BugTraq
Re: Tool for Identifying Rogue Linksys Routers Aug 27 2005 08:26AM
Volker Tanger (vtlists wyae de)
Hi Group!

On Fri, 26 Aug 2005 09:32:31 -0500
Graham Wilson <graham (at) mknod (dot) org> wrote:
>
> > Is there a scanning tool out there that can determine if there are
> > unauthorized Linksys (type) routers in a specific VLAN?

I assume you have not port-locked your switches? Many managed Layer-2
switches can do that. Only allow 1-2 IP addresses per port and
auto-shutdown those exceeding this limit. This way you have an
automatic, continuously running monitoring (and self-punishment) of
people connecting rogue switches/routers. Plus you know where (on which
plug) to search for the system. Won't detect NAT-masquerading routers
that have their external interface connected to LAN, though.

A purely passive approach would be to use ARPWATCH and filter out all
known MAC address headers. Easy if you have a homogeneous network (e.g.
all PCs are Dell), a PITB if you are a wild mishmash (open pool at
university or LAN party). You even can run this from a CRON job. And if
you're really, really thorough you could inventory all your PCs
(semi-automatically) and have an alert for each new MAC address that pops
up.

For a scan you could run arpwatch and then ping all hosts using nmap
(assuming that your network is 192.168.1.*/24 in this example):

# nmap -sP 192.168.1.0/24

Depending on your network architecture you might want to slow that down
with

# nmap -T polite -sP 192.168.1.0/24

Arpwatch will do the job of collecting all ARP addresses for you.

Bye

Volker

--

Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists (at) wyae (dot) de PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB

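Added example (not part of Volker's post or of arpwatch itself): a small Python filter that implements the "filter out all known MAC address headers" idea over arpwatch syslog lines, flagging any new station or changed address whose OUI is not in your inventory. The OUI allowlist and the log lines are constructed for illustration; the handling of unpadded octets assumes arpwatch's syslog format.

```python
import re

# Constructed allowlist of OUIs (first three octets) for hardware you have
# inventoried, e.g. the vendor of your standard PCs.  These values are
# assumptions; in practice load them from the IEEE OUI registry or your
# own inventory.
KNOWN_OUIS = {"00:14:22", "00:1a:a0"}

# Constructed sample in arpwatch's syslog style (arpwatch prints MAC octets
# without zero padding).  The last two lines show a device with an
# uninventoried OUI appearing and then taking over an existing IP.
SAMPLE_LOG = """\
Aug 26 09:31:02 gw arpwatch: new station 192.168.1.20 0:14:22:aa:bb:01 eth0
Aug 26 09:31:05 gw arpwatch: new station 192.168.1.21 0:1a:a0:11:22:33 eth0
Aug 26 09:40:17 gw arpwatch: new station 192.168.1.99 0:c:41:de:ad:01 eth0
Aug 26 09:41:00 gw arpwatch: changed ethernet address 192.168.1.21 0:c:41:de:ad:01 (0:1a:a0:11:22:33) eth0
"""

LINE_RE = re.compile(
    r"arpwatch: (?P<event>new station|changed ethernet address) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-fA-F:]+)"
)


def normalize_mac(mac):
    """Zero-pad each octet so '0:c:41:de:ad:1' becomes '00:0c:41:de:ad:01'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def oui(mac):
    """Return the vendor prefix (first three octets) of a normalized MAC."""
    return normalize_mac(mac)[:8]


def find_unknown_stations(log, known_ouis=KNOWN_OUIS):
    """Return (ip, mac, event) for every arpwatch event with an uninventoried OUI."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        if oui(mac) not in known_ouis:
            hits.append((m.group("ip"), mac, m.group("event")))
    return hits


if __name__ == "__main__":
    for ip, mac, event in find_unknown_stations(SAMPLE_LOG):
        print(f"ALERT {event}: {ip} -> {mac} (OUI {oui(mac)} not in inventory)")
```

Run it from the same cron job that rotates arpwatch's syslog output and mail yourself the alert lines; the "changed ethernet address" hits are the ones worth checking first, since they show an existing IP moving to unknown hardware.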