I like the idea of using a quarantine network by default with a captive portal
assistant to permit certain levels of access if needed. Fairly easy to set up
on LAN and WiFi networks with no problem. Just depends on what you are trying
to secure. Easy to set up audits with MAC tables and SNMP.
I’ve got an easy way to do this, I confiscate ‘em ;)
As others have said, this is a management problem. Untrustworthy parties
shouldn’t have physical access to your trunk ports.
That said, Layer 2 MAC ACLs should block everything and allow only your switches.
Also, do you have lit trunk ports?
How about some scripts around fail2ban? If the same account logs in
multiple times, it's banning time.
Kasper
On Friday, June 8, 2018, David Hubbard wrote:
> This thread has piqued my curiosity on whether there'd be a way to detect
> a rogue access point, or proxy server with an inside and
David,
If you are using a product like ISE/Forescout you could set up multiple layers
of device identification prior to network authorization.
For example, a user would need to spoof the results of a legitimate device to
match the results of:
- NMAP scan
- Domain machine/user auth
- OID/MAC
- etc.
As already said, this can be covered with adequate processes and
management (even so far as: not doing your job right? Time
for HR...). However, there are many ways to ensure that random ports aren't
doing anything other than what they should be doing. Most of these
are L2 security features.
Cisco ISE will accomplish this.
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of segs
Sent: Thursday, June 7, 2018 3:57 AM
To: nanog@nanog.org
Subject: Application or Software to detect or Block unmanaged switches
Hello All,
Please I have a very interesting
Enterprise WiFi systems, such as those by HPE (Aruba) and Cisco, have built-in
rogue detection including integrated spectrum analysis. Every AP becomes a
spectrum analyzer, so the WiFi controller can detect rogue APs, identify
whether or not they’re physically connected to your network, and
There are a few options.
1. Most likely it will leak information (STUN, NAT-PMP, etc.).
2. You could look for obvious signs of NATted traffic (e.g. re-use of the same
source port number to different destinations from the box, etc.).
3. You can look at the TTL or Hop-Count on
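Two of the NAT tells listed in that message, applied to constructed flow records. This is an added example, not code from the thread; the record layout, addresses and the assumption that the records are captured at the access port (so a directly attached host should still show its OS default TTL) are mine.

```python
# Added example (not from the thread): flag source IPs that (1) reuse one source
# port toward several destinations at once and (2) send TTLs that are a common
# OS default minus a hop, or mix several OS defaults behind a single address.
# Flow records are constructed; capture point assumed to be the access port.
from collections import defaultdict

# Constructed records: (src_ip, src_port, dst_ip, dst_port, ttl)
FLOWS = [
    ("10.1.1.50", 51000, "93.184.216.34", 443, 128),  # ordinary Windows host
    ("10.1.1.50", 51001, "93.184.216.35", 443, 128),
    ("10.1.1.77", 40000, "93.184.216.34", 443, 63),   # 64 minus one hop
    ("10.1.1.77", 40000, "151.101.1.69", 443, 127),   # same sport, other dst
    ("10.1.1.77", 40000, "172.217.0.46", 80, 63),
    ("10.1.1.77", 40001, "172.217.0.46", 80, 127),    # Linux and Windows TTLs
]
DEFAULT_TTLS = (64, 128, 255)  # common initial TTLs (Linux/macOS, Windows, network gear)


def port_reuse_suspects(flows, min_dsts=3):
    """Source IPs where one source port is seen toward >= min_dsts distinct
    (dst, dport) pairs: a box translating many inside hosts can look like this."""
    dsts = defaultdict(set)
    for src, sport, dst, dport, _ttl in flows:
        dsts[(src, sport)].add((dst, dport))
    return sorted({src for (src, _sport), seen in dsts.items() if len(seen) >= min_dsts})


def _nearest_default(ttl):
    """Smallest common default TTL >= ttl, or None for values above 255."""
    return min((d for d in DEFAULT_TTLS if d >= ttl), default=None)


def ttl_suspects(flows, max_hops=4):
    """Source IPs whose TTLs sit a few hops below a default (a router behind the
    port) or that map to more than one OS default (several hosts behind one IP)."""
    ttls = defaultdict(set)
    for src, _sport, _dst, _dport, ttl in flows:
        ttls[src].add(ttl)
    out = set()
    for src, seen in ttls.items():
        decremented = any(t not in DEFAULT_TTLS and 0 < _nearest_default(t) - t <= max_hops
                          for t in seen if _nearest_default(t) is not None)
        mixed = len({_nearest_default(t) for t in seen}) > 1
        if decremented or mixed:
            out.add(src)
    return sorted(out)


if __name__ == "__main__":
    print("port reuse:", port_reuse_suspects(FLOWS))
    print("ttl anomalies:", ttl_suspects(FLOWS))
```

Both heuristics produce false positives on their own (a host with a VPN client, or a legitimately routed segment, also shows decremented TTLs), so treat an address that trips several of them as the candidate for a physical check, not as proof.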
This is one of the reasons why large organizations, such as the ones you
describe, have both portable spectrum analyzers (covering the 2400 range
and 5150-5850 MHz 802.11(whatever) bands), and also ability to hunt for MAC
addresses of wifi devices that don't match known centrally managed APs.
Even
This thread has piqued my curiosity on whether there'd be a way to detect a
rogue access point, or proxy server with an inside and outside interface?
Let's just say 802.1x is in place too to make it more interesting. For
example, could employee X, who doesn't want their department to be back
I guess you can do that and more with a Linux-based switch like Cumulus and
Pica8.
They allow you to do all sorts of things like that because they are open.
On Thursday, June 7, 2018, wrote:
> In my previous life, we used a NAC appliance from Bradford Networks
> whereby the MAC address of
In my previous life, we used a NAC appliance from Bradford Networks whereby the
MAC address of every device needed to be registered or the switch port it was
plugged into would be disabled.
This kept spurious devices from appearing on the network and worked quite well.
Cheers, Keith
When we do NIST-CSF audits, we run an SNMP NMS called Intermapper, which has a
Layer-2 collection feature that identifies the number and MACs of devices on
any given switch port. We export this list and cull out all the known managed
switch links. Anything remaining that has more than one MAC
As someone already stated the obvious answers, the slightly more difficult
route would be to get a count of allowed devices and MAC addresses, then move
forward with something like Ansible to poll the count of MACs on any given
port ... of number higher than what's allowed, suspend the port.
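The per-port MAC audit that the Intermapper message and the Ansible message above both describe, written out against a constructed MAC-address table. This is an added example, not code from either poster; the table text, port names and the known-uplink list are made up.

```python
# Added example (not from the thread): parse a switch MAC-address table, drop
# the ports documented as managed switch-to-switch links, and report any
# remaining port carrying more MACs than its role allows. Sample data is
# constructed in the layout many switches use for "show mac address-table".
from collections import defaultdict

MAC_TABLE = """\
Vlan  Mac Address     Type     Ports
10    0011.2233.4455  DYNAMIC  Gi1/0/1
10    0011.2233.4466  DYNAMIC  Gi1/0/2
10    0011.2233.4477  DYNAMIC  Gi1/0/2
10    0011.2233.4488  DYNAMIC  Gi1/0/2
20    0011.2233.4499  DYNAMIC  Gi1/0/3
10    00aa.bbcc.0001  DYNAMIC  Gi1/0/24
10    00aa.bbcc.0002  DYNAMIC  Gi1/0/24
20    00aa.bbcc.0003  DYNAMIC  Gi1/0/24
"""

# Ports known to be managed uplinks (constructed); these legitimately carry many MACs.
KNOWN_UPLINKS = {"Gi1/0/24"}


def parse_mac_table(text):
    """Return {port: set(mac)} from the table text, skipping header/blank lines."""
    macs_by_port = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # header line or unexpected layout
        _vlan, mac, _kind, port = parts
        macs_by_port[port].add(mac.lower())
    return dict(macs_by_port)


def suspect_ports(macs_by_port, known_uplinks, max_macs=1):
    """[(port, mac_count)] for ports that are not documented uplinks yet carry
    more than max_macs addresses, most suspicious first. A port feeding a
    small unmanaged switch shows up here with every host behind it."""
    hits = [(port, len(macs)) for port, macs in macs_by_port.items()
            if port not in known_uplinks and len(macs) > max_macs]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for port, count in suspect_ports(parse_mac_table(MAC_TABLE), KNOWN_UPLINKS):
        print(f"{port}: {count} MACs, possible unmanaged switch")
```

A VoIP phone with a PC daisy-chained behind it legitimately presents two MACs, so set max_macs per port role (or check the voice VLAN separately) before acting on the list.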
On 7 June 2018 at 04:57, segs wrote:
> Hello All,
>
> Please, I have a very interesting scenario that I am on the lookout for a
> solution for. We have instances where the network team of my company bypasses
> controls and processes when adding new switches to the network.
>
> To put a finer point
On Thu, Jun 7, 2018 at 3:57 AM, segs wrote:
[snip]
> Please, I have a very interesting scenario that I am on the lookout for a
> solution for. We have instances where the network team of my company bypasses
> controls and processes when adding new switches to the network.
The NETWORK management
segs wrote on 07/06/2018 09:57:
Is there a solution that can detect new or unmanaged switches on the
network and block such devices, or a solution that blocks users
who connect to unmanaged switches on the network even if those users have
domain PCs?
This is really an enterprise
Hello All,
Please, I have a very interesting scenario that I am on the lookout for a
solution for. We have instances where the network team of my company bypasses
controls and processes when adding new switches to the network.
The right parameters that are required to be configured on the switches