Please I have a very interesting scenario that I am on the lookout for a
solution for, We have instances where the network team of my company bypass
controls and processes when adding new switches to the network.
The right parameters that are required to be configured on the switches
inorder for the NAC solution deployed to have full visibility into end
points that connects to such switches are not usually configured.
This poses a problem for the security team as they dont have visibility
into such devices that connect to such switches on the NAC solution, the
network guys usually connect the new switches to the trunk port and they
have access to all VLANs.
Is there a solution that can detect new or unmanaged switches on the
network, and block such devices or if there is a solution that block users
that connect to unmanaged switches on the network even if those users have
domain PCs.
Please I have a very interesting scenario that I am on the lookout for a
solution for, We have instances where the network team of my company bypass
controls and processes when adding new switches to the network.
The NETWORK management team of your own company?
The answer is adequate change controls, policy, procedures,
technical auditing (Such as logging of all CLI commands), and
mandatory training with clearly-communicated in advance severe
consequences for violators of the compulsory security policy that
all switches must be of X type and configured according to Y process
before being connected to the network, signed off by management.
There are technical controls that can be implemented to help prevent/
mitigate end users from attaching an unauthorized switch to a normal
access port,
But as you mention... clearly an employee on the NETWORKING team
can likely just configure a port as Trunk and circumvent any technical
protections.
Two methods that could effectively prevent End Users (not Network/IT team) from
connecting unmanaged switches would be:
* Port-security feature common on many managed switches that allow you to
limit the number of MAC Addresses that can use a port to 1 or given
number of MAC addresses.
(Use a short MAC address aging time such as 30 seconds to allow
people to unplug
and plug a different device in, but a low MAC address account and
Err-Disable violation
to kill the port if a Switch is connected)
* 802.1x Wired Port Security - More detailed system that requires a
PKI + RADIUS server infrastructure and authentication by every
client to every port.
If you have employees with enable on your networking gear not following
policies and procedures, that is a management problem, not a technical
one. There's nothing you can do to prevent someone who admin's a network
device from changing its configuration.
The various ways the company can handle this is by training, clearly
defined *and communicated* policies, and eventually by discipline if
necessary. If the company is unwilling or unable to enforce reasonable
policy on its employees then my recommendation would be to find a new
company.
As someone already stated the obvious answers, the slightly more difficult route to be getting a count of allowed devices and MAC addresses, then moving forward with something like ansible to poll the count of MAC’s on any given port ... of number higher than what’s allowed, suspend the port and send a notification to the appropriate parties.
All in all though sounds like a really brash thing to do to your network team and will generally know and have a very good reason for doing so... but not all situations are created equally so good luck.
In my previous life, we used a nac appliance from Bradford Networks whereby the mac address of every device needed to be registered or the switch port it was plugged into would be disabled.
This kept spurious devices from appearing on the network and worked quite well.
Cheers, Keith
When we do NIST-CSF audits, we run an SNMP NMS called Intermapper, which has a Layer-2 collection feature that identifies the number and MACs of devices on any given switch port. We export this list and cull out all the known managed switch links. Anything remaining that has more than one MAC per port is a potential violation that we can readily inspect. It’s not perfect, because an unmanaged switch might only have one device connected, in which case it wont be detected. You can also get false positives from hosts running virtualization, if the v-kernel generates synthetic MAC addresses. But it’s amazing how many times we find unmanaged switches squirreled away under desks or in ceilings.
This thread has piqued my curiosity on whether there'd be a way to detect a rogue access point, or proxy server with an inside and outside interface? Let's just say 802.1x is in place too to make it more interesting. For example, could employee X, who doesn't want their department to be back billed for more switch ports, go and get some reasonable wifi router, throw DD-WRT on it, and set up 802.1x client auth to the physical network using their credentials? They then let their staff wifi into it and the traffic is NAT'd. I'm sure anyone in a university setting has encountered this. Obviously policy can forbid, but any way to detect it other than seeing traffic patterns on a port not match historical once the other users have been combined onto it, or those other users' ports go down?
David
When we do NIST-CSF audits, we run an SNMP NMS called Intermapper, which has a Layer-2 collection feature that identifies the number and MACs of devices on any given switch port. We export this list and cull out all the known managed switch links. Anything remaining that has more than one MAC per port is a potential violation that we can readily inspect. It’s not perfect, because an unmanaged switch might only have one device connected, in which case it wont be detected. You can also get false positives from hosts running virtualization, if the v-kernel generates synthetic MAC addresses. But it’s amazing how many times we find unmanaged switches squirreled away under desks or in ceilings.
This is one of the reasons why large organizations, such as the ones you
describe, have both portable spectrum analyzers (covering the 2400 range
and 5150-5850 MHz 802.11(whatever) bands), and also ability to hunt for MAC
addresses of wifi devices that don't match known centrally managed APs.
Even if somebody sets up to not broadcast the SSID, the MAC will still be
there and can be recognized as an unknown device, then physically
triangulated upon for its OSI layer 1 location, with RSSI/RSL level and a
portable spectrum analyzer with directional yagi antenna.
1. Most likely it will leak information (STUN, NAT-PMP, etc.).
2. You could look obvious signs of NATted traffic. (e.g. re-use of the same
source port number to different destinations from the box, etc.)
3. You can look at the TTL or Hop-Count on packets coming out of the box.
Most NAT routers (I believe DD-WRT included, IIRC) do still decrement
the TTL/Hop-Count (v4/v6) when passing the packet.
4. NMAP the device… DD-WRT will usually look strikingly different from most
desktop hosts.
I’m sure there are other ways, but those are the first 4 that spring to mind. Each
could be defeated by a particularly careful/clever implementer, but in an enterprise,
usually it makes little sense to go to that much trouble to violate policy. Universities
are an exception as that’s a whole different set of equations on risk/benefit.
Enterprise WiFi systems, such as those by HPE (Aruba) and Cisco, have built-in rogue detection including integrated spectrum analysis. Every AP becomes a spectrum analyzer, so the WiFi controller can detect rogue APs, identify whether or not they’re physically connected to your network, and then even tell you the switch and port they’re plugged into. You can disable that port to kill the rogue’s network access, then follow that cable to the interloper.
as already said - this can be covered with adequate processes and
management (even so far as, not doing your job right? time
for HR...). however, there are many ways to ensure that random ports arent
doing anything other than what they should be doing - most of these
are L2 security features - port-security, BPDUGAURD, default vlan pruning,
along with other protections such as DHCP snooping etc.
however, if its the network team doing this - then they could just turn
those things off anyway - so you need to also ensure all
managed switch configs have their configs audited and checked - grabbed by
SNMP and checked/audited against known template etc etc.
if a switch cannot be audited then disconnect its uplink..... but then your
end users/customers no longer have connections - which is why its
really down to management processes. WHY are they doing this? there could
be other reasons why due process isnt being followed
other than eg incompetence, malice, laziness etc
I like the idea of using a quarantine network by default with a captive portal assistant to permit certain levels of access if needed.. fairly easy to setup on LAN and WiFi networks with no problem. Just depends on what you are trying to secure- easy to set up audits with MAC tables and SNMP data either way.
