* [LARTC] Personal Firewalls
From: Alfred Vahau @ 2005-01-10  3:22 UTC (permalink / raw)
  To: lartc

Hello,
Our ISP provides a firewall and NAT services for our Intranet.
However, within the Intranet, there appear to be personal firewalls
around some anonymous PCs. The IP addresses of these PCs can
be detected by our network monitoring tool.

The identity of the user however remains anonymous.

Are there any tools that can be used to penetrate the personal firewall
and reveal the identity of the users? All our IP addresses fall within
specific ranges and the existence of these addresses is against the
policies on computer usage.

Thanks for any pointers,

Alfred Vahau
IT Services
Uni. PNG

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Personal Firewalls
From: Peter Surda @ 2005-01-10  9:39 UTC (permalink / raw)
  To: lartc

Alfred Vahau wrote:

> All our IP addresses fall within
> specific ranges and the existence of these addresses is against the
> policies on computer usage.

In that case it's easy. Block their network access on the router and 
wait until they contact you :-)

> Alfred Vahau
> IT Services
> Uni. PNG

Yours sincerely
Peter Surda


* Re: [LARTC] Personal Firewalls
From: Alfred Vahau @ 2005-01-10 18:33 UTC (permalink / raw)
  To: lartc

Thanks for the reply. This is the practice at present. We block off one
IP and another pops up. At times, quite a few of them appear. We suspect
that some of these guys are disgruntled ex-employees who have unauthorized
access or are accessing the network with the help of other staff.

alfred,


Peter Surda wrote:

> Alfred Vahau wrote:
>
>> All our IP addresses fall within
>> specific ranges and the existence of these addresses is against the
>> policies on computer usage.
>
>
> In that case it's easy. Block their network access on the router and 
> wait until they contact you :-)
>
>> Alfred Vahau
>> IT Services
>> Uni. PNG
>
>
> Yours sincerely
> Peter Surda
>



* Re: [LARTC] Personal Firewalls
From: David Hough @ 2005-01-10 18:47 UTC (permalink / raw)
  To: lartc

On Mon, 2005-01-10 at 18:33, Alfred Vahau wrote:
> Thanks for the reply. This is the practice at present. We block off one 
> IP and another pops up.
> At times, quite a few of them appear. We suspect that some of these guys 
> are disgruntled ex-employees
> who have unauthorized access or are accessing the network with the help 
> of other staff.

It sounds as though you need a script tied in with your DHCP server so
that only recognised MAC addresses get given IP addresses and only those
addresses currently allocated get access via the firewall.
-- 
Dave
So many gadgets, so little time
http://www.llondel.org/

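David's DHCP-plus-firewall idea, as an added example that is not from the thread: it reads a constructed ISC dhcpd.leases fragment, keeps only leases in `binding state active` whose MAC is on a hypothetical register of issued equipment, and emits iptables rules that pair each allocated IP with its MAC through the `mac` match module (the known-MAC set and chain name are assumptions). The `mac` match only sees hosts on a segment directly attached to the firewall, and an active lease for an unregistered MAC is reported rather than silently dropped.

```python
import re

# Constructed dhcpd.leases fragment in ISC dhcpd format (not real data).
LEASES = """\
lease 10.1.5.40 {
  starts 1 2005/01/10 03:22:00;
  ends 1 2005/01/10 15:22:00;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
lease 10.1.5.41 {
  starts 1 2005/01/09 03:22:00;
  ends 1 2005/01/09 15:22:00;
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ef;
}
lease 10.1.5.42 {
  binding state active;
  hardware ethernet 00:de:ad:be:ef:01;
}
"""
# Hypothetical register of MAC addresses IT has issued equipment for.
KNOWN_MACS = {"00:aa:bb:cc:dd:ee", "00:aa:bb:cc:dd:ef"}

LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)

def active_leases(text):
    """Return {ip: mac} for leases whose latest record is 'binding state active'."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state (\w+);", body)
        mac = re.search(r"hardware ethernet ([0-9a-f:]+);", body, re.I)
        if state and mac:
            # dhcpd appends records; a later entry for the same IP overrides an earlier one
            leases[ip] = mac.group(1).lower() if state.group(1) == "active" else None
    return {ip: mac for ip, mac in leases.items() if mac}

def firewall_rules(text, known_macs, chain="FORWARD"):
    """iptables rules allowing only allocated IP/MAC pairs; unknown MACs are reported."""
    rules, unknown = [], []
    for ip, mac in sorted(active_leases(text).items()):
        if mac not in known_macs:
            unknown.append((ip, mac))   # lease exists but MAC is not registered
            continue
        rules.append("iptables -A %s -s %s -m mac --mac-source %s -j ACCEPT" % (chain, ip, mac))
    rules.append("iptables -A %s -j DROP" % chain)   # everything else is dropped
    return rules, unknown
```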


* Re: [LARTC] Personal Firewalls
From: Peter Surda @ 2005-01-10 19:47 UTC (permalink / raw)
  To: lartc

Alfred Vahau wrote:

> Thanks for the reply. This is the practice at present. We block off 
> one IP and another pops up.
> At times, quite a few of them appear. We suspect that some of these 
> guys are disgruntled ex-employees
> who have unauthorized access or are accessing the network with the 
> help of other staff.

Aha, so you suspect malicious intent and not only accidental behaviour. 
In that case you shouldn't expect that some other internal information 
found on the problematic computers is valid either.

However, there is a possibility if you want to find the computer by IP, 
if you use manageable switches. As you know which IPs are improper, you 
can also find the corresponding MAC address passively from the router's 
ARP table (or actively by arping), and the switches will be able to tell 
you on which port this MAC is plugged. Then you can e.g. shutdown the 
port or follow the cable to the physical computer location.

> alfred,

Yours sincerely
Peter Surda

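The IP-to-MAC-to-port lookup Peter describes, as an added example that is not from the thread: it parses a constructed `ip neigh show` dump taken on the router and a constructed Cisco IOS-style `show mac address-table` dump, reports every neighbour outside a hypothetical list of allocated addresses, and notes when the matching switch port carries several MACs (an uplink to another switch rather than the end host). Switch output varies by vendor, so the column regex is an assumption for that format.

```python
import re
# Constructed sample of `ip neigh show` output on the router (not real data).
IP_NEIGH = """\
10.1.5.23 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
10.1.5.40 dev eth1 lladdr 00:aa:bb:cc:dd:ee STALE
10.1.5.99 dev eth1  FAILED
10.1.7.8 dev eth1 lladdr 00:11:22:33:44:66 REACHABLE
"""
# Constructed Cisco IOS-style `show mac address-table` dump (not real data).
MAC_TABLE = """\
  10    0011.2233.4455    DYNAMIC     Fa0/7
  10    00aa.bbcc.ddee    DYNAMIC     Gi0/1
  10    0011.2233.4466    DYNAMIC     Gi0/1
"""
ALLOCATED = {"10.1.5.40"}  # hypothetical: addresses IT actually issued

def normalize_mac(raw):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_neighbours(text):
    """IP -> MAC from `ip neigh`; entries with no lladdr (FAILED) are skipped."""
    pairs = re.findall(r"^(\S+) dev \S+ lladdr (\S+)", text, re.M)
    return {ip: normalize_mac(mac) for ip, mac in pairs}

def parse_mac_table(text):
    """MAC -> port, plus MACs seen per port so uplink ports can be recognised."""
    port_of, per_port = {}, {}
    for mac, port in re.findall(r"^\s*\d+\s+(\S+)\s+\S+\s+(\S+)", text, re.M):
        port_of[normalize_mac(mac)] = port
        per_port[port] = per_port.get(port, 0) + 1
    return port_of, per_port

def locate_rogues(neigh_text, table_text, allocated):
    """{ip: (mac, port, note)} for every ARP neighbour that was never allocated."""
    port_of, per_port = parse_mac_table(table_text)
    report = {}
    for ip, mac in parse_neighbours(neigh_text).items():
        if ip in allocated:
            continue
        port = port_of.get(mac)
        if port is None:
            note = "MAC not on this switch; query the other switches"
        elif per_port[port] > 1:
            note = "port carries %d MACs: probably an uplink" % per_port[port]
        else:
            note = "single host on this port"
        report[ip] = (mac, port, note)
    return report
```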

* Re: [LARTC] Personal Firewalls
From: Alfred Vahau @ 2005-01-11 14:28 UTC (permalink / raw)
  To: lartc

We don't use a DHCP server but maybe it's an option that needs to be 
looked into.

Alfred,


David Hough wrote:

> On Mon, 2005-01-10 at 18:33, Alfred Vahau wrote:
>> Thanks for the reply. This is the practice at present. We block off one
>> IP and another pops up.
>> At times, quite a few of them appear. We suspect that some of these guys
>> are disgruntled ex-employees
>> who have unauthorized access or are accessing the network with the help
>> of other staff.
>
> It sounds as though you need a script tied in with your DHCP server so
> that only recognised MAC addresses get given IP addresses and only those
> addresses currently allocated get access via the firewall.


* Re: [LARTC] Personal Firewalls
From: Alfred Vahau @ 2005-01-11 14:39 UTC (permalink / raw)
  To: lartc



Peter Surda wrote:

> Alfred Vahau wrote:
>
>> Thanks for the reply. This is the practice at present. We block off 
>> one IP and another pops up.
>> At times, quite a few of them appear. We suspect that some of these 
>> guys are disgruntled ex-employees
>> who have unauthorized access or are accessing the network with the 
>> help of other staff.
>
>
> Aha, so you suspect malicious intent and not only accidental 
> behaviour. In that case you shouldn't expect that some other internal 
> information found on the problematic computers is valid either.

We have not dismissed malicious intent. However, the chances of it
happening are quite remote. Rather the fight is against network abuse.
In line with the core objectives of our institution, there are sites
which are defined as unproductive. It is the access to these sites for which
strange IP addresses spring up, some of which are within our IP range,
for which the logs do not provide very much information on the
identity of the user.

>
> However, there is a possibility if you want to find the computer by 
> IP, if you use manageable switches. As you know which IPs are 
> improper, you can also find the corresponding MAC address passively 
> from the router's ARP table (or actively by arping), and the switches 
> will be able to tell you on which port this MAC is plugged. Then you 
> can e.g. shutdown the port or follow the cable to the physical 
> computer location.
>
Thanks for this pointer. This option looks viable and we will pursue it.

>> alfred,
>
>
> Yours sincerely
> Peter Surda

alfred,



-- 
Perl is my reason for following the Sun;



* Re: [LARTC] Personal Firewalls
From: Alfred Vahau @ 2005-01-11 14:42 UTC (permalink / raw)
  To: lartc

Thank you for these pointers. These options will be explored.

alfred,


khurram sohaib wrote:

> You can use IPTraf to monitor traffic; for further restrictions you
> can use DHCP with MAC addresses and add those addresses to your forward
> and filter rules in iptables. This will solve your problem.
>
> if you need the further help for this, please let me know.
>
> khurram


-- 
Perl is my reason for following the Sun;



* Re: [LARTC] Personal Firewalls
From: Alfred Vahau @ 2005-01-31 18:14 UTC (permalink / raw)
  To: lartc

> However, there is a possibility if you want to find the computer by
> IP, if you use manageable switches. As you know which IPs are improper,
> you can also find the corresponding MAC address passively from the
> router's ARP table (or actively by arping), and the switches will be
> able to tell you on which port this MAC is plugged. Then you can e.g.
> shutdown the port or follow the cable to the physical computer location.

Just reporting back on how this went. The above worked beautifully and 
the suspect PC has been identified.
Two puzzling aspects which I hope the list will throw some light on are:

1. The ipconfig /all command on Windows returns the description of the 
NIC with company A but the MAC address contains the code for company B 
according to OUI scheme.

http://standards.ieee.org/regauth/oui/oui.txt

Is this an industry practice?

Both IP and MAC addresses match that of the investigated computer.

2. Our proxy access logs show that sites C and D were heavily accessed. 
The browser history shows site D being accessed but not a trace of
access to C. I am suspecting an ftp server being used.

Thanks in advance for the help.

alfred,

-- 
Perl - 
"... making the easy jobs easy,
without making the hard jobs impossible."
'The Camel', 3ed
