Re: [LARTC] Personal Firewalls

2005-01-31 Thread Alfred Vahau
> However, there is a possibility if you want to find the computer by
> IP, if you use manageable switches. As you know which IPs are improper,
> you can also find the corresponding MAC address passively from the
> router's ARP table (or actively by arping), and the switches will be
> able to tell you on which port this MAC is plugged. Then you can e.g.
> shutdown the port or follow the cable to the physical computer location.

Just reporting back on how this went. The above worked beautifully and 
the suspect PC has been identified.
Two puzzling aspects which I hope the list will throw some light on are:

1. The ipconfig /all command on Windows returns the description of the 
NIC with company A but the MAC address contains the code for company B 
according to OUI scheme.

http://standards.ieee.org/regauth/oui/oui.txt
Is this an industry practice?
Both IP and MAC addresses match that of the investigated computer.
2. Our proxy access logs show that sites C and D were heavily accessed. 
The browser history shows site D being accessed but not a trace of 
access to C. I am suspecting an ftp server being used.

Thanks in advance for the help.
alfred,
--
Perl - 
"... making the easy jobs easy,
without making the hard jobs impossible."
'The Camel', 3ed

___
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
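The first puzzle above is a lookup against the IEEE registry linked in the message. The OUI (first three octets) identifies the organization that registered that block, which for many adapters is the board or chipset manufacturer rather than the brand the Windows driver description names, and the second-lowest bit of the first octet (the U/L bit) tells you whether the address was set by software at all. The script below is an added example, not code from the thread or from the LARTC project; the registry excerpt, the prefixes and the vendor names in it are constructed for the example and are not real assignments.

```python
import re

# Constructed excerpt laid out like the IEEE OUI registry file
# (http://standards.ieee.org/regauth/oui/oui.txt). The prefixes and
# vendor names below are made up for this example, not real assignments.
SAMPLE_OUI_TXT = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-11-22   (hex)\t\tAcme NIC Works Ltd
001122     (base 16)\t\tAcme NIC Works Ltd
\t\t\t\t1 Factory Road
\t\t\t\tSOMEWHERE
\t\t\t\tEXAMPLE COUNTRY

00-AA-BB   (hex)\t\tBrandco Computers Inc
00AABB     (base 16)\t\tBrandco Computers Inc
\t\t\t\t2 Brand Street
\t\t\t\tELSEWHERE
\t\t\t\tEXAMPLE COUNTRY
"""

# One registry entry per '(hex)' line: "00-11-22   (hex)<tabs>Vendor name"
_HEX_LINE = re.compile(
    r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.+?)\s*$"
)


def parse_oui_txt(text):
    """Build {'001122': 'Acme NIC Works Ltd', ...} from oui.txt-style text."""
    table = {}
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            table[(m.group(1) + m.group(2) + m.group(3)).upper()] = m.group(4)
    return table


def normalize_mac(mac):
    """Accept ipconfig style (00-11-22-33-44-55), Unix style (00:11:22:33:44:55)
    or bare hex and return the 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


def describe_mac(mac, table):
    """Look up the OUI and decode the two flag bits of the first octet."""
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    return {
        "oui": digits[:6],
        "vendor": table.get(digits[:6]),
        # U/L bit set: the address was assigned by software, not the burned-in one
        "locally_administered": bool(first_octet & 0x02),
        # I/G bit set: a group address; a unicast station never sends with this
        "multicast": bool(first_octet & 0x01),
    }


def nic_matches_oui(nic_description, mac, table):
    """Return (matches, vendor): does the first word of the registered vendor name
    appear in the driver description that ipconfig /all prints?"""
    vendor = describe_mac(mac, table)["vendor"]
    if vendor is None:
        return False, None
    return vendor.split()[0].lower() in nic_description.lower(), vendor


if __name__ == "__main__":
    table = parse_oui_txt(SAMPLE_OUI_TXT)
    # Constructed case: driver says Brandco, burned-in prefix is registered to Acme
    print(nic_matches_oui("Brandco Fast Ethernet Adapter", "00-11-22-33-44-55", table))
    print(describe_mac("02-11-22-33-44-55", table))
```

Run against the real oui.txt, a mismatch between driver description and OUI vendor alone proves little, since rebranded adapters are common; a set U/L bit, or a prefix that is not in the registry at all, is the stronger sign that the address on the wire is not the adapter's own and that the MAC should not be trusted as an identifier for that host.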


Re: [LARTC] Personal Firewalls

2005-01-11 Thread Alfred Vahau
Thank you for these pointers. These options will be explored.
alfred,
khurram sohaib wrote:
> You can use Iptraf to monitor traffic, for further restrictions you
> can use dhcp with mac address and add those addresses in your forward,
> filter options in Iptables. This will solve your problem.
>
> if you need the further help for this, please let me know.
> khurram
>
> Message FROM KHURRAM SOHAIB.
>
> > From: Alfred Vahau <[EMAIL PROTECTED]>
> > To: lartc@mailman.ds9a.nl
> > Subject: [LARTC] Personal Firewalls
> > Date: Mon, 10 Jan 2005 13:22:44 +1000
> >
> > Hello,
> > Our ISP provides a firewall and NAT services for our Intranet.
> > However, within the Intranet, there appear to be personal firewalls
> > around some anonymous PCs. The IP addresses of these PCs can
> > be detected by our network monitoring tool.
> >
> > The identity of the user however remains anonymous.
> >
> > Are there any tools that can be used to penetrate the personal firewall
> > and reveal the identity of the users? All our IP addresses fall within
> > specific ranges and the existence of these addresses is against the
> > policies on computer usage.
> >
> > Thanks for any pointers,
> >
> > Alfred Vahau
> > IT Services
> > Uni. PNG

--
Perl is my reason for following the Sun;


Re: [LARTC] Personal Firewalls

2005-01-11 Thread Alfred Vahau

Peter Surda wrote:
> Alfred Vahau wrote:
> > Thanks for the reply. This is the practice at present. We block off
> > one IP and another pops up.
> > At times, quite a few of them appear. We suspect that some of these
> > guys are disgruntled ex-employees who have unauthorized access or are
> > accessing the network with the help of other staff.
>
> Aha, so you suspect malicious intent and not only accidental
> behaviour. In that case you shouldn't expect that some other internal
> information found on the problematic computers is valid either.

We have not dismissed malicious intent. However, the chances of it
happening are quite remote. Rather, the fight is against network abuse.
In line with the core objectives of our institution, there are sites
which are defined as unproductive. It is the access to these sites for
which strange IP addresses spring up, some of which are within our IP
range, and for which the logs do not provide very much information on
the identity of the user.

> However, there is a possibility if you want to find the computer by
> IP, if you use manageable switches. As you know which IPs are
> improper, you can also find the corresponding MAC address passively
> from the router's ARP table (or actively by arping), and the switches
> will be able to tell you on which port this MAC is plugged. Then you
> can e.g. shutdown the port or follow the cable to the physical
> computer location.

Thanks for this pointer. This option looks viable and we will pursue it.
alfred,

> Yours sincerely
> Peter Surda

--
Perl is my reason for following the Sun;


Re: [LARTC] Personal Firewalls

2005-01-11 Thread Alfred Vahau
We don't use a DHCP server but maybe it's an option that needs to be 
looked into.

Alfred,

David Hough wrote:
> On Mon, 2005-01-10 at 18:33, Alfred Vahau wrote:
> > Thanks for the reply. This is the practice at present. We block off one
> > IP and another pops up.
> > At times, quite a few of them appear. We suspect that some of these guys
> > are disgruntled ex-employees who have unauthorized access or are
> > accessing the network with the help of other staff.
>
> It sounds as though you need a script tied in with your DHCP server so
> that only recognised MAC addresses get given IP addresses and only those
> addresses currently allocated get access via the firewall.


Re: [LARTC] Personal Firewalls

2005-01-10 Thread Peter Surda
Alfred Vahau wrote:
> Thanks for the reply. This is the practice at present. We block off
> one IP and another pops up.
> At times, quite a few of them appear. We suspect that some of these
> guys are disgruntled ex-employees who have unauthorized access or are
> accessing the network with the help of other staff.

Aha, so you suspect malicious intent and not only accidental behaviour. 
In that case you shouldn't expect that some other internal information 
found on the problematic computers is valid either.

However, there is a possibility if you want to find the computer by IP, 
if you use manageable switches. As you know which IPs are improper, you 
can also find the corresponding MAC address passively from the router's 
ARP table (or actively by arping), and the switches will be able to tell 
you on which port this MAC is plugged. Then you can e.g. shutdown the 
port or follow the cable to the physical computer location.

> alfred,

Yours sincerely
Peter Surda
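Peter's IP, then MAC, then switch port procedure can be scripted once the switches answer SNMP. The script below is an added example written for this thread, not code from the list or from any project it mentions. It assumes a Linux router whose ARP table is read with `ip neigh show`, and switches that expose BRIDGE-MIB, where a walk of dot1dTpFdbPort (1.3.6.1.2.1.17.4.3.1.2) lists each learned MAC, encoded as six decimal octets in the OID suffix, with the bridge port it was learned on (dot1dBasePortIfIndex, 1.3.6.1.2.1.17.1.4.1.2, maps that bridge port to an ifIndex when you need the interface name). The ARP table and the two snmpwalk outputs are constructed samples, as are the switch names and addresses. The one refinement over the description above is that a MAC is usually learned on several switches at once: on every switch between the router and the host it appears on an uplink port together with many other MACs, and only on the last switch does it sit alone on an access port, so the script separates the two by counting MACs per port.

```python
import re

# Constructed sample of `ip neigh show` on the router (the kernel's ARP table).
# Entries without an lladdr never completed ARP, so there is no MAC to look for.
ARP_TABLE = """\
10.0.5.23 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
10.0.5.40 dev eth1 lladdr 00:aa:bb:cc:dd:ee STALE
10.0.5.99 dev eth1  FAILED
"""

# Constructed samples of `snmpwalk -v2c -c <community> <switch> 1.3.6.1.2.1.17.4.3.1.2`
# (BRIDGE-MIB dot1dTpFdbPort). The OID suffix is the learned MAC as six decimal
# octets, the INTEGER value the bridge port it was learned on. sw-lab-2's port 1
# is its uplink to sw-lab-1, so it sees both hosts' MACs there.
FDB_WALKS = {
    "sw-lab-1": """\
SNMPv2-SMI::mib-2.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 12
SNMPv2-SMI::mib-2.17.4.3.1.2.0.170.187.204.221.238 = INTEGER: 24
""",
    "sw-lab-2": """\
SNMPv2-SMI::mib-2.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 1
SNMPv2-SMI::mib-2.17.4.3.1.2.0.170.187.204.221.238 = INTEGER: 1
""",
}

_NEIGH = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})")
_FDB = re.compile(
    r"17\.4\.3\.1\.2\.(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)\s*=\s*INTEGER:\s*(\d+)"
)


def parse_ip_neigh(text):
    """Return {ip: mac} for every neighbour entry that has a resolved MAC."""
    table = {}
    for line in text.splitlines():
        m = _NEIGH.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def parse_fdb_walk(text):
    """Return {mac: bridge_port} from a dot1dTpFdbPort walk."""
    fdb = {}
    for m in _FDB.finditer(text):
        mac = ":".join("%02x" % int(octet) for octet in m.groups()[:6])
        fdb[mac] = int(m.group(7))
    return fdb


def locate_mac(mac, walks):
    """Find every (switch, port) that learned `mac`. A port that learned only this
    one MAC is reported as an edge port; a port that learned several is most
    likely an uplink to another switch and is reported separately."""
    mac = mac.lower()
    edge, uplinks = [], []
    for switch, text in sorted(walks.items()):
        fdb = parse_fdb_walk(text)
        if mac not in fdb:
            continue
        port = fdb[mac]
        macs_on_port = [m for m, p in fdb.items() if p == port]
        (edge if len(macs_on_port) == 1 else uplinks).append((switch, port))
    return {"edge": edge, "uplinks": uplinks}


def locate_ip(ip, arp_text, walks):
    """IP -> MAC via the router's ARP table, then MAC -> switch port via the
    switches' forwarding tables. Returns None when the IP has no ARP entry."""
    mac = parse_ip_neigh(arp_text).get(ip)
    if mac is None:
        return None
    result = locate_mac(mac, walks)
    result["mac"] = mac
    return result


if __name__ == "__main__":
    print(locate_ip("10.0.5.23", ARP_TABLE, FDB_WALKS))
```

Two things to keep in mind when running this for real: the ARP entry and the forwarding-table entry both age out, so the lookup has to happen while the host is talking (which is what the arping in Peter's message is for), and, as Peter says about information found on the machines themselves, the MAC is under the host's control, so the port is the only one of the three identifiers that the host cannot choose for itself.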


Re: [LARTC] Personal Firewalls

2005-01-10 Thread Alfred Vahau
Thanks for the reply. This is the practice at present. We block off one 
IP and another pops up.
At times, quite a few of them appear. We suspect that some of these guys 
are disgruntled ex-employees who have unauthorized access or are 
accessing the network with the help of other staff.

alfred,

Peter Surda wrote:
> Alfred Vahau wrote:
> > All our IP addresses fall within
> > specific ranges and the existence of these addresses is against the
> > policies on computer usage.
>
> In that case it's easy. Block their network access on the router and
> wait until they contact you :-)
>
> > Alfred Vahau
> > IT Services
> > Uni. PNG
>
> Yours sincerely
> Peter Surda


Re: [LARTC] Personal Firewalls

2005-01-10 Thread David Hough
On Mon, 2005-01-10 at 18:33, Alfred Vahau wrote:
> Thanks for the reply. This is the practice at present. We block off one 
> IP and another pops up.
> At times, quite a few of them appear. We suspect that some of these guys 
> are disgruntled ex-employees
> who have unauthorized access or are accessing the network with the help 
> of other staff.

It sounds as though you need a script tied in with your DHCP server so
that only recognised MAC addresses get given IP addresses and only those
addresses currently allocated get access via the firewall.
-- 
Dave
So many gadgets, so little time
http://www.llondel.org/


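David's suggestion here, and khurram's earlier one of combining DHCP with MAC-based iptables filter rules, amount to the same design: the DHCP server only hands out addresses to registered MACs, and the firewall only forwards traffic from IP/MAC pairs that currently hold a lease. The script below is an added example illustrating that design; it is not code from the thread, from ISC dhcpd or from the netfilter project. It assumes ISC dhcpd, whose dhcpd.leases file appends a record each time a lease changes (so the last record for an address is the current one), and iptables with the `mac` match module. The lease records, hostnames, addresses and interface name are constructed samples.

```python
import re

# Constructed excerpt laid out like ISC dhcpd's dhcpd.leases file. dhcpd appends a
# record every time a lease changes, so an IP can appear several times and the
# last record is the current one.
SAMPLE_LEASES = """\
lease 10.0.5.23 {
  starts 1 2005/01/10 03:15:00;
  ends 1 2005/01/10 15:15:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "lab-pc-7";
}
lease 10.0.5.40 {
  starts 1 2005/01/09 03:15:00;
  ends 1 2005/01/09 15:15:00;
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
lease 10.0.5.23 {
  starts 1 2005/01/10 15:15:00;
  ends 1 2005/01/11 03:15:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "lab-pc-7";
}
"""

_LEASE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
_STATE = re.compile(r"binding state\s+(\w+);")
_HW = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
_HOST = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text):
    """Return {ip: {'mac', 'state', 'hostname'}} with the last record per IP winning."""
    leases = {}
    for m in _LEASE.finditer(text):
        ip, body = m.group(1), m.group(2)
        hw = _HW.search(body)
        state = _STATE.search(body)
        host = _HOST.search(body)
        leases[ip] = {
            "mac": hw.group(1).lower() if hw else None,
            "state": state.group(1) if state else None,
            "hostname": host.group(1) if host else None,
        }
    return leases


def dhcpd_host_stanzas(registered):
    """Render the dhcpd.conf side: one host block per registered (name, mac, ip)
    so that only known MACs receive an address. `deny unknown-clients;` belongs in
    the subnet or pool scope of the same configuration."""
    lines = ["deny unknown-clients;"]
    for name, mac, ip in registered:
        lines.append("host %s { hardware ethernet %s; fixed-address %s; }" % (name, mac, ip))
    return "\n".join(lines) + "\n"


def build_forward_rules(leases, lan_if):
    """Render the firewall side: one FORWARD accept per active lease that requires
    both the leased IP and the leased MAC to match, then log and drop everything
    else arriving from the LAN interface."""
    rules = []
    for ip in sorted(leases):
        lease = leases[ip]
        if lease["state"] != "active" or lease["mac"] is None:
            continue   # free, expired or incomplete records get no rule
        rules.append(
            "iptables -A FORWARD -i %s -s %s -m mac --mac-source %s -j ACCEPT"
            % (lan_if, ip, lease["mac"])
        )
    # unmatched traffic is logged so unregistered hosts show up in syslog
    rules.append('iptables -A FORWARD -i %s -j LOG --log-prefix "unregistered: "' % lan_if)
    rules.append("iptables -A FORWARD -i %s -j DROP" % lan_if)
    return rules


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    print(dhcpd_host_stanzas([("lab-pc-7", "00:11:22:33:44:55", "10.0.5.23")]))
    print("\n".join(build_forward_rules(leases, "eth1")))
```

In practice the rule set is regenerated (flush the chain, re-add) whenever dhcpd rewrites its leases file. The LOG rule is what turns this from a pure block into a detection: a host that picked a static address in the university's range, the case the thread is about, shows up in syslog with its source MAC, which is the input the switch-port lookup needs. The control is only as strong as the MAC, though: a machine configured with a registered host's IP and MAC while that host is off passes both checks, which is why the port-level identification still matters.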


Re: [LARTC] Personal Firewalls

2005-01-10 Thread Peter Surda
Alfred Vahau wrote:
> All our IP addresses fall within
> specific ranges and the existence of these addresses is against the
> policies on computer usage.

In that case it's easy. Block their network access on the router and 
wait until they contact you :-)

> Alfred Vahau
> IT Services
> Uni. PNG

Yours sincerely
Peter Surda


[LARTC] Personal Firewalls

2005-01-09 Thread Alfred Vahau
Hello,
Our ISP provides a firewall and NAT services for our Intranet.
However, within the Intranet, there appear to be personal firewalls
around some anonymous PCs. The IP addresses of these PCs can
be detected by our network monitoring tool.
The identity of the user however remains anonymous.
Are there any tools that can be used to penetrate the personal firewall
and reveal the identity of the users? All our IP addresses fall within
specific ranges and the existence of these addresses is against the
policies on computer usage.
Thanks for any pointers,
Alfred Vahau
IT Services
Uni. PNG

