine running NFS is an automatic security problem.
        • FUD. A Unix machine running NFS is an automatic security problem.

          FUD. NFS has its uses. Just don't let untrusted (i.e. generally used desktops, etc) have direct access to it.

          The better solution is to use NFS as a fast setup for sharing disk space between a number of servers (say, for load balanced web servers running CPU-bound scripts) and read-only NFS for home directories with read-write AFS subdirectories (via symlinks?) used for anything important (things have to be done this way because AFS cannot be accessed during the login process due to credential issues).

          NFS is not an *automatic* security problem. It is just a *likely* security problem.
          • Yes, but we're talking about random laptops plugged into your network, not designed configurations.
            • I try to keep r/w NFS shares off the portions of the network that are used by people doing normal work.

              Read only NFS is a good way to get around the limitations inherent in AFS, however, which was my main point.

              r/w NFS is somewhat dangerous, especially if it is used in an environment where anyone can use any arbitrary computer system that they bring in from home. If you get someone's UID, you can alter your /etc/passwd and get access to their files.

              But if you use it primarily as a content serving mechan
              • I try to keep r/w NFS shares off the portions of the network that are used by people doing normal work.

                Good for you, but again the point is that you need some sort of MAC or port security to really do this.

                Otherwise it's the same argument as the Windows guy who patches routinely but gets attacked by the random consultant laptop.
      • Plugging other machines that are non-Windows is not likely to create near as many problems.

        Plugging in anything without a competent admin can create problems. The hordes of owned Linux machines banging away on ssh are proof of that. The theory is that the company hires competent people to keep the work machines secure and bans all other machines because they have no way to guarantee that the desktop jockey who wants to run his/her own machine can and will do so. It also helps with software licensing i
  • by Anonymous Coward
    Lots of network noise from my Apple boxen. AFP, Rendezvous, Netbios etc. Oh and stupid Linksys router querying my ISP's domain name servers to find out where 198.162.1.104 is and dumb shite like that, strange bittorrent stuff from the internet that for some reason gets bounced around my entire network.

    Now can someone please tell me why tcpdump and tcpflow -c don't do the same thing. tcpflow seems to grab the entire data sans headers but misses most all of the lower level traffic (e.g. ARP whohas etc.), whil
    • Lots of network noise from my Apple boxen. AFP, Rendezvous, Netbios etc.

      Presumably by "AFP" you mean "AppleTalk" - I wouldn't expect to see Apple File Protocol traffic unless some machine is accessing a file server. Perhaps the Macs are sending some sort of AppleTalk broadcast announcements.

      What sort of NetBIOS traffic are you seeing?

      Now can someone please tell me why tcpdump and tcpflow -c don't do the same thing. tcpflow seems to grab the entire data sans headers but misses most all of the lower

    • strange bittorrent stuff from the internet that for some reason gets bounced around my entire network.

      Umm, WHAT? Can you elaborate? This sounds like NAT without a filter. I often see packets from 192.168.0.2 trying to enter my border router(!). NAT is no security measure!
  • by PhilipPeake ( 711883 ) on Sunday July 17, 2005 @12:52PM (#13087386)
    but isn't this the sort of stuff that ANY network admin worth their salt should be completely aware of? If they need to be told this stuff they are not (IMHO) worth employing as other than apprentice network engineers. Or is this level of admin common in Windows environments?
    • by cavtroop ( 859432 ) on Sunday July 17, 2005 @12:56PM (#13087400)
      Also, try to remember that most companies' IT departments are still short staffed, and pro-active monitoring like network scanning, etc. gets put way on the back burner. I agree with you, and am just playing devil's advocate here :)
    • by Homology ( 639438 ) on Sunday July 17, 2005 @01:01PM (#13087428)
      but isn't this the sort of stuff that ANY network admin worth their salt should be completely aware of? If they need to be told this stuff they are not (IMHO) worth employing as other than apprentice network engineers. Or is this level of admin common in Windows environments?

      Sure, where the employer can pay for it you'll have very good administrators, be it Windows or not. On most smaller sites, the administrator is not a full-time administrator, and is doing administration ad-hoc to his real job. This usually means that he does not have much training in this, nor much time for it either. Now, with all these (useful) Plug-and-Play devices you are bound to have some problems.

    • Not so simple - a place I worked for (a large telco) tried shutting down all non-approved systems. You know what happened? A large number of departments came to a screeching halt as so many depended on non-approved in-house servers etc. and everything was quickly re-activated. Security doesn't come at the expense of line of business activities - it's the LOB that produces the income. Any IT manager that decided that the company could lose millions upon millions in revenue because he wanted to secure the ne
      • Well... Here is my attitude towards the whole thing... Sudden enforcement is generally a problem for reasons you mention.

        However, when you are planning or deploying your network, it makes sense to add filters to nearly all routers (a standard filter set) which allows you to monitor for certain types of common misconfigurations and problems. This can be largely automated so you don't have to dedicate a large amount of manpower to reading and parsing through logs. Ideally such a router management infrastructure would require very little overhead to manage.

        When something turns up, you need to investigate it. Find out what is going on. If it is an in-house server some department is running, find out what it is doing, discuss what needs to be done about it, and find out what you can do to add the required functionality to your server infrastructure (one possibility is to grant the department some level of approval in operating the server if it is important to the business).

        Security exists in a balance with LOB requirements. Heavily pushing one or the other side is a recipe for business failure.
  • static dhcp ? (Score:4, Interesting)

    by maharg ( 182366 ) on Sunday July 17, 2005 @12:54PM (#13087389) Homepage Journal
    the best solution I have seen is where you have to register your equipment's MAC address, then you get a "static" (i.e. always the same) ip address served to you via dhcp. No registered MAC address == no ip address. Presumably they had something looking for unregistered MAC addresses too. Pretty good, but doesn't stop you going in with a static address in the right range tho...
    • Each box that is supposed to be on the network has its MAC set to a fixed address.

      Then a special range that isn't able to access crap is set up, and it is assigned to all new devices that aren't in the dhcpd.conf.

      Any problems with that?
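    The scheme in this comment, written out as an ISC dhcpd configuration (an added example, not the commenter's own config; the subnet, addresses, MACs and hostnames are constructed placeholders). "Known" here simply means "has a host declaration in this file"; everything else lands in a short-lease quarantine pool whose gateway the router/ACL treats as untrusted.

```conf
# Added example: ISC dhcpd.conf for "registered MAC gets its fixed address,
# everything else gets a restricted range". All values are constructed.
ddns-update-style none;
authoritative;

subnet 192.168.10.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;

    # Pool for clients that have a host declaration below but no fixed-address
    # (registered hardware whose exact address we do not care about).
    pool {
        deny unknown-clients;
        range 192.168.10.50 192.168.10.199;
        option routers 192.168.10.1;
        option domain-name-servers 192.168.10.1;
        default-lease-time 86400;
    }

    # Quarantine pool: any MAC with no host declaration ends up here. The
    # router's ACL blocks 192.168.10.200-250 from the Internet and server VLANs,
    # and the five-minute lease makes the device reappear in the dhcpd log
    # until someone registers it or pulls the cable.
    pool {
        allow unknown-clients;
        range 192.168.10.200 192.168.10.250;
        option routers 192.168.10.254;   # gateway that only reaches the registration page
        default-lease-time 300;
        max-lease-time 300;
    }
}

# Registered machines: one MAC pinned to one address each. A client with a
# matching host block always receives its fixed-address, never a pool lease.
host ws01 {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.10.20;
}
host fileserver {
    hardware ethernet 00:25:90:01:02:03;
    fixed-address 192.168.10.21;
}
```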
    • Could it eventually be the case that it's more secure to have wifi than ethernet due to the inbuilt security features in wifi?

      Registration of MAC addresses sounds pretty secure but couldn't one plug a switch in between 2 authorised devices and packet-sniff until a MAC address was found? (forgive me if this is stupid, I'm a security noob)
      • Re:static dhcp ? (Score:3, Informative)

        by cortana ( 588495 )
        802.1x [wikipedia.org]
      • Re:static dhcp ? (Score:3, Informative)

        by Randseed ( 132501 )
        Not really. WiFi is always going to be inherently less secure than the equivalent implementation on a physical, wired line because of the nature of radio communications. Anyone within range can intercept it.

        As for WiFi's security, it's flawed, and slows down attackers rather than stopping them. WEP can be broken relatively easily, and hiding your SSID doesn't save you either contrary to what some people might think.

        The real way to handle WiFi security is to open a VPN with strong encryption to your rou

    • Pretty good, but doesn't stop you going in with a static address in the right range tho...

      How is this "pretty good" then? It would take someone with access to a network port 2 seconds to find out your subnet information and would take them another 2 seconds to skip DHCP completely and put an address in manually. Even worse, they could add your entire subnet to the list of IP addresses on the system and cause IP address collisions with every host on your network.

      Before anyone implements this suggestio
    • nice idea, and it slows people down. give me 5 minutes, ethereal, and iwconfig, and i can find a valid MAC, spoof it, and be happily requesting my own IP -- so it is far from perfect.
    • nice idea, and it slows people down. give me 5 minutes, ethereal, and ifconfig, and i can find a valid MAC, spoof it, and be happily requesting my own IP -- so it is far from perfect. My university's wireless has no restrictions, but maps client IPs to a heavily restricted subnet (you can pull down the "welcome to our wireless network" information page, and that is /it/). If you want out of that subnet, you have to use a vpn client to get a "real", full-functional IP. There are ways around that, too, b
      • nice idea, and it slows people down. give me 5 minutes, ethereal, and ifconfig, and i can find a valid MAC, spoof it, and be happily requesting my own IP -- so it is far from perfect

        Combine it with reactive measures like turning off the switch port attached to abusive hosts and it's pretty damn good.

    • Re:static dhcp ? (Score:3, Informative)

      by mcowger ( 456754 )
      Sure it does, if you design the system around the VLAN capability of your switches. I worked once at small University that had done just that, where their network registration system would move your MAC address around in VLANs upon registration.

      The only way around it was to spoof your MAC with a known good one that you knew was offline, because as soon as it came online, you would be booted off due to the conflict.
  • by Sv-Manowar ( 772313 ) on Sunday July 17, 2005 @12:56PM (#13087399) Homepage Journal

    This article raises the issue of internal network security, which is something that's been increasing in profile as a security risk over the past few years as ethernet/wifi enabled devices get smaller, cheaper and easier to hide. However, this article's specific Cisco approach to dealing with things by tracking them back through routers and cisco-specific tools seems to be of less use than more general scanning and identification measures.

    It's safe to say a good proportion of administrators already on networks with devices migrating on and off at will already have a consideration for these problems, and the specific approach detailed in the article may not be of best use to those less experienced admins starting to tackle this issue on their networks.

  • DHCP fun (Score:5, Funny)

    by flinxmeister ( 601654 ) on Sunday July 17, 2005 @12:57PM (#13087402) Homepage
    if you don't run DHCP, a fun project is to throw a DHCP server out there and see who gets configured.

    It's amazing all the little devices that show up. Switches, old print servers, workstations tucked away in a corner somewhere that time forgot....now that many of these networks are starting to push 10 years, it's like archeology.

    Every now and then you find something that you just can't physically find. Lotsa fun.
    • Re:DHCP fun (Score:5, Funny)

      by bersl2 ( 689221 ) on Sunday July 17, 2005 @01:05PM (#13087445) Journal
      Every now and then you find something that you just can't physically find. Lotsa fun.

      Obligatory bash.org [bash.org] quote:

      <erno> hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.
    • Re:DHCP fun (Score:3, Interesting)

      by Shadow_139 ( 707786 )

      This happened in Trinity College [www.tcd.ie] a few years ago; there were a few old AS400 servers the admins had forgotten about till one crashed and killed 3 of the main backend databases which were running on them.

      After 2 months of looking for the servers, following a jungle of Cat5, coax and AUX leads, it turned out that there was some building work done about 6 years before in an old section of the College that's not been used anymore, and the servers were hidden in a room that had been blocked off behind a new wall t

      • Re:DHCP fun (Score:3, Informative)

        by Anonymous Coward
        After 2 months of looking for the servers, following a jungle of Cat5, coax and AUX leads, it turned out that there was some building work done about 6 years before in an old section of the College that's not been used anymore, and the servers were hidden in a room that had been blocked off behind a new wall that had been put in...?!!??!

        Strangely enough, the exact same thing happened at UNC-CH, except it was a Netware 3.12 server. And it happened at MIT, except it was an RS/6000, and at CWRU it was a SCO Uni
        • Re:DHCP fun (Score:4, Insightful)

          by autocracy ( 192714 ) on Sunday July 17, 2005 @01:44PM (#13087641) Homepage
          Or... "not unsurprising?"

          Age old machines that just run and are scattered around without sense can certainly fall to that. What about Sun and losing a major chip fab machine? Turned out some recently departed developer's desktop ran something that was critical to operations, but was formatted after he left. I'm off on the details as to what purpose it fulfilled, but its disappearance was noted at the executive (CIO) level because of its disturbance to the company's operations. Whoopsie?

        • Re:DHCP fun (Score:3, Interesting)

          by rbarreira ( 836272 )
          can you say "Urban Legend?"

          Yes [freeserve.co.uk] (there are better references on this but I couldn't locate them...)
        • Re:DHCP fun (Score:2, Informative)

          by suitepotato ( 863945 )
          At one insurance company I worked for, it was no urban legend. Some remodelling was done and the access to a basement room where some test servers were set up was blocked by renovation materials and the renovation completed but the excess materials left stacked. Several years later of employees walking past the stacked supplies every day, a network check got some people curious and after nowhere else could be found with anything unaccounted for, a building map showed a room where most had forgotten there wa
      • See, if they were running Windows 98 they would never have lost the servers - they'd've had to walk over to reboot them every 47 days. That they would have gone insane trying to keep the database up is just the kind of side effect you hear at 100wpm at the end of a Pfizer commercial ;)
  • by techno-vampire ( 666512 ) on Sunday July 17, 2005 @01:00PM (#13087425) Homepage
    Are there really companies out there that still don't have a policy about not hooking up private equipment to the LAN without permission? Are there even any that let you run your own server on their LAN without asking? I find that hard to believe. Even if bandwidth isn't an issue, the company owns the equipment and has a right to say how it gets used, and what traffic is permitted. Anybody adding private equipment or running an unauthorized server has to know they're violating company policy, and can expect to be fired when it's discovered. The best way to keep it from happening a second time is to make sure everybody knows just why the fsckwit got canned.
    • The problem with tough security policies is when politics comes into play. No company will fire their top sales guy or their best programmer for a network security violation, unless it caused catastrophic damage. When someone is discovered to be running an unauthorized server or access point, especially if they didn't necessarily know it was running, the most that can really happen is for IT to remove it and warn the person not to do it again. A well-protected network should include monitoring for this sort
      • When someone is discovered to be running an unauthorized server or access point, especially if they didn't necessarily know it was running, the most that can really happen is for IT to remove it and warn the person not to do it again.

        Now that's a good point. My post was made assuming that whoever had the unauthorized stuff on the LAN knew about it. Yes, if it's a matter of carelessness or a piece of misconfigured software, that shouldn't be a firing offense, and I doubt it would be. But knowingly setti

        • Now that's a good point. My post was made assuming that whoever had the unauthorized stuff on the LAN knew about it. Yes, if it's a matter of carelessness or a piece of misconfigured software, that shouldn't be a firing offense, and I doubt it would be. But knowingly setting something like that up, especially if there's a policy forbidding it, should have you out the door so fast your head spins.

          I am not 100% sure that this will always be a winning strategy. I have generally taken the position that one sho
    • > Are there really companies out there that still don't have a policy about not hooking up private
      > equipment to the LAN without permission?

      Yep; lots of them.

      > Are there even any that let you run your own server on their LAN without asking?

      Yep ;>

      > I find that hard to believe. Even if bandwidth isn't an issue, the company owns the equipment
      > and has a right to say how it gets used, and what traffic is permitted.

      True. But where most people look at you funny if you walk into their house
      • You also see this in growing companies.

        At what point do you need a sane LAN policy?

        Yes, I know its a good idea from the beginning, but it doesn't always work like that.

        Many small through mid-sized businesses *still* only use a couple of out-dated Win95 machines for secretaries, and rely upon paperwork for everything else!

        I was shocked when a couple of friends and I started wandering around the *largest* industrial park in the midwest (located outside Chicago), offering our services fixing systems (this
        • Not even every *large* company is at the top of their game, IT-wise, and these aren't failing Korean megaliths; these are successful, highly profitable corporations.

          What this says to me is that a well executed IT plan, while useful, is not critical to line of business apps in most companies. That is, until some worm trashes the network. Translation: a minimally competent IT staff doing enough to fend off disaster is all these companies often need. Anything more is likely viewed as a waste and is primaril

    • At the last large company I worked at, I was allowed to bring in my personal laptop and plug it into the network. They were also pretty permissive about running IIS, Apache, you name it, on our workstations. However, it was pretty funny to watch everyone get Code Red.....
      • They were also pretty permissive about running IIS, Apache, you name it, on our workstations. However, it was pretty funny to watch everyone get Code Red.....

        Why do I get the impression there's a cause/effect relationship here?

  • Tight Network (Score:4, Informative)

    by tburt11 ( 517910 ) on Sunday July 17, 2005 @01:04PM (#13087439)
    I maintain a relatively small network of about 50 workstations and about two dozen other devices.

    I distribute IPs thru DHCP, and I maintain an ACL via IPTABLES on my Linux router. DHCP distributes IPs based on MAC address, and I do allow unknown MACs to get an IP.

    The trick is that any IP that I did not set up in DHCP is blocked via the ACL from all Internet access.

    Invariably, I get some VP/EXEC/VIP call me and ask why his visiting sales rep cannot access his email. I walk into the office and the fellow has jacked into my network.

    My reply is: "Sorry. You can use our WLAN for internet access. No jacking into the network."

    The WLAN is connected outside the firewall, so whatever they do there is of no concern to me.

    Yes, there are flaws in this method, but so far, it has brought every unauthorized network connection to my attention...

    • Yes, there are flaws in this method, but so far, it has brought every unauthorized network connection to my attention...
      How can you be so sure about that?
      • Right. Not like I can set the MAC address on a WIFI router or anything...

        In this case, just like in others, you are relying largely on security through obscurity to provide for your network needs.

        I think that everyone should attempt to conduct an annual security audit of their network, including checking out wireless signals, portscans of all machines on the network, etc. and a detailed review of security plans to make sure that it is still optimal.
  • heh (Score:3, Interesting)

    by Renraku ( 518261 ) on Sunday July 17, 2005 @01:07PM (#13087458) Homepage
    I think I've heard it called 'treasure hunting' before. Especially at places with huge IT departments in the building that just can't seem to find some things that are taking a few IPs. Usually it ends up being a laptop in someone's bag hitting the internet, or a WAP in an abandoned office is serving warez to someone in the building next door.
  • by Ed Almos ( 584864 ) on Sunday July 17, 2005 @01:07PM (#13087459)
    Unplug unused network points.

    Three months ago we had a security audit carried out by an external company. The first thing they did was find a couple of unused offices and plug their laptops into the network points. I'm glad to say that there was no result.

    If you want to take this further then use managed switches and assign each port in use to a specific MAC address. That way if a 'visitor' pulls the plug on one of your computers and plugs their machine in there, there will still be a nil result.

    Ed Almos
    Budapest, Hungary
  • by Anonymous Coward on Sunday July 17, 2005 @01:14PM (#13087493)
    Apparently, kids drive around with laptops looking for open network closets. These fuckers plugged in a cat5e into my switch and started leeching bandwidth for all their friends. I've recommended that my neighbors start locking their doors and change keys often just in case. Also, if you notice any unexplained cat5 going out doors into the back yard, you should investigate.
  • by pe1chl ( 90186 ) on Sunday July 17, 2005 @01:32PM (#13087568)
    For many years, I have been running some simple scripts on a machine on the network that regularly reads out switch MAC tables using SNMP. I also read router ARP tables this way.
    The result can be read from a webserver. IP address, MAC address, switchport and hostname are all conveniently grouped on a line.
    Knowing which switchport it is on, looking in the patch cabinet, I know on which wallsocket a suspicious device is, and a chart on the wall shows me in which room it is.

    Of course the routers have access lists so invalid network addresses aren't routed, and the DHCP server checks if a hostname conforms to the company convention before assigning an address.
    Plugging in your home laptop yields you an alarm, not an address.
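    The correlation this comment describes, as an added example that is not pe1chl's code: it joins a switch's bridge forwarding table (BRIDGE-MIB dot1dTpFdbPort, resolved through dot1dBasePortIfIndex and ifName to a port name) with a router's ARP table (IP-MIB ipNetToMediaPhysAddress) and an authorised-MAC list, and flags any MAC that is not registered. The snmpwalk output, the subnet and the inventory are constructed for the example; live data would come from `snmpwalk -v2c -On` against the switch and router.

```python
"""Correlate a switch's MAC (FDB) table with a router's ARP table and an
authorised-MAC inventory: one IP / MAC / switchport / hostname row per device,
with anything not in the inventory flagged.  Added example, not pe1chl's scripts;
walk output and inventory are constructed (live data: snmpwalk -v2c -On)."""
import re

# Constructed access-switch walk: dot1dTpFdbPort, dot1dBasePortIfIndex, ifName.
SWITCH_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.37.144.1.2.3 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.222.173.190.239.0.1 = INTEGER: 12
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10007
.1.3.6.1.2.1.17.1.4.1.2.12 = INTEGER: 10012
.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: Fa0/3
.1.3.6.1.2.1.31.1.1.1.1.10007 = STRING: Fa0/7
.1.3.6.1.2.1.31.1.1.1.1.10012 = STRING: Fa0/12
"""
# Constructed router ARP walk: ipNetToMediaPhysAddress, index = ifIndex.a.b.c.d
ROUTER_ARP_WALK = """\
.1.3.6.1.2.1.4.22.1.2.1.192.168.10.20 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.2.1.4.22.1.2.1.192.168.10.21 = Hex-STRING: 00 25 90 01 02 03
.1.3.6.1.2.1.4.22.1.2.1.192.168.10.77 = Hex-STRING: DE AD BE EF 00 01
"""
# Constructed inventory; in practice generated from the DHCP host declarations.
AUTHORISED = {"00:11:22:33:44:55": "ws01", "00:25:90:01:02:03": "fileserver"}

FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2."      # dot1dTpFdbPort, index = 6 decimal MAC octets
PORT_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2."  # dot1dBasePortIfIndex
IF_NAME = ".1.3.6.1.2.1.31.1.1.1.1."       # ifName
ARP_PHYS = ".1.3.6.1.2.1.4.22.1.2."        # ipNetToMediaPhysAddress
LINE_RE = re.compile(r"^(\S+) = (\S+): (.*)$")

def parse_walk(text):
    """snmpwalk -On lines -> {oid: value}; the ASN.1 type tag is dropped."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(3).strip()
    return out

def _under(walk, prefix):
    """{index-after-prefix: value} for every OID below prefix."""
    return {o[len(prefix):]: v for o, v in walk.items() if o.startswith(prefix)}

def mac_from_decimal_index(index):
    """'0.17.34.51.68.85' -> '00:11:22:33:44:55'."""
    return ":".join(f"{int(o):02x}" for o in index.split("."))

def mac_from_hex_string(value):
    """'DE AD BE EF 00 01' -> 'de:ad:be:ef:00:01'."""
    return ":".join(p.lower() for p in value.split())

def switch_port_by_mac(walk):
    """MAC -> ifName via FDB -> bridge port -> ifIndex -> ifName.  Every MAC
    learned through the uplink maps to the uplink port; drop that port's
    entries before trusting the result."""
    port_if, if_name = _under(walk, PORT_IFINDEX), _under(walk, IF_NAME)
    return {mac_from_decimal_index(idx): if_name.get(port_if.get(port, ""), f"bridgeport{port}")
            for idx, port in _under(walk, FDB_PORT).items()}

def ip_by_mac(walk):
    """MAC -> IP from the ARP table; the leading ifIndex of the index is dropped."""
    return {mac_from_hex_string(v): idx.split(".", 1)[1]
            for idx, v in _under(walk, ARP_PHYS).items()}

def inventory_report(switch_walk_text, arp_walk_text, authorised):
    """One dict per MAC seen on the switch, sorted by MAC."""
    ports = switch_port_by_mac(parse_walk(switch_walk_text))
    ips = ip_by_mac(parse_walk(arp_walk_text))
    return [{"ip": ips.get(mac, "-"), "mac": mac, "port": port,
             "host": authorised.get(mac, "UNKNOWN"), "known": mac in authorised}
            for mac, port in sorted(ports.items())]

def unknown_devices(rows):
    """Rows whose MAC is not in the inventory: the ones to raise an alarm on."""
    return [r for r in rows if not r["known"]]

if __name__ == "__main__":
    rows = inventory_report(SWITCH_WALK, ROUTER_ARP_WALK, AUTHORISED)
    for r in rows:
        print(f'{r["ip"]:<16}{r["mac"]:<20}{r["port"]:<8}{r["host"]}')
    for r in unknown_devices(rows):
        print(f'ALARM: unregistered {r["mac"]} ({r["ip"]}) on {r["port"]}')
```

    With the constructed data the report lists three devices and raises one alarm, for de:ad:be:ef:00:01 at 192.168.10.77 on Fa0/12, which is the port (and therefore the wall socket) to go and look at.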
  • by presarioD ( 771260 ) on Sunday July 17, 2005 @01:58PM (#13087708)


    how wonderfully clandestine public PR industry operations are nowadays:


    For more information on CDP, visit http://cisco.com/en/US/tech/tk648/tk362/tk100/tech_protocol_home.html [cisco.com]

    Hmmmmmmmm... and the ./ editors will be the first ones to bite.
  • 'What's On Your Network?' is a good question that should have been asked of the resnet techs at my university. Getting on the school network is automated for all computers with a browser, but other hardware-based network equipment must have its MAC registered manually. Needless to say, resnet doesn't actually enjoy it. One time, some moron plugged the ethernet cable from the wall into a LAN jack rather than the WAN. Kids' computers were sending DHCP requests out, receiving two responses, and dragging the
  • Whats on my network? (Score:2, Informative)

    by jesser ( 77961 )
    I'm pretty sure there are no Whats on my network.
  • cripes, people. This is a two-part problem. One, the process issue, deals with how you manage physical port assignment. Two, the technical issue, deals with how you enforce the process. This is most easily done with some form of port security. Map the MAC to the physical port and lock it down. Then disable all the unused ports, and you're set.

    gods, you'd think this was a difficult issue...
  • by mav[LAG] ( 31387 ) on Sunday July 17, 2005 @04:37PM (#13088621)
    ..the BOFH excuse server [yoyo.org]. The random answer it gave me was singularly appropriate although unhelpfully honest:

    your excuse: because of network lag due to too many people playing deathmatch
  • by eno2001 ( 527078 ) on Sunday July 17, 2005 @04:51PM (#13088684) Homepage Journal
    ...wrong audience here. Most /. readers are operating home networks. Very few of them actually have real network related jobs. They might work help desk, or be in IT management. But real network jocks have very little to do with Slashdot.
  • by nurb432 ( 527695 ) on Sunday July 17, 2005 @08:44PM (#13090000) Homepage Journal
    The very first thing you do is make sure you have no live ports just 'laying around'. If you don't have a person at a desk, its jack gets unpatched (or turned off at the switch).

    Secondly, you tie MAC addresses to specific ports on your switches, to help prevent people moving around without your knowledge. It also slows down people from casually swapping their company owned PC with a personal laptop. However, unlike the good old days, it won't slow down those damned wifi boxes since they can clone MAC addresses easily.. But it's at least a start.
  • is there a software that does the following case:

    let's say that you have multiple subnets, 192.168.0.x/24, 192.168.1.x/24, until 192.168.255.x/24 where each router IP is at the start such as 192.168.0.1 (being the default gateway of each.)

    is there something that eats up all the IP addresses such as a computer being a member of all the subnets? i want to prevent people from doing a static IP address (as it will result in IP address conflict). so that thing will listen for dhcp requests and will release
