Educause Security Discussion mailing list archives
Re: 10-space is L..A..R..G..E (was Re: Large edu's doing NAT campus wide?
From: Glenn Forbes Fleming Larratt <gl89 () CORNELL EDU>
Date: Mon, 30 Apr 2007 10:52:24 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can't speak to Buz' suggestion and other layer 3 issues. It's not clear to me that a connected host can function effectively without an ARP entry for it in the router, unless it's a really clever malcontent who's compromised another host on the same subnet and can work through that compromised host.

Polling the ARP tables satisfies the "80" component of 80-20, at least - probably more like 99.n% of devices of any sort on your networks can be detected this way. Your polling logic will probably need a little bit of intelligence to detect, for example, someone running a tarpit, lest you be tricked into scanning your entire /8 anyway.

I set up an ARP history recording package at a previous place of employ that got excellent data by polling every three hours. At my current place of employ, they poll the routers every 10 minutes for the same purpose.

Cisco gear, to the best of my recollection, caches ARP table entries for four hours in its out-of-the-box configuration, and it's rare in my experience to need to change that facet of its operation. I have had the experience with other vendors' gear that it caches ARP entries for non-local IP's - i.e.

    downstream i/f,downstream IP,downstream MAC
    :{remainder of inside IP's and MAC's}
    :
    :
    upstream i/f,www.google.com,inside MAC from border router
    upstream i/f,www.yahoo.com,inside MAC from border router
    upstream i/f,www.facebook.com,inside MAC from border router
    upstream i/f,www.imdb.com,inside MAC from border router
    upstream i/f,www.cisco.com,inside MAC from border router
    upstream i/f,www.comics.com,inside MAC from border router
    upstream i/f,www.playboy.com,inside MAC from border router
    {etc.}

        -g

- --
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Mon, 30 Apr 2007, Clifford Collins wrote:
Doesn't this assume that our routers are configured correctly and that there are no bugs in the vendor's routing code that would allow exploitation? I don't want to appear overly paranoid but, as the "security guy", I'm expected to deal with an imperfect world. I would rather find a way to actively route all traffic from the unassigned subnets to something I can use to detect the presence of rogue devices. Then, with something like Nmap's address spoofing feature, verify that it's all working as designed. I generate a lot less traffic and avoid having to periodically walk 16 million "empty" addresses. Or am I kidding myself?

And in response to a suggestion by Justin Azoff, are all of you out there satisfied with the veracity of ARP table dumps to look for rogues? How frequently is enough to catch a rogue without getting your network engineer torqued off about your constant queries?

Clifford A. Collins
Network Security Administrator
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"

Buz Dale <buz.dale () USG EDU> 4/30/2007 10:04 AM >>>
Maybe instead of using the whole 10.0.0.0 you only route the smaller class "c"s that are assigned. Then you could drop anything to or from the address ranges that aren't assigned.

Luck,
Buz

On 4/30/07, Glenn Forbes Fleming Larratt <gl89 () cornell edu> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Might you optimize your process by polling your router infrastructure for live ARP entries, and only scanning those?

- --
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFGNgK4Lyw7nZwiKgQRAgVCAKC4ffk65NbUWXPWsQtc0qa2v2gYKgCgwQp4
OlucuCPvhwXcPpvrBDo32AM=
=waLN
-----END PGP SIGNATURE-----
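An added example, not code from the post above or from any of the posters' ARP-history tools: one poll cycle of the approach Glenn describes, in Python. It assumes the router's ARP table is available as text in the column layout of Cisco IOS "show ip arp" (the sample below is constructed), and that the operator can supply each interface's directly connected prefix (the hypothetical LOCAL_PREFIXES map). It applies both caveats raised in the thread: entries for addresses outside the interface's own subnet (the "non-local IP" caching seen on some vendors' gear) are discarded before anything is counted, and one MAC answering for many addresses on a single interface is flagged as a probable tarpit instead of being handed to the scanner.

```python
"""One poll cycle of ARP-table-driven host discovery (added example)."""
import ipaddress
from collections import defaultdict

# Assumption: the operator knows each router interface's directly connected
# prefix. Interface names and prefixes here are hypothetical.
LOCAL_PREFIXES = {
    "Vlan10": ipaddress.ip_network("10.10.0.0/24"),
    "Vlan20": ipaddress.ip_network("10.20.0.0/24"),
    "Gi0/0": ipaddress.ip_network("203.0.113.0/30"),  # link toward the border router
}

# Constructed sample in the column layout of Cisco IOS "show ip arp".
# Gi0/0 also carries entries for off-link addresses that all resolve to the
# border router's MAC (the non-local caching behaviour mentioned above), and
# Vlan20 has one MAC answering for a block of unused addresses (a tarpit).
SAMPLE_POLL = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.0.1               -   0011.2233.0001  ARPA   Vlan10
Internet  10.10.0.23             17   0011.2233.0023  ARPA   Vlan10
Internet  10.20.0.1               -   0011.2233.0001  ARPA   Vlan20
Internet  10.20.0.5               3   0011.2233.2005  ARPA   Vlan20
Internet  203.0.113.2             9   00aa.bbcc.ddee  ARPA   Gi0/0
Internet  198.51.100.10           9   00aa.bbcc.ddee  ARPA   Gi0/0
Internet  198.51.100.77           9   00aa.bbcc.ddee  ARPA   Gi0/0
""" + "".join(
    f"Internet  10.20.0.{host:<16}5   0011.2233.dead  ARPA   Vlan20\n"
    for host in range(100, 140)
)


def parse_arp(text):
    """Parse 'show ip arp' style lines into (ip, mac, iface, router_owned).

    An age of '-' marks the router's own address on that interface.
    Header lines and 'Incomplete' entries (fewer columns) are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "Internet":
            continue
        _, ip, age, mac, _, iface = parts
        entries.append((ipaddress.ip_address(ip), mac.lower(), iface, age == "-"))
    return entries


def split_local(entries, prefixes=LOCAL_PREFIXES):
    """Keep entries whose IP lies in the interface's own prefix; the rest are
    cached non-local addresses (all pointing at the next-hop router's MAC)."""
    local, foreign = [], []
    for entry in entries:
        ip, _, iface, _ = entry
        net = prefixes.get(iface)
        (local if net is not None and ip in net else foreign).append(entry)
    return local, foreign


def tarpit_suspects(entries, max_ips_per_mac=8):
    """One MAC claiming many addresses on one interface is the ARP footprint
    of a tarpit. Run this on the local entries only, or the border router's
    MAC on the upstream link will trip it. Router-owned entries are ignored
    so a chassis MAC shared by several SVIs is not flagged."""
    ips_by_mac = defaultdict(set)
    for ip, mac, iface, router_owned in entries:
        if not router_owned:
            ips_by_mac[(iface, mac)].add(ip)
    return {k: v for k, v in ips_by_mac.items() if len(v) > max_ips_per_mac}


class ArpHistory:
    """First-seen / last-seen record per (ip, mac, iface), built up poll by poll."""

    def __init__(self):
        self.first_seen = {}
        self.last_seen = {}

    def record(self, poll_time, entries):
        """Store this poll; return the bindings never seen before."""
        new = []
        for ip, mac, iface, _ in entries:
            key = (ip, mac, iface)
            if key not in self.first_seen:
                self.first_seen[key] = poll_time
                new.append(key)
            self.last_seen[key] = poll_time
        return new


def scan_targets(entries, suspects):
    """Addresses worth an active scan: live, local, not claimed by a tarpit."""
    claimed = {ip for ips in suspects.values() for ip in ips}
    return sorted({ip for ip, _, _, owned in entries if not owned and ip not in claimed})


def poll_once(text, poll_time, history, prefixes=LOCAL_PREFIXES):
    local, foreign = split_local(parse_arp(text), prefixes)
    suspects = tarpit_suspects(local)
    new = history.record(poll_time, local)
    return {"local": len(local), "foreign": len(foreign), "suspects": suspects,
            "new": new, "targets": scan_targets(local, suspects)}


if __name__ == "__main__":
    result = poll_once(SAMPLE_POLL, "2007-04-30T10:00", ArpHistory())
    for (iface, mac), ips in result["suspects"].items():
        print(f"tarpit? {mac} on {iface} answers for {len(ips)} addresses")
    print("scan targets:", ", ".join(str(ip) for ip in result["targets"]))
```

Running the sample yields three scan targets instead of the forty-plus addresses a naive "scan everything in the ARP table" pass would hit, with the tarpit MAC and the border router's cached off-link entries reported separately. The max_ips_per_mac threshold is a guess to tune per site; legitimate hosts with many secondary addresses will need an allowlist.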
Current thread:
- Re: 10-space is L..A..R..G..E (was Re: Large edu's doing NAT campus wide? Buz Dale (Apr 30)
- <Possible follow-ups>
- Re: 10-space is L..A..R..G..E (was Re: Large edu's doing NAT campus wide? Clifford Collins (Apr 30)
- Re: 10-space is L..A..R..G..E (was Re: Large edu's doing NAT campus wide? Jeff Kell (Apr 30)
- Re: 10-space is L..A..R..G..E (was Re: Large edu's doing NAT campus wide? Glenn Forbes Fleming Larratt (Apr 30)
- Re: 10-space is L..A..R..G..E (was Re: Large edu's doing NAT campus wide? Jeff Kell (Apr 30)
- Re: 10-space is L..A..R..G..E (was Re: Large edu's doing NAT campus wide? Valdis Kletnieks (May 01)