What's On Your Network? 188
An anonymous reader writes "According to a Whitedust article you may currently have more on your network than you think you do. The article claims that not much security attention is generally given to one of the most elusive aspects of computer security; that of physical connectivity." From the article: "Broadcast traffic is on the rise, with more suspicious user activity in the logs every day. Then one morning you get a call from your irate boss wanting to know why he no longer has a network connection, yet the employees - or students or whoever - down the hall are able to play games and visit porn sites, at blazing speeds no less."
Company policy enforcement? (Score:2)
I know that many (perhaps most) large corporations have incorporated strong policies regarding what an employee can plug into a network. Does this help the problem with unwanted 'network use' or do the policies get ignored?
Re:Company policy enforcement? (Score:3, Insightful)
Plugging other machines that are non-Windows is not likely to create near as many problems. The exception to that would be wifi that is not properly secured (default settings).
It's the untrusted employee that is trying to subvert your networks that you have to worry about more than anything.
And company policy will not stop that anyway.
Re:Company policy enforcement? (Score:2, Troll)
Re:Company policy enforcement? (Score:4, Informative)
FUD. NFS has its uses. Just don't let untrusted (i.e. generally used desktops, etc) have direct access to it.
The better solution is to use NFS as a fast setup for sharing disk space between a number of servers (say, for load balanced web servers running CPU-bound scripts) and read-only NFS for home directories with read-write AFS subdirectories (via symlinks?) used for anything important (things have to be done this way because AFS cannot be accessed during the login process due to credential issues).
NFS is not an *automatic* security problem. It is just a *likely* security problem.
Re:Company policy enforcement? (Score:2)
Re:Company policy enforcement? (Score:2)
Read only NFS is a good way to get around the limitations inherent in AFS, however, which was my main point.
r/w NFS is somewhat dangerous, especially if it is used in an environment where anyone can use any arbitrary computer system that they bring in from home. If you get someone's UID, you can alter your
But if you use it primarily as a content serving mechan
Re:Company policy enforcement? (Score:2)
Good for you, but again the point is that you need some sort of MAC or port security to really do this.
Otherwise it's the same argument as the Windows guy who patches routinely but gets attacked by the random consultant laptop.
Re:Company policy enforcement? (Score:2)
about 1986.)
On further research, incorrect but certainly not 100% bullshit. Most of the information I had was outdated based on deployments made out of concerns of supportability.
The problem occurs when AFS and MIT Kerberos are used on the same network. kinit can only talk
Re:Company policy enforcement? (Score:2)
Plugging in anything without a competent admin can create problems. The hordes of owned Linux machines banging away on ssh is proof of that. The theory is that the company hires competent people to keep the work machines secure and bans all other machines because they have no way to guarantee that the desktop jockey who wants to run his/her own machine can and will do so. It also helps with software licensing i
I'm more worried about my home network. (Score:2, Insightful)
Now can someone please tell me why tcpdump and tcpflow -c don't do the same thing. tcpflow seems to grab the entire data sans headers but misses most all of the lower level traffic (e.g. ARP who-has etc), whil
Re:I'm more worried about my home network. (Score:2)
Presumably by "AFP" you mean "AppleTalk" - I wouldn't expect to see Apple File Protocol traffic unless some machine is accessing a file server. Perhaps the Macs are sending some sort of AppleTalk broadcast announcements.
What sort of NetBIOS traffic are you seeing?
Re:I'm more worried about my home network. (Score:2)
Umm, WHAT? Can you elaborate? This sounds like NAT without a filter. I often see packets from 192.168.0.2 trying to enter my border router(!). NAT is no security measure!
Re:I'm more worried about my home network. (Score:2)
Then you will, of course, see AFP "noise" on your network, although I wouldn't call it "noise" if you're intentionally using it. You might get broadcast or multicast announcements of service from the machines acting as servers.
Unlikely - Rendezvous^H^H^H^H^H^H^H^H^HBonjour [weebls-stuff.com] is, among other things, a mechanism for announcing services, so Bonjour [apple.com]-related stuff wouldn't need to u
Re:I'm more worried about my home network. (Score:2)
Or "name service" - see RFC 1001 and RFC 1002 (NetBIOS Name Service for NetBIOS-over-TCP, a/k/a "NBT", which, the name notwithstanding, uses UDP for some functions).
That's a NetBIOS Name Service query; I'd only expect to see that if you're doing SMB mounts from an SMB server (Windows, Samba, etc.) or perhaps if you're running Samb
Re:I'm more worried about my home network. (Score:2)
It already does, but you need to run with "-vv".
Re:I'm more worried about my home network. (Score:2)
OK, that might be where the NBNS broadcasts are coming from.
Maybe this is just me... (Score:5, Insightful)
Re:Maybe this is just me... (Score:5, Insightful)
Re:Maybe this is just me... (Score:5, Informative)
Sure, where the employer can pay for it you'll have very good administrators, be it Windows or not. On most smaller sites, the administrator is not a full-time administrator, and is doing administration ad-hoc to his real job. This usually means that he does not have much training in this, nor much time for it either. Now, with all these (useful) Plug-and-Play devices you are bound to have some problems.
Re:Maybe this is just me... (Score:3, Interesting)
Re:Maybe this is just me... (Score:4, Insightful)
However, when you are planning or deploying your network, it makes sense to add filters to nearly all routers (a standard filter set) which allows you to monitor for certain types of common misconfigurations and problems. This can be largely automated so you don't have to dedicate a large amount of manpower to reading and parsing through logs. Ideally such a router management infrastructure would require very little overhead to manage.
When something turns up, you need to investigate it. Find out what is going on. If it is an in-house server some department is running, find out what it is doing, discuss what needs to be done about it, and find out what you can do to add the required functionality to your server infrastructure (one possibility is to grant the department some level of approval in operating the server if it is important to the business).
Security exists in a balance with LOB requirements. Heavily pushing one or the other side is a recipe for business failure.
Re:Maybe this is just me... (Score:3)
That would require IT security people being cooperative instead of adversarial...
Re:Maybe this is just me... (Score:2)
"No. You get what you pay for."
Which I guess actually means yes, right? Since all the Windows trolls constantly complain that no one can afford Linux admins since they "cost so much" which is supposedly why Linux TCO is higher than Windows - if you're dumb enough to believe ANYTHING Microsoft says.
static dhcp ? (Score:4, Interesting)
Perhaps a subnet just for non-assigned? (Score:2)
Then a special range is set up that isn't able to access crap that is assigned to all new devices that aren't in the dhcpd.conf.
Any problems with that?
Re:Perhaps a subnet just for non-assigned? (Score:3, Insightful)
(This is actually done relatively frequently, so I'm definitely not saying anything original here.)
Re:Perhaps a subnet just for non-assigned? (Score:2)
Redirect ALL web requests to a page that says you're an unregistered unit, contact IT, etc...
Re:Perhaps a subnet just for non-assigned? (Score:2, Informative)
Re:static dhcp ? (Score:2)
Registration of MAC addresses sounds pretty secure but couldn't one plug a switch in between 2 authorised devices and packet-sniff until a MAC address was found? (forgive me if this is stupid, I'm a security noob)
Re:static dhcp ? (Score:3, Informative)
Re:static dhcp ? (Score:3, Informative)
As for WiFi's security, it's flawed, and slows down attackers rather than stopping them. WEP can be broken relatively easily, and hiding your SSID doesn't save you either contrary to what some people might think.
The real way to handle WiFi security is to open a VPN with strong encryption to your rou
Before anyone implements this... (Score:2)
How is this "pretty good" then? It would take someone with access to a network port 2 seconds to find out your subnet information and would take them another 2 seconds to skip DHCP completely and put an address in manually. Even worse, they could add your entire subnet to the list of IP addresses on the system and cause IP address collisions with every host on your network.
Before anyone implements this suggestio
Re:static dhcp ? (Score:2)
Re:static dhcp ? (Score:2)
Re:static dhcp ? (Score:2)
nice idea, and it slows people down. give me 5 minutes, ethereal, and ifconfig, and i can find a valid MAC, spoof it, and be happily requesting my own IP -- so it is far from perfect
Combine it with reactive measures like turning off the switch port attached to abusive hosts and it's pretty damn good.
Re:static dhcp ? (Score:3, Informative)
Only way around it was to spoof your MAC with a known good one that you knew was offline, because as soon as it came online, you would be booted off due to the conflict.
Re:static dhcp ? (Score:2)
Could you then watch for inbound traffic whose destination inside your network is a different subnet such as one in a NAT?
Re:static dhcp ? (Score:2)
Re:static dhcp ? (Score:2)
Why not just give the NIC a new MAC? The router's not using its old one anymore.
Re:static dhcp ? (Score:2)
Re:static dhcp ? (Score:2)
Re:static dhcp ? (Score:2)
Try again
Actually, 802.1x is a pretty good idea. We use it at school to control access to the wireless network. That way when some wireless dude starts spreading viruses we can suspend all of his accounts and force him to clean his f-ing machine. (It's drastic in my mind, but
Re:static dhcp ? (Score:2)
And of course, as Marcus Ranum's article "Stupid About Software" rants, the school immediately sued them for breach of contract?
Right.
Just like City College of San Francisco required Innovative Interfaces Inc. to supply the library with an integrated library system (cost: $100K) that would retrieve student data from the SCT Banner system to determine who was registered before providing library services. The library head suppo
Interesting points but possibly too specific (Score:4, Insightful)
This article raises the issue of internal network security, which is something that's been increasing in profile as a security risk over the past few years as ethernet/wifi enabled devices get smaller, cheaper and easier to hide. However, this article's specific Cisco approach to dealing with things by tracking them back through routers and cisco-specific tools seems to be of less use than more general scanning and identification measures.
It's safe to say a good proportion of administrators already on networks with devices migrating on and off at will already have a consideration for these problems, and the specific approach detailed in the article may not be of best use to those less experienced admins starting to tackle this issue on their networks.
DHCP fun (Score:5, Funny)
It's amazing all the little devices that show up. Switches, old print servers, workstations tucked away in a corner somewhere that time forgot....now that many of these networks are starting to push 10 years, it's like archeology.
Every now and then you find something that you just can't physically find. Lotsa fun.
Re:DHCP fun (Score:5, Funny)
Obligatory bash.org [bash.org] quote:
<erno> hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.
Re:DHCP fun (Score:2)
Re:DHCP fun (Score:2)
Re:DHCP fun (Score:3, Interesting)
This happened in Trinity College [www.tcd.ie] a few years ago. There were a few old AS400 Servers the Admins had forgotten about till one crashed and killed 3 of the main backend Databases which were running on them.
After 2 months of looking for the Servers, following a jungle of Cat5, Coax and AUX leads, it turned out that there was some building work done about 6 years before in an old section of the College that's not been used anymore and the Servers were hidden in a room that had been blocked off behind a new wall t
Re:DHCP fun (Score:3, Informative)
Strangely enough, the exact same thing happened at UNC-CH, except it was a Netware 3.12 server. And it happened at MIT, except it was an RS/6000, and at CWRU it was a SCO Uni
Re:DHCP fun (Score:4, Insightful)
Age old machines that just run and are scattered around without sense can certainly fall to that. What about Sun and losing a major chip fab machine? Turned out some recently departed developer's desktop ran something that was critical to operations, but was formatted after he left. I'm off on the details as to what purpose it fulfilled, but its disappearance was noted at the executive (CIO) level because of its disturbance to the company's operations. Whoopsie?
Re:DHCP fun (Score:3, Interesting)
Yes [freeserve.co.uk] (there are better references on this but I couldn't locate them...)
Re:DHCP fun (Score:2, Informative)
Re:DHCP fun (Score:2)
Re:DHCP fun (Score:2)
http://www.theregister.co.uk/2001/04/12/missing_n
I find it hard to believe (Score:3, Insightful)
Re:I find it hard to believe (Score:2)
Re:I find it hard to believe (Score:2)
Now that's a good point. My post was made assuming that whoever had the unauthorized stuff on the LAN knew about it. Yes, if it's a matter of carelessness or a piece of misconfigured software, that shouldn't be a firing offense, and I doubt it would be. But knowingly setti
Re:I find it hard to believe (Score:2)
I am not 100% sure that this will always be a winning strategy. I have generally taken the position that one sho
Re:I find it hard to believe (Score:2, Interesting)
> equipment to the LAN without permission?
Yep; lots of them.
> Are there even any that let you run your own server on their LAN without asking?
Yep
> I find that hard to believe. Even if bandwidth isn't an issue, the company owns the equipment
> and has a right to say how it gets used, and what traffic is permitted.
True. But where most people look at you funny if you walk into their house
Re:I find it hard to believe (Score:2)
At what point do you need a sane LAN policy?
Yes, I know it's a good idea from the beginning, but it doesn't always work like that.
Many small through mid-sized businesses *still* only use a couple of out-dated Win95 machines for secretaries, and rely upon paperwork for everything else!
I was shocked when a couple of friends and I started wandering around the *largest* industrial park in the midwest (located outside Chicago), offering our services fixing systems (this
Re:I find it hard to believe (Score:2)
Not even every *large* company is at the top of their game, IT-wise, and these aren't failing Korean megaliths; these are successful, highly profitable corporations.
What this says to me is that a well executed IT plan, while useful, is not critical to line of business apps in most companies. That is, until some worm trashes the network. Translation: a minimally competent IT staff doing enough to fend off disaster is all these companies often need. Anything more is likely viewed as a waste and is primaril
Re:I find it hard to believe (Score:2)
Re:I find it hard to believe (Score:2)
Why do I get the impression there's a cause/effect relationship here?
Re:I find it hard to believe (Score:2)
I don't know; I've never tried. There are a lot of ways to use a network without putting up an unauthorized server, or bringing your private laptop in and hooking it up. If you really need to do either of those, ask for permission. If there's a good reason, you should be able to get it, provided you take proper precautions. But nobody should be allowed to hook things up without telling a
Re:I find it hard to believe (Score:2)
Many IT admins will say you cannot use Firefox on their Network, or a non-Windows 2000 box (even XP, or Mac, or Linux), because they aren't secure.
When you have IT admins living in the dark ages, breaking the rules sometimes can be the difference between getting the job done and failing miserably.
Also, when the people violating the rules out-rank the people running the IT department, breaking the rules mainly just gets you nasty looks rather than canned.
If its nasty looks versus getting
Re:I find it hard to believe (Score:2)
Re:I find it hard to believe (Score:2)
Tight Network (Score:4, Informative)
I distribute IPs thru DHCP, and I maintain an ACL via IPTABLES on my Linux router. DHCP distributes IPs based on MAC address, and I do allow unknown MACs to get an IP.
The trick is that any IP that I did not set up in DHCP is blocked via the ACL from all Internet Access.
Invariably, some VP/EXEC/VIP calls me and asks why his visiting sales rep cannot access his email. I walk into the office and the fellow has jacked into my network.
My reply is: Sorry, you can use our WLAN for internet access. No jacking into the network.
The WLAN is connected outside the firewall, so whatever they do there is of no concern to me.
Yes, there are flaws in this method, but so far, it has brought every unauthorized network connection to my attention...
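The two setups described in this thread (the "special range for anything not in dhcpd.conf, redirect its web requests to a register-with-IT page" suggestion earlier, and the "only IPs I set up in DHCP get Internet access, everything else is blocked and noticed" approach in the post above) can be generated from the same reservation list. The script below is an added example, not the poster's configuration: it takes a constructed `hostname mac ip` list (the same data the DHCP reservations are built from), prints the iptables commands for the router as a dry run, and pins each ACCEPT to the reserved MAC as well as the IP, which goes slightly beyond the post so that a host that merely types in a reserved address by hand does not match (a cloned MAC still would, as others in the thread point out). Interface names, the 192.168.1.0/24 subnet and the registration page on port 8080 are assumptions.

```shell
#!/bin/sh
# Added example: build the "known hosts out, unknown hosts to the registration page" ACL.
# Nothing here runs iptables; it prints the commands so they can be reviewed, then
# piped to sh as root on the router. All addresses below are constructed samples.

# Reservation list in the shape "hostname mac ip", one per line ('#' lines are comments).
RESERVATIONS=$(cat <<'EOF'
# hostname        mac                 ip
ws-alice          00:11:22:33:44:01   192.168.1.10
ws-bob            00:11:22:33:44:02   192.168.1.11
prn-2f            00:11:22:33:44:03   192.168.1.50
EOF
)

# Print the iptables commands for: gen_acl <lan_if> <wan_if> <lan_net> <register_port>
gen_acl() {
    lan_if=$1; wan_if=$2; lan_net=$3; reg_port=$4

    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F PREROUTING"
    # Replies to sessions that were already allowed are fine in both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # One rule per reservation: the IP must arrive from the MAC it was reserved for.
    # In the nat table the same hosts RETURN early so they are not redirected.
    printf '%s\n' "$RESERVATIONS" | awk '!/^#/ && NF==3 {print $2, $3}' |
    while read -r mac ip; do
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $ip -m mac --mac-source $mac -j ACCEPT"
        echo "iptables -t nat -A PREROUTING -i $lan_if -s $ip -m mac --mac-source $mac -j RETURN"
    done

    # Everyone else on the LAN: web requests land on the local "unregistered unit,
    # contact IT" page (assumed to listen on $reg_port), the rest is logged and dropped.
    echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $reg_port"
    echo "iptables -A INPUT -i $lan_if -p tcp --dport $reg_port -j ACCEPT"
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -m limit --limit 6/min -j LOG --log-prefix 'UNREGISTERED-HOST: '"
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -j DROP"
}

# True (exit 0) if the address has a reservation, i.e. would be let out by the ACL.
acl_allows() {
    printf '%s\n' "$RESERVATIONS" | awk -v ip="$1" '!/^#/ && $3==ip {found=1} END {exit found ? 0 : 1}'
}

# Dry run when executed directly: gen_acl eth1 eth0 192.168.1.0/24 8080 | sudo sh
[ "${0##*/}" = "acl.sh" ] && gen_acl eth1 eth0 192.168.1.0/24 8080
```

The LOG line with `-m limit` is what turns the post's "brought every unauthorized connection to my attention" into something that actually shows up in syslog without flooding it; grepping for the `UNREGISTERED-HOST:` prefix gives the source IP and MAC of the device that was plugged in.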
Re:Tight Network (Score:2)
Re:Tight Network (Score:2)
In this case, just like in others, you are relying largely on security through obscurity to provide for your network needs.
I think that everyone should attempt to conduct an annual security audit of their network, including checking out wireless signals, portscans of all machines on the network, etc. and a detailed review of security plans to make sure that it is still optimal.
heh (Score:3, Interesting)
A Simple Security Precaution (Score:5, Informative)
Three months ago we had a security audit carried out by an external company. The first thing they did was find a couple of unused offices and plug their laptops into the network points. I'm glad to say that there was no result.
If you want to take this further then use managed switches and assign each port in use to a specific MAC address. That way if a 'visitor' pulls the plug on one of your computers and plugs their machine in there, there will still be a nil result.
Ed Almos
Budapest, Hungary
I had to start locking my house doors (Score:4, Funny)
Re:I had to start locking my house doors (Score:3, Funny)
Well how did these "fuckers" get in in the first place?
Through the CAT-5e flap?
Re:I had to start locking my house doors (Score:2)
Do some mapping before it is too late (Score:3, Interesting)
The result can be read from a webserver. IP address, MAC address, switchport and hostname are all conveniently grouped on a line.
Knowing which switchport it is on, looking in the patch cabinet, I know on which wallsocket a suspicious device is, and a chart on the wall shows me in which room it is.
Of course the routers have access lists so invalid network addresses aren't routed, and the DHCP server checks if a hostname conforms to the company convention before assigning an address.
Plugging in your home laptop yields you an alarm, not an address.
Re:Do some mapping before it is too late (Score:2)
(unfortunately the match syntax does not allow regular expressions, but it does have 'and' and 'or' so we just add up a lot of checks)
This is done using ISC DHCPD.
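The "one line per device: IP, MAC, switchport, hostname" view from the post above, plus its hostname-convention check, as an added example rather than the poster's script. It joins three constructed inputs: an `arp -an`-style dump from the router, a Cisco-style `show mac address-table` dump from the access switch, and the list of MACs with their registered hostnames. Devices whose MAC is not registered come out tagged UNKNOWN with the port they were seen on, which is the lookup the post does against the patch cabinet chart. The ws-/srv-/prn- prefix rule standing in for "the company convention" is an assumption.

```shell
#!/bin/sh
# Added example: correlate ARP table, switch MAC table and the registration list.
# All three inputs are constructed samples embedded here so the script runs offline.

ARP_TABLE='? (192.168.1.10) at 00:11:22:33:44:01 [ether] on eth1
? (192.168.1.50) at 00:11:22:33:44:03 [ether] on eth1
? (192.168.1.77) at 00:de:ad:be:ef:01 [ether] on eth1'

# Cisco-style columns: vlan, mac (dotted), type, port
MAC_TABLE='  10    0011.2233.4401    DYNAMIC     Gi0/1
  10    0011.2233.4403    DYNAMIC     Gi0/5
  10    00de.adbe.ef01    DYNAMIC     Gi0/7'

# Registered devices: "mac hostname"
KNOWN='00:11:22:33:44:01 ws-alice
00:11:22:33:44:02 ws-bob
00:11:22:33:44:03 prn-2f'

# Normalise a MAC to lowercase aa:bb:cc:dd:ee:ff, accepting the dotted Cisco form too.
norm_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.' |
        sed 's/\(..\)\(..\)\(..\)\(..\)\(..\)\(..\)/\1:\2:\3:\4:\5:\6/'
}

# The naming convention the DHCP server enforces (assumed): a role prefix, then
# at least one alphanumeric character. A home laptop called "laptop" fails this.
hostname_ok() {
    case "$1" in
        ws-[a-z0-9]*|srv-[a-z0-9]*|prn-[a-z0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Switch port a MAC was last seen on, or "?" if the switch does not know it.
port_of() {
    want=$(norm_mac "$1")
    printf '%s\n' "$MAC_TABLE" | while read -r vlan mac kind port; do
        if [ "$(norm_mac "$mac")" = "$want" ]; then printf '%s' "$port"; fi
    done
}

# One line per ARP entry: ip mac port hostname (UNKNOWN if not registered).
inventory() {
    printf '%s\n' "$ARP_TABLE" | while read -r q ip at mac rest; do
        ip=${ip#\(}; ip=${ip%\)}
        mac=$(norm_mac "$mac")
        port=$(port_of "$mac")
        name=$(printf '%s\n' "$KNOWN" | awk -v m="$mac" '$1==m {print $2}')
        printf '%s %s %s %s\n' "$ip" "$mac" "${port:-?}" "${name:-UNKNOWN}"
    done
}

# Just the devices that should raise the alarm the post mentions.
unknown_devices() {
    inventory | awk '$4=="UNKNOWN"'
}

[ "${0##*/}" = "inventory.sh" ] && unknown_devices
```

In production the three here-strings would be replaced by `arp -an` on the router, an SNMP or SSH pull of the switch's forwarding table, and the DHCP reservation file; the join logic stays the same, and cron plus a diff against yesterday's inventory is enough to turn a new UNKNOWN line into an alert.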
This article is brought to you by Cisco(TM)... (Score:3, Insightful)
how wonderfully clandestine public PR industry operations are nowadays:
For more information on CDP, visit http://cisco.com/en/US/tech/tk648/tk362/tk100/tec
Hmmmmmmmm... and the
Re:This article is brought to you by Cisco(TM)... (Score:2)
Here *kneeling down and extending the neck*. I surrender to the grammar nazis. Please be swift and painless...
Re:This article is brought to you by Cisco(TM)... (Score:2)
Since when exposing a PR stunt is considered negative comment?
Why did you post a response anonymously?
Big hug and kisses!
Sometimes, DHCP sucks (Score:2, Interesting)
What's on my network? (Score:2, Informative)
oh good lord (Score:2)
gods, you'd think this was a difficult issue...
Re:oh good lord (Score:2)
Seriously, this problem is almost entirely a process issue, not technical.
Time to fire up... (Score:3, Funny)
your excuse: because of network lag due to too many people playing deathmatch
Ummm... (Score:3)
Re:Ummm... (Score:2)
Security starts at the closet (Score:3, Insightful)
Secondly, you tie MAC addresses to specific ports on your switches, to help prevent people moving around without your knowledge. It also slows down people from casually swapping their company owned PC with a personal laptop. However, unlike the good old days, it won't slow down those damned wifi boxes since they can clone MAC addresses easily.. But it's at least a start.
a possible solution? (Score:2)
let's say that you have multiple subnets, 192.168.0.x/24, 192.168.1.x/24, until 192.168.255.x/24 where all the router IPs are at the start such as 192.168.0.1 (being the default gateway of each.)
is there something that eats up all the IP addresses such as a computer being a member of all the subnets? i want to prevent people from doing a static IP address (as it will result in IP address conflict). so that thing will listen for dhcp requests and will release
Re:Wouldn't Static IP's limit the problem? (Score:3, Informative)
Short answer: no.
Just having static IP addresses isn't enough. Actually, even the pseudo-static DHCP (via MAC address) is "good enough" but also vulnerable to exploit by manually setting the MAC address of the alien network interface to one that is allowed to get an IP (there's more complexity to doing that, but suffice it to say it can be done).
To answer your question: if your network relies solely on the IP address on some guys work
Welcome to Slashdot. Home of the insensitive clod. (Score:2)
Re:Welcome to Slashdot. Home of the insensitive cl (Score:2, Funny)
Clearly this is a very effective way to improve the security on the networks around the world... ah, pardon the pun, I mean the Job Security for our dear paid up members of the Network Security Guild.
Re:Welcome to Slashdot. Home of the insensitive cl (Score:2)
Re:Thank you, Dr. Obvious (Score:2)
Beyond setting up for a lan party, that was all the networking savvy I wanted as a developer. Problem is they went off and right-sized the IT folks who would handle that sort of thing. I just got done setting up a Solaris box - and other than running patchadd and googling through the network config - I have no clue what else is running with a 'normal' Solaris 8 install. Not even sure how to check what ports are listening. All that has v
Re:ridiculous article, company LAN = filtered (Score:2)
To take care of TCP blocking, just make a home webserver, and encapsulate everything in bla bla bla . This simple tactic gets past dumb content filters that look for webpages only. Better if you encrypt "bla bla bla" in some non-cpu intensive computation.. Perhaps XOR with a shared key.
To get around UDP blocking, well.... if the company doesn't have a domain server set up, usually 53 is allowed in/out. Just change ports appropriately to that one. If they DO
Porn Sites hurt Feelings. (Score:5, Insightful)
You apparently do not live in the U.S. You see, here we have these things called laws that are written and voted upon by hairless monkeys that are given offices by people that can't be bothered to read and vote on these "laws" themselves.
Some of these "laws" revolve around personal opinion and human emotions known as "feelings." They state that if you do something that hurts someone else's "feelings" you will go to jail and have to give them a lot of money.
This has caused a rash outbreak of people "sniping" or hiding out in bushes that sometimes decorate offices and awaiting an unsuspecting employee to briefly brush past a site holding pornographic material. Google.com is a good example. In this instance they leap from the previously hidden sniping bush and proclaim that the barest hint of an unclothed nipple has hurt their "feelings"
This results in a winning lawsuit in which the unknowing employee receives a new boyfriend at the same time that he is given to the sniper as a money slave for the rest of his life. Sometimes it even results in the closing of an entire company and results in a rise in unemployment which these people called "taxpayers" really have something against.
A couple of years ago something that looked almost like a nipple, but clearly wasn't, caused a major change in the entire U.S. broadcasting industry because of all the people whose "feelings" the wardrobe malfunction had caused to be hurt.
This has caused companies to be very careful about keeping anything that could possibly hurt "feelings" out of their offices and off of their computers. Where I work, we usually just leave the computers turned off ....
More like "sexual harassment" (Score:2)
This has caused a
What case was that? (Score:2)
Honestly, so much of this liability paranoia is such crap it boggles the mind that people actually believe it. Sure, if someone is doing something illegal, the company may be questioned and asked for assistance by the authorities, but that's a far cry from "Sometimes it even results in the closing of an entire company and results in a rise in unemployment w
Re:a quality of service (QOS) device can fix this (Score:2)
For example, limit bandwidth for Quake to 500bps or less. Just enough that they can seem to start but can't effectively play the game. Combined with something like IPTables, one could even do something like drop packets for Quake above a certain size, making gameplay both impossible and annoying.
Of course I don't see how this helps people be productive at work. Just plain old IPTables can do all this, log details, and provide good monit