Q: Network Monitoring

Dear Expert,

I am a Network Engineer at the University of Anonymous. I’m not sure if this is an irrelevant question, but here it is anyway.

I want to have a Network Monitoring Software with the following characteristics

1 – I want to be able to monitor all the active workstations in each of the Labs.
2 – I want to have a list of trusted MAC addresses. I need this because I want to block any non-trusted device from accessing network resources. Exceptions might be given when the device is verified to be secure.
3 – I want to be able to detect any suspicious activities (pinging, high traffic) and block the associated IP address.

So please, tell me if there is any software or combination of software that enables me to do what I want.

I hope I will hear from you soon.



Our readers were very helpful to the person who wrote the previous post, and I believe they have the answer in this case as well. As in the previous case, the combined answer from readers was far better than anything we could have provided.

So I am going to let our readers answer this interesting question. Readers – what do you say?

  • Kasa

    Try Nmap to create a map of your network (inventory) and then implement some authentication in the network layer, like 802.11X with your switches and a RADIUS server. To avoid problems you should try to use PKI with them.
    Another way could be implementing ARPWatch to monitor new MAC Addresses in your network.

  • aabbcc

    It’s called NAC.

  • Amos

    Kasa already mentioned arpwatch but that was the first tool I was going to consider as part of the solution.
    At a large network provider I worked for, we had the switch “lock in” the first MAC address it saw on the port and not allow any other MAC address to use that port until it was reset. It’s more about the stage of “prevention” rather than just “detection”, but it might be useful too.

  • Kasa

    NAC is not the same thing as 802.1X.
    While 802.1X is only about authentication and authorization, in the NAC/NAP/NAQ products you have to consider a script that should validate the computer and then decide what to do with it. It could, for example, send the computer to an isolated VLAN (or DMZ) with remediation servers to update the OS, AV and third-party software, or, if all of them are just fine, send the computer to the back-end network.
    There are a bunch of products available for that, but my advice is FreeNAC (http://freenac.net/) because it’s simple and GPL.
    Like Amos said in the last comment, you could also try to enable port security in your switches.

  • JRHelgeson

    If you have a Cisco network end-to-end then you can accomplish everything you’re looking for. Cisco IOS supports everything you are requesting, through secure access to the wire using 802.1x and RADIUS, combined with their ASA and port level controls you can build a pretty amazingly robust network.

    You can isolate suspected traffic, unknown MAC addresses can be placed in their own guest VLAN until they have authenticated with the RADIUS server, thereby granting access to the proper VLAN. You can get extremely granular in how you let people access the network, including denying access if they do not have AV installed or are infected with some nasty malware, etc.

  • dave

    Seriously consider against using MAC address as the only authenticator. Layer your defenses. What you are suggesting is not robust: an attacker that can plug into the network can see legitimate MAC addresses. Maintenance can also be problematic when you are dealing with 10/20/50/… systems.

    It sounds like you want to grant “trusted systems” access to other systems without interactive authentication. — Have you considered IPSEC? It’s quite elegant, can be paired with certificates for strong authentication, doesn’t require interactive authentication, and should be damn hard to spoof. Then, for interactive services like SSH, VNC, etc., you tie the service/daemon to interactive authentication (like passwords, etc.).

    You’ve then built a ring of trust: IPSEC-enabled systems get access to servers and possibly can communicate with each other (the topology can be a full mesh or hub and spoke; the decision is yours). Systems w/o IPSEC get no access to trusted servers, or limited access; as an example, access to only hardened systems.

    For monitoring you could use snort, or nessus, or nmap, or bigbrother, or any combination. This area has lots of solutions. It depends on whether you want host integrity monitoring, network availability monitoring, network misuse monitoring, etc.
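Kasa’s arpwatch suggestion and dave’s warning that a MAC list can be spoofed can be combined into a small triage step. The following script is an added example, not code from any commenter: it reads arpwatch-style syslog lines, compares new stations against a trusted MAC list, and escalates “changed ethernet address” / “flip flop” events, which are exactly what a spoofed trusted MAC looks like on the wire. The log lines, the trusted list and the exact message layout (event, IP, MAC, optional old MAC in parentheses, interface) are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed trusted MAC list (in practice, loaded from your inventory database).
TRUSTED_MACS = {
    "00:1a:2b:3c:4d:5e",
    "00:1a:2b:3c:4d:5f",
}

# Constructed arpwatch-style syslog lines. Assumed layout:
#   "arpwatch: <event> <ip> <mac> [(<old mac>)] <iface>"
SAMPLE_LOG = """\
Mar  3 10:01:02 gw arpwatch: new station 10.10.1.20 0:1a:2b:3c:4d:5e eth0
Mar  3 10:02:15 gw arpwatch: new station 10.10.1.21 0:c0:ff:ee:0:1 eth0
Mar  3 10:05:40 gw arpwatch: changed ethernet address 10.10.1.20 0:c0:ff:ee:0:2 (0:1a:2b:3c:4d:5e) eth0
Mar  3 10:06:01 gw arpwatch: flip flop 10.10.1.20 0:1a:2b:3c:4d:5e (0:c0:ff:ee:0:2) eth0
Mar  3 10:07:09 gw arpwatch: new activity 10.10.1.22 0:1a:2b:3c:4d:5f eth0
"""

LINE_RE = re.compile(
    r"arpwatch: (?P<event>new station|new activity|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]+)(?: \((?P<old>[0-9a-f:]+)\))? (?P<iface>\S+)"
)


def normalize_mac(mac):
    """arpwatch prints octets without leading zeros; pad to canonical aa:bb:cc:dd:ee:ff."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


@dataclass
class Alert:
    severity: str
    ip: str
    mac: str
    reason: str


def triage(log, trusted):
    """Return alerts for untrusted MACs and for IP/MAC changes on already-known addresses."""
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m["mac"])
        event = m["event"]
        if event in ("changed ethernet address", "flip flop"):
            # The same IP is now answered by a different MAC. That may be a DHCP move, but it
            # is also what ARP spoofing of a trusted MAC looks like, so escalate regardless of
            # whether the new MAC is on the trusted list.
            alerts.append(Alert("high", m["ip"], mac, f"{event}; previous {normalize_mac(m['old'])}"))
        elif mac not in trusted:
            alerts.append(Alert("medium", m["ip"], mac, f"{event} from untrusted MAC"))
    return alerts
```

Feeding real arpwatch syslog output through `triage()` gives you a list of devices to check against the lab inventory before deciding on a port or VLAN action; the “high” alerts are the ones to look at first.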

  • Brian

    We implemented a MAC-based VLAN solution using Nortel gear a number of years ago. At the time we started, we were being swamped with requests from professors to allow their computers to be networked in classrooms (pre-wireless). The Nortel gear allowed us to store the MAC addresses associated with a given machine and put them on the network to which they were entitled when they came on the network. We knew at the outset that MAC addresses could be hijacked, but we dealt with those severely when we found them. New machines were dropped into a default VLAN and required to register with their university PIN and ID. The same scheme allowed us to register visitors to campus.

    As the number of computers exceeded the capacity of the equipment to store MAC addresses per VLAN (>10,000) we have migrated to a much more segmented network where if desktops move they need to reregister. Laptops can still move anywhere.

    The original plan was to move to having users authenticate to the network every time they put their machine on the network. There are issues around logging off for lab machines. It’s a work in progress.

  • http://benjamin-schweizer.de/ Benjamin Schweizer

    Aside from port security (802.1x), you want a good monitoring solution. First of all, install mrtg and monitor the load of your switch ports. Second, get a list of used MAC addresses using arpwatch and by pinging all hosts (using nmap, e.g.).
    Then, you could do a lot more: Nagios as a network monitoring system, Cacti as a replacement for mrtg (brings you alarms etc.), a honeypot to fool people scanning your network. What about centralized logging, automated log file analysis and, most important, someone responsible who is capable of taking action? Maybe you need a security policy that clarifies what to do when something goes wrong. Ah, and inform your students what they may do and what they should avoid…