Re: SNMP and rogue devices

From: Mike Tibor <tibor@lib.uaa.alaska.edu>
Date: Fri Mar 05 2004 - 09:33:21 PST

On Fri, 5 Mar 2004, mbox mbarsalou wrote:

>
> Anyone out there currently using a tool that would identify rogue
> devices in your network?
>
> In my case, one trait of a "rogue" is a piece of equipment using a
> non-authorized SNMP community string.
> Another might be the assignment of unauthorized IP address space.

Before I left the UAA Library, I identified a rogue DHCP server on the
campus network for UAA ITS by configuring dhclient to reject DHCP
offerings from the ITS server to see if there were any others that would
offer me an IP address. I greatly enjoyed it because ITS didn't have a
clue the rogue server was there, and had no idea it was even possible to
do what I did, simple as it was.

Not sure how much that helps you though.

I would think if you were looking for a definitive method of discovering
if an unauthorized piece of equipment comes up on your network, that
something using ARP would be your best bet.

Of course, the easiest thing would be to ensure that any unused wall jacks
aren't patched, and any wireless access points are configured to only talk to
known MAC addresses. That's not totally foolproof though, since most
(all?) OSs allow the user to arbitrarily change the MAC address, and
someone can always unplug a legitimate piece of equipment and plug in a
rogue device.

Mike
Received on Fri Mar 5 09:33:27 2004
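
The ARP-based check suggested in the message above, as an added example that is not part of the original post: it parses Linux `arp -an` output and flags MAC addresses missing from an inventory, addresses outside the authorized IP space, and known MACs seen at an unexpected IP. The inventory, the address range and the sample ARP output are constructed for illustration.

```python
import ipaddress
import re

# Constructed inventory: authorized MAC -> expected IP (assumed to exist on site).
AUTHORIZED = {
    "00:11:22:33:44:55": "10.1.20.15",
    "00:11:22:33:44:66": "10.1.20.16",
}
# Constructed authorized address space.
AUTHORIZED_NETS = [ipaddress.ip_network("10.1.20.0/24")]

# Constructed sample of Linux `arp -an` output.
SAMPLE_ARP = """\
? (10.1.20.15) at 00:11:22:33:44:55 [ether] on eth0
? (10.1.20.77) at 00:11:22:33:44:66 [ether] on eth0
? (10.1.20.99) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.0.5) at de:ad:be:ef:00:02 [ether] on eth0
? (10.1.20.40) at <incomplete> on eth0
"""

ARP_LINE = re.compile(r"\((?P<ip>[0-9.]+)\) at (?P<mac>[0-9A-Fa-f:]{17})\b")

def parse_arp(text):
    """Yield (ip, mac) pairs; unresolved '<incomplete>' entries are skipped."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()

def find_rogues(text, authorized=AUTHORIZED, nets=AUTHORIZED_NETS):
    """Return sorted (ip, mac, reason) findings for entries needing follow-up."""
    findings = []
    for ip, mac in parse_arp(text):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            findings.append((ip, mac, "unauthorized-ip"))
        if mac not in authorized:
            findings.append((ip, mac, "unknown-mac"))
        elif authorized[mac] != ip:
            # Known MAC at an unexpected address: possible cloned MAC or swapped device.
            findings.append((ip, mac, "known-mac-wrong-ip"))
    return sorted(findings)

if __name__ == "__main__":
    for ip, mac, reason in find_rogues(SAMPLE_ARP):
        print(f"{reason:20} {ip:15} {mac}")
```

The ARP cache only lists hosts this machine has recently exchanged traffic with on its own segment, so the check has to run from each segment of interest.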