8

I would like to know ways of detecting rogue laptops connected to Ethernet sockets that are not properly secured in a big organization that has a plain network segment. I know that this can be prevented using some techniques like MAC filtering, but suppose that in this company they don't use any of these preventive security measures.

One possible solution I can think of is to use traceroute to identify the path and identify the last hop to the laptop. This can be used to identify the last router but...

Is it possible to use some layer-2 protocol or other technique to identify where a rogue laptop is connected to an unprotected Ethernet socket in a big organization?

S.L. Barth
kinunt

2 Answers

9

Any managed switch should be able to tell you which ports it has seen a given MAC address on. Identify the IP, ARP on that network, query switches on that segment for the given MAC address.

Prevention beats all, though: How can I restrict access to network data by an unauthorized computer that connects via Ethernet?

Jeff Ferland
  • Keep in mind that this technical solution will only work if you know what is supposed to be on your network in the first place. For that you need a complete inventory of all approved devices and their MAC addresses. Then you look at the MAC address tables on the switches to find those not approved. – GdD Mar 06 '13 at 09:06
  • This too is impractical when organization size goes to 26,000 strong or more. You need a protocol or point-solution approach. – Saladin Mar 06 '13 at 15:30
1

The technical answer or solution is what you call Network Admission Control. It does all the police work for you.

On the suspicious switch you can run a command, not exact but something similar to "show mac table". Basically all the port-to-MAC bindings are stored in the CAM table, aka content-addressable memory, e.g.

    Cat6K#show mac-address-table int gi 6/11

If you are thinking of actively blocking using in-house switches then go for DAI, aka Dynamic ARP Inspection; basically it is a whitelist for all ARP requests and denies authorized MAC-to-IP bindings.

As for knowledge, you should know that at OSI layer 3 and layer 2 there isn't any inherent control to stop spoofing from happening. It is what you call unsolicited ARP. Thus you have to rely on a point solution for this.

Saladin
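Both answers describe the same manual chase: resolve the IP to a MAC with ARP, then read the CAM table ("show mac address-table") on each switch until the MAC turns up on a port that is not an uplink. The following Python script is an added example written for this page, not code from either answer or from any vendor tool. It parses constructed sample output in Cisco IOS layout (switch names, ports, IPs, MACs and the trunk map are all made up), flags hosts whose MAC is not in an approved-device inventory (the point of GdD's comment), and walks each one from the core switch across trunk ports to the access port. It also handles the two cases that bite in practice: the MAC is learned on a trunk, which only tells you which switch to ask next, and the trail runs into a switch whose table you have not collected.

```python
"""Trace a MAC address to its access port from switch CAM tables.
Added example, not code from the answers above. All sample output,
names and addresses below are constructed in Cisco IOS layout."""
import re
from typing import Dict, Tuple

# Constructed sample: "show ip arp" on the segment's router (IP -> MAC).
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.0.1               -   0000.0c07.ac01  ARPA   Vlan20
Internet  10.20.4.117            12   3c97.0e12.ab45  ARPA   Vlan20
Internet  10.20.4.200             3   f4ce.4601.9b2c  ARPA   Vlan20
"""

# Constructed sample: "show mac address-table" collected from three switches.
MAC_TABLES = {
    "core-1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    3c97.0e12.ab45    DYNAMIC     Te1/1
  20    f4ce.4601.9b2c    DYNAMIC     Te1/2
""",
    "dist-3": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    3c97.0e12.ab45    DYNAMIC     Gi1/0/48
  20    f4ce.4601.9b2c    DYNAMIC     Gi1/0/47
""",
    "access-3-floor2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    3c97.0e12.ab45    DYNAMIC     Gi1/0/11
  20    f4ce.4601.9b2c    DYNAMIC     Gi1/0/24
""",
}

# Constructed: trunk/uplink ports per switch and the neighbour behind each
# (from "show cdp neighbors" or cabling records). A MAC learned on a trunk
# only tells you which switch to query next. dist-9 is deliberately absent
# from MAC_TABLES to show the "table not collected" case.
TRUNK_PORTS = {
    "core-1": {"Te1/1": "dist-3", "Te1/2": "dist-3"},
    "dist-3": {"Te1/1/1": "core-1", "Gi1/0/48": "access-3-floor2", "Gi1/0/47": "dist-9"},
    "access-3-floor2": {"Gi1/0/24": "dist-3"},
}

# Constructed: MACs of approved devices (the inventory GdD's comment asks for).
INVENTORY = {"0000.0c07.ac01", "3c97.0e12.ab45"}

MAC_RE = r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"


def normalize_mac(mac: str) -> str:
    """Accept 3C:97:0E:12:AB:45, 3c-97-0e-12-ab-45 or 3c97.0e12.ab45; return Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_arp(text: str) -> Dict[str, str]:
    """IP -> MAC from 'show ip arp'; the header and incomplete entries are skipped."""
    arp = {}
    for line in text.splitlines():
        m = re.match(r"Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+" + MAC_RE, line)
        if m:
            arp[m.group(1)] = normalize_mac(m.group(2))
    return arp


def parse_mac_table(text: str) -> Dict[str, Tuple[int, str]]:
    """MAC -> (vlan, port) from 'show mac address-table'."""
    cam = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+" + MAC_RE + r"\s+(?:DYNAMIC|STATIC)\s+(\S+)", line)
        if m:
            cam[normalize_mac(m.group(2))] = (int(m.group(1)), m.group(3))
    return cam


def locate_mac(mac, tables, trunks, start):
    """Follow `mac` from switch `start` across trunk ports until it is learned on a
    non-trunk port. Returns (hops, (switch, port)); the second item is None when
    the MAC is missing from a table (or the table was never collected) or the
    trunk map loops."""
    mac = normalize_mac(mac)
    hops, seen, switch = [], set(), start
    while switch not in seen:
        seen.add(switch)
        entry = parse_mac_table(tables.get(switch, "")).get(mac)
        if entry is None:
            return hops, None            # need CAM output from this switch
        port = entry[1]
        hops.append((switch, port))
        nxt = trunks.get(switch, {}).get(port)
        if nxt is None:
            return hops, (switch, port)  # access port: the socket the host is on
        switch = nxt
    return hops, None                    # loop in the trunk map


def unapproved_hosts(arp, inventory):
    """(ip, mac) pairs seen in ARP whose MAC is not in the approved inventory."""
    return sorted((ip, mac) for ip, mac in arp.items() if mac not in inventory)


if __name__ == "__main__":
    for ip, mac in unapproved_hosts(parse_arp(ARP_TABLE), INVENTORY):
        hops, where = locate_mac(mac, MAC_TABLES, TRUNK_PORTS, "core-1")
        print(ip, mac, "hops:", hops, "access port:", where)
```

In the sample data the approved host 3c97.0e12.ab45 resolves to access-3-floor2 Gi1/0/11, while the unapproved f4ce.4601.9b2c is followed core-1 Te1/2 -> dist-3 Gi1/0/47 and then stops, because Gi1/0/47 is a trunk to dist-9 and no table from dist-9 was collected; that is the signal to pull the CAM table from the next switch rather than a dead end. Against real gear, replace the string constants with output gathered over SSH or the BRIDGE-MIB via SNMP, and remember that CAM entries age out (300 s by default on Cisco), so a host that has gone quiet must be pinged before the lookup.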