How about some scripts around fail2ban? If the same account logs in multiple times, it's banning time.
Kasper

On Friday, June 8, 2018, David Hubbard <dhubb...@dino.hostasaurus.com> wrote:
> This thread has piqued my curiosity on whether there'd be a way to detect a rogue access point, or proxy server with an inside and outside interface? Let's just say 802.1x is in place too to make it more interesting. For example, could employee X, who doesn't want their department to be back billed for more switch ports, go and get some reasonable wifi router, throw DD-WRT on it, and set up 802.1x client auth to the physical network using their credentials? They then let their staff wifi into it and the traffic is NAT'd. I'm sure anyone in a university setting has encountered this. Obviously policy can forbid, but any way to detect it other than seeing traffic patterns on a port not match historical once the other users have been combined onto it, or those other users' ports go down?
>
> David
>
>
> On 6/7/18, 10:18 AM, "NANOG on behalf of Mel Beckman" <nanog-boun...@nanog.org on behalf of m...@beckman.org> wrote:
>
> When we do NIST-CSF audits, we run an SNMP NMS called Intermapper, which has a Layer-2 collection feature that identifies the number and MACs of devices on any given switch port. We export this list and cull out all the known managed switch links. Anything remaining that has more than one MAC per port is a potential violation that we can readily inspect. It's not perfect, because an unmanaged switch might only have one device connected, in which case it won't be detected. You can also get false positives from hosts running virtualization, if the v-kernel generates synthetic MAC addresses. But it's amazing how many times we find unmanaged switches squirreled away under desks or in ceilings.
>
> -mel
>
>
> On Jun 7, 2018, at 4:54 AM, Jason Hellenthal <jhellent...@dataix.net> wrote:
> >
> > As someone already stated the obvious answers, the slightly more difficult route to be getting a count of allowed devices and MAC addresses, then moving forward with something like ansible to poll the count of MACs on any given port ... of number higher than what's allowed, suspend the port and send a notification to the appropriate parties.
> >
> >
> > All in all though sounds like a really brash thing to do to your network team and will generally know and have a very good reason for doing so... but not all situations are created equally so good luck.
> >
> >
> > --
> >
> > The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
> >
> >> On Jun 7, 2018, at 03:57, segs <michaelolusegunru...@gmail.com> wrote:
> >>
> >> Hello All,
> >>
> >> Please I have a very interesting scenario that I am on the lookout for a solution for. We have instances where the network team of my company bypass controls and processes when adding new switches to the network.
> >>
> >> The right parameters that are required to be configured on the switches in order for the NAC solution deployed to have full visibility into end points that connect to such switches are not usually configured.
> >>
> >> This poses a problem for the security team as they don't have visibility into such devices that connect to such switches on the NAC solution; the network guys usually connect the new switches to the trunk port and they have access to all VLANs.
> >>
> >> Is there a solution that can detect new or unmanaged switches on the network, and block such devices, or if there is a solution that blocks users that connect to unmanaged switches on the network even if those users have domain PCs.
> >>
> >> Anticipating your speedy response.
> >>
> >> Thank You!
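The MAC-count-per-port check that Mel describes (export the Layer-2 collection, cull known managed switch links, flag anything with more than one MAC) and the threshold variant Jason suggests (a per-port allowed count, with action when it is exceeded) are the same detection logic. The script below is an added example for this thread, not code from Intermapper, from any poster, or from any NAC product. It assumes the NMS export has been mapped onto a plain `switch,port,mac` CSV (the sample export, the managed-link list and the virtual-OUI allow-list are all constructed); it also lets you decide how to treat the hypervisor false positive Mel mentions.

```python
"""Flag switch ports carrying more MAC addresses than allowed.

Added example for the NANOG thread above; not code from Intermapper or any
poster. Assumes the per-port MAC export has been converted to a CSV with the
columns switch,port,mac. Any real NMS export will need mapping onto this.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (switch, port, MAC) the NMS saw.
SAMPLE_EXPORT = """\
switch,port,mac
sw-bldg1-1,Gi1/0/1,00:11:22:33:44:01
sw-bldg1-1,Gi1/0/2,00:11:22:33:44:02
sw-bldg1-1,Gi1/0/2,00:11:22:33:44:03
sw-bldg1-1,Gi1/0/2,00:11:22:33:44:04
sw-bldg1-1,Gi1/0/3,00:11:22:33:44:05
sw-bldg1-1,Gi1/0/3,00:50:56:aa:bb:01
sw-bldg1-1,Gi1/0/3,00:50:56:aa:bb:02
sw-bldg1-1,Gi1/0/24,00:11:22:33:44:10
sw-bldg1-1,Gi1/0/24,00:11:22:33:44:11
sw-bldg1-1,Gi1/0/24,00:11:22:33:44:12
"""

# Known managed inter-switch links, culled before inspection (constructed;
# in practice this comes from your switch inventory / LLDP neighbour data).
MANAGED_LINKS = {("sw-bldg1-1", "Gi1/0/24")}

# OUI prefixes expected to show up as extra MACs behind a legitimate host,
# e.g. 00:50:56 (VMware virtual NICs). Constructed allow-list; extend it
# from your own inventory of hypervisor hosts.
VIRTUAL_OUIS = {"00:50:56"}


def parse_export(text):
    """Return {(switch, port): set(macs)} from the CSV export."""
    per_port = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["switch"].strip(), row["port"].strip())
        per_port[key].add(row["mac"].strip().lower())
    return per_port


def is_virtual(mac):
    """True if the MAC's OUI (first three octets) is on the virtual list."""
    return mac[:8] in VIRTUAL_OUIS


def find_violations(per_port, managed_links=MANAGED_LINKS, max_macs=1,
                    ignore_virtual=True):
    """Ports with more than max_macs MACs, after dropping managed links.

    With ignore_virtual set, MACs from VIRTUAL_OUIS are not counted. That
    suppresses the hypervisor false positive at the cost of missing an
    unmanaged switch whose downstream hosts happen to all be VMs, so run
    it both ways if you want a complete picture.
    """
    violations = []
    for (switch, port), macs in sorted(per_port.items()):
        if (switch, port) in managed_links:
            continue
        counted = {m for m in macs if not (ignore_virtual and is_virtual(m))}
        if len(counted) > max_macs:
            violations.append((switch, port, sorted(counted)))
    return violations


if __name__ == "__main__":
    for switch, port, macs in find_violations(parse_export(SAMPLE_EXPORT)):
        print(f"{switch} {port}: {len(macs)} MACs -> {', '.join(macs)}")
```

On the sample data, `Gi1/0/2` is reported (three MACs on an access port), `Gi1/0/24` is skipped as a managed uplink, and `Gi1/0/3` is reported only when `ignore_virtual=False`, which is the hypervisor case Mel warns about. As Mel notes, an unmanaged switch with a single device behind it never trips this check, so treat the output as a list to go and inspect, not as proof either way. Whether a hit should suspend the port (Jason's suggestion) or only notify is a policy choice to make before automating it.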