| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <E9A72B19EC7A9F44B7CF43BBB1DA4F3B045FDF@fwexchsvr01.texpac.com> Date: Mon Jul 11 23:40:08 2005 From: BFetch at texpac.com (Fetch, Brandon) Subject: how to bypass rogue machine detection techn iques I was going to suggest the same thing. There are methods of configuring (Cisco) switches to have their default VLAN be an innocuous network that's boxed in and/or be prompted with a default login or proxy page to allow packets to pass. More specifically - the port is 'VLAN authenticated' and made a member of the correct VLAN based upon the provided & verified credentials/role. Cisco NAC & their 'Self Defending Network' propag..er marketing material. ;-) (may wrap) http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutio ns_package.html Unfortunately I'm not too familiar with what else exists for non-Cisco networks/switches but it comes down to stopping any potential client/node from illicitly transmitting across your wire/frequency to cause problems from the beginning. But we were talking about detecting rouge machines... Put a bunch of mirrors around the office to show how silly a machine looks in rouge? :-) HTH, Brandon -----Original Message----- From: Devdas Bhagat [mailto:devdas@....homelinux.org] Sent: Monday, July 11, 2005 4:16 PM To: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] how to bypass rogue machine detection techniques On 12/07/05 00:55 +0530, Gaurav Kumar wrote: > thanks a lot everybody. Spelling in subject corrected. > > now i am just wondering if the detection technique can be integrated > at the switch level. for example, one software can connect to switch > via ssh, and collect the ipaddress information of the machine trying > to plug in to the network, as soon as we detect this machine, we can > connect to it to test whether its a part of trusted domain/network or > not. > You would need to trigger the scan when the host is plugged into the switch. The device also needs to respond to an ARP request of some sort. What happens if I plug in a dumb hub into the switch, and then a laptop with no IP address on the NIC and ARP disabled into the hub? Keep in mind that switches are designed to fail open, so I just need to flood the switch with a very large number of MAC addresses to convert it into a nice broadcast device. > i think even if a box is in stealth mode, we can still detect it if we > use our detection mechanism at switch level itself. > Possible. However, in most cases, it is easier to implement proper physical security and not let random people connect from nodes all over the place. Using 802.1x is useful as well. Devdas Bhagat <snipped> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ This message is intended only for the person(s) to which it is addressed and may contain privileged, confidential and/or insider information. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Any disclosure, copying, distribution, or the taking of any action concerning the contents of this message and any attachment(s) by anyone other than the named recipient(s) is strictly prohibited.
Powered by blists - more mailing lists