RE: how to bypass rouge machine detection techniques

["Paul Melson" <pmelson () gmail com>]

MAC addresses are easily sniffed, spoofed, and exploited in lots of nifty
ways (see: ARP poisoning/routing).  The ubiquitous nature of ARP/RARP
broadcasts and the seemingly unique nature of MAC addresses makes them an
obvious means of attempting this type of detection, but these attempts are
trivially defeated - it can be done with pretty much any laptop and a Linux
boot CD.

I'm not saying it's not worth doing - presumptuous contractors, bad
employees, the generally clueless and their laptops all pose a risk to your
network.  These people will likely be detected via this method and can be
dealt with, hopefully before they spread worms and other crap.

One correct solution to this problem is to authenticate users and devices
before they connect to the network.  Whereas this method attempts to
identify devices or users after they have connected.  

PaulM


-----Original Message-----
Subject: [Full-disclosure] how to bypass rouge machine detection techniques

Friends,

There are several techniques available for detecting rouge (not being a
member of trusted domain) machines, such as active scanning, active
directory querying etc, but I guess most powerful being the one used by
epolicy orchestrator. Its agents (deployed on each subnet) checks for L2
broadcasts like Arp broadcast etc. After detecting a broadcast, it used the
mac address and ip address to proceed further to detect whether the machine
is rouge or not.

http://www.networkassociates.com/us/local_content/white_papers/wp_epo3_5_rsd
whitepaper_july2004.pdf

I was wondering if this approach is foolproof and can be safely deployed or
if there is a way to bypass it?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/