# Securing a network - intrusion detection

## Vieri

Hi, 

I would like to know how to "secure" a LAN with "standard" switches. Since our LAN is quite large, the idea is to detect intruders (devices such as laptops and access points that are plugged into an ethernet wall plug).

Our "registered" devices are catalogued in our database and for each one of them we have a list of information (such as MAC address, etc). Most but not all have DHCP clients.

What I would like to do is quickly detect an "unwanted" device that someone may plug into our LAN.

Some vendors such as Cisco offer expensive switches that do just this and more (the device will not be able to access the LAN until it's validated).

I would like to find a poor man's solution to this with standard switches.

Anybody have any working scripts/solutions?

I am currently using nmap on our subnet such as:

```
nmap -sS -O 10.215.144.0/22 > current_devices.log
```

I could import the log data to a MySQL database for easier data manipulation and compare with our registered MACs.

Although this isn't a "real-time" detection solution, it's better than nothing.

Ideas anyone?
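A script for the log-comparison step described above, added here as an example and not part of the original post: it parses nmap's normal-format output (the "Interesting ports on" / "Nmap scan report for" host lines and the "MAC Address:" lines) and lists hosts whose MAC is absent from the registered set. The scan excerpt and the registered-MAC set are constructed stand-ins for the real log and the database table.

```python
import re
from typing import Iterable, List, Tuple

# Constructed excerpt of `nmap -sS -O 10.215.144.0/22` normal output (sample data, not a real scan).
# Older nmap prints "Interesting ports on <ip>:", newer releases "Nmap scan report for <ip>"; both parse.
SAMPLE_NMAP_LOG = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-02 10:12 CEST
Interesting ports on 10.215.144.10:
22/tcp open  ssh
MAC Address: 00:14:BF:D8:82:3F (Cisco-Linksys)

Nmap scan report for printer1 (10.215.144.25)
9100/tcp open  jetdirect
MAC Address: 00:1E:0B:AA:BB:CC (Hewlett-Packard Company)

Nmap scan report for 10.215.145.77
All 1697 scanned ports on 10.215.145.77 are closed
MAC Address: 00:0C:29:12:34:56 (VMware)
"""

# Stand-in for the registered-device table from the database (constructed values).
REGISTERED_MACS = {"00:14:bf:d8:82:3f", "00:1e:0b:aa:bb:cc"}

HOST_RE = re.compile(
    r"^(?:Nmap scan report for|Interesting ports on)\s+(?:\S+\s+\()?"
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?:?\s*$"
)
MAC_RE = re.compile(r"^MAC Address:\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})(?:\s+\((.*)\))?")

def parse_nmap_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, vendor) for each host header followed by a MAC line. nmap learns MACs
    via ARP, so only hosts on the scanner's own segment carry one; others are skipped."""
    hosts = []
    current_ip = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current_ip = m.group(1)
            continue
        m = MAC_RE.match(line)
        if m and current_ip:
            hosts.append((current_ip, m.group(1).lower(), m.group(2) or ""))
            current_ip = None
    return hosts

def find_unregistered(hosts: Iterable[Tuple[str, str, str]], registered: Iterable[str]):
    """Hosts whose MAC is missing from the registered set (compared case-insensitively)."""
    known = {mac.lower() for mac in registered}
    return [h for h in hosts if h[1] not in known]
```

A host reachable only through a router shows no MAC line, so it never reaches the comparison; that is a gap of the scan approach, not of the database.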

----------

## depontius

If you're feeling really paranoid, you could go with a "virtual network". Run OpenVPN on a server and on all clients. On the physical network, have just enough information and services to get to the OpenVPN server. Authorized clients run the OpenVPN client at startup, connect, authorize, and all is good. Unauthorized clients hook onto the network, get an address from DHCP, but then find that they can't do squat except find the OpenVPN server.

There's a bit of overhead in the OpenVPN links, especially for the server, but it should be secure. I've been considering this approach for my wireless segment instead of the WPA that I'm currently using.

Beyond that, I'd suggest monitoring ARP packets. There are 2 kinds of unauthorized machines on your lan, innocent (or stupid crackers) ones that grab a DHCP address, and crackers who either appropriate a known IP (presumably one they know is currently down) or silently sniff. Obviously with unknown DHCP clients, you can stuff them off into an isolated portion of IP addresses that is appropriately disabled, firewalled, and warned. For the others, nmap might work, as you have suggested, but monitoring ARP packets might be simpler and less burdensome. You'll need to monitor ARP at each segment, however.

Beyond all of that, keep in mind that MACs can be overridden. So it would be entirely possible to silently sniff a segment and find the MAC and IP of a machine, then either unplug that machine or wait until it's naturally offline. (Like a laptop gone home or a deskside shut down at the end of the day.) Then override the MAC of the spy machine, and possibly the IP, assuming that MAC isn't normally a DHCP client, like a laptop. At that point, the spy machine is in, though not past any other password or key-based authorization.

If you're really that worried about malicious intrusion, you need either the switches or a virtual lan with a VPN.

----------

## Vieri

*depontius wrote:*

> If you're really that worried about malicious intrusion, you need either the switches or a virtual lan with a VPN.

I am a bit worried because the other day I found someone had connected a completely "open" (no encryption) access point to our lan. And even though they might not have done this with malicious intentions, they actually opened a security hole (at least as far as that wifi could reach).

The openvpn gateway is a pretty nice idea (I used it for wifi but I never thought of using it over a wired lan) and probably the most secure "poor man's solution". A hacker would still be able to "attack" hosts within the LAN (unless properly firewalled), but at least they would be able to access neither our servers nor the Internet.

Extra overhead may be an issue, but I will have to live with it.

Thank you for shedding some light.

----------

## GNUtoo

You could add authentication to your LAN.

Do you have only Linux clients?

Because you have 2 choices here:

nufw... you'll have some problems with the Windows clients because one of the two clients for Windows is commercial (the other is freeware)

and you also have RADIUS authentication

----------

## Vieri

*GNUtoo wrote:*

> You could add authentication to your LAN.
> 
> Do you have only Linux clients?
> 
> Because you have 2 choices here:
> ...

Unfortunately, 99% of our clients are Windoze.

nufw sounds very interesting especially for user-based firewall rules (but that's a plus I wasn't really counting on).

I think both versions for Windows have a 30 day limit.

I used radius for wifi but not for lans.

So I guess I could go for openvpn or radius (unless they let me buy the nufw windows client). However, all three have the same inconvenience: not all clients can have the necessary software to connect (e.g. TCP/IP printers, some PDAs...).

I would have to define "exceptions" based on MAC addresses I guess.

Finally, since I use shorewall to generate iptables rules I need to make sure that nufw can get along well.

----------

## richard.scott

Why not configure your DHCP server to give out dedicated IPs to known MAC addresses?

You'd need to add something like this to your dhcpd.conf file:

```
# One host block per registered device: the MAC is tied to a fixed address
host LAP071 {
  # Linksys
  hardware ethernet 00:14:bf:d8:82:3f;
  fixed-address 192.168.98.2;
  option routers 192.168.98.1;
}
```

If something new is plugged into the network, then it won't be given an IP... but the user could hard-code one onto the device and that would still work and not be detected.

To detect that sort of thing, you'd need to use a Network Intrusion Detection System (NIDS) like Snort to monitor your network traffic. You would need a Snort sensor server connected to each switch and configure that switch to mirror all traffic to the port your Snort server is connected to (otherwise it won't see any traffic from the switch).

There's an ebuild for it in portage!

----------

## bunder

Snort is an IDS package, but IIRC it's meant for gateways and routers.

cheers

----------

## richard.scott

*bunder wrote:*

> Snort is an IDS package, but IIRC it's meant for gateways and routers.

Snort can act both as a Host IDS and a Network IDS

----------

## depontius

*richard.scott wrote:*

> Why not configure your DHCP server to give out dedicated IPs to known MAC addresses?

Depends on your degree of paranoia. MACs can be spoofed. Extraordinary paranoia is not always called for. On my home LAN I hand out MAC-based fixed IPs from my DHCP server. Some businesses might want to be more cautious.

----------

## ryandw

I just did something similar using arpwatch, swatch, and nmap. Swatch is configured to watch /var/log/messages for arpwatch's "new station" messages. When it sees one it launches a custom script, passing the IP as a parameter, which port scans the IP, emails me a copy of the results, and also sends me the results in the form of a network pop-up message. I was running arpwatch on its own previously with mail notification turned on, but quite often by the time I checked my mail and saw the new station message the new device was already disconnected.
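The classification step behind the swatch trigger described above, as an added example (not ryandw's script): it reads arpwatch syslog lines, pads the unpadded MAC octets arpwatch writes so they can be compared with the registered-device set, and flags both unregistered "new station" events and "changed ethernet address" / "flip flop" events, which cover the MAC-spoofing case depontius raised. The message layout is assumed from arpwatch's syslog output; the log excerpt and the registered set are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Constructed syslog excerpt in arpwatch's message layout (sample data, not a real capture).
SAMPLE_SYSLOG = """\
May  2 10:15:01 gw arpwatch: new station 10.215.144.50 0:c:29:12:34:56 eth0
May  2 10:15:03 gw sshd[2210]: Accepted publickey for admin from 10.215.144.9
May  2 10:16:40 gw arpwatch: new station 10.215.144.25 0:1e:b:aa:bb:cc eth0
May  2 10:20:12 gw arpwatch: changed ethernet address 10.215.144.10 0:c:29:12:34:56 (0:14:bf:d8:82:3f) eth0
"""

# Stand-in for the registered-device table from the database (constructed values).
REGISTERED_MACS = {"00:14:bf:d8:82:3f", "00:1e:0b:aa:bb:cc"}

ARPWATCH_RE = re.compile(
    r"arpwatch(?:\[\d+\])?: (new station|changed ethernet address|flip flop) "
    r"(\d{1,3}(?:\.\d{1,3}){3}) ([0-9a-fA-F:]+)(?: \(([0-9a-fA-F:]+)\))?"
)

def normalize_mac(mac: str) -> str:
    """arpwatch logs octets unpadded (0:c:29:...); pad to the 00:0c:29:... form the DB stores."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def classify(line: str, registered) -> Optional[Tuple[str, str, str, str]]:
    """Turn one syslog line into (severity, ip, mac, reason), or None if not an arpwatch message."""
    m = ARPWATCH_RE.search(line)
    if not m:
        return None
    event, ip, old_mac = m.group(1), m.group(2), m.group(4)
    mac = normalize_mac(m.group(3))
    if event == "new station":
        if mac in registered:
            return ("INFO", ip, mac, "registered device came online")
        # This is the point where swatch would hand the IP to the scan-and-notify script.
        return ("ALERT", ip, mac, "unregistered station; scan and notify")
    # A different MAC now answers for a known IP: a NIC replacement, or a spoofed
    # address of the kind depontius describes. Worth a look either way.
    reason = f"{event}; previously {normalize_mac(old_mac)}" if old_mac else event
    return ("ALERT", ip, mac, reason)

def process_log(text: str, registered) -> List[Tuple[str, str, str, str]]:
    """Run classify() over every line and keep only the arpwatch events."""
    events = (classify(line, registered) for line in text.splitlines())
    return [e for e in events if e is not None]

if __name__ == "__main__":
    for severity, ip, mac, reason in process_log(SAMPLE_SYSLOG, REGISTERED_MACS):
        print(f"{severity} {ip} {mac}: {reason}")
```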

----------

