* Who is connected to network
@ 2005-01-05  7:10 it clown
  2005-01-05 16:38 ` Michael Balasko
  2005-01-06 12:36 ` Jose Maria Lopez
  0 siblings, 2 replies; 6+ messages in thread
From: it clown @ 2005-01-05  7:10 UTC (permalink / raw)
  To: netfilter

Is there a way to see who is connected to your network?

Say if you have a wireless network and you need to know if
someone got it right to get onto your network.

How do you monitor that and how do you prevent it?

Even on a normal network how could you monitor who is
connected to your network?

Regards
_____________________________________________________________________
For super low premiums, click here http://www.dialdirect.co.za/quote



* Re: Who is connected to network
  2005-01-05  7:10 Who is connected to network it clown
@ 2005-01-05 16:38 ` Michael Balasko
  2005-11-29 10:20   ` Alexander E. Belck
  2005-01-06 12:36 ` Jose Maria Lopez
  1 sibling, 1 reply; 6+ messages in thread
From: Michael Balasko @ 2005-01-05 16:38 UTC (permalink / raw)
  To: it clown, netfilter

Currently we have coded something in house that scrubs all the 
connectivity devices for the mac addresses and will email us when an 
unauthorized device shows up on the network (All Cisco gear). There is 
work in progress to expand this to automatically clip the port and fire 
off a series of emails and other actions.  Additionally, all of the 
ports on the switches are configured to allow only one device into a 
port, so it would be very difficult to drop a hub in place and start 
sniffing. There are also a few other tricks in place to prevent man in 
the middle attacks and a few other exploits.

As far as the wireless stuff goes, it would be amazingly difficult but 
not impossible to get it right. Our APs will not allow authentication 
without the client MAC being pounded into our ACS servers (MAC spoofing 
isn't all that hard, but). Also the APs don't broadcast the 
SSIDs (fairly easy to get around). In the case that someone gets the 
first two right, they need to then figure out the name of the VPN 
servers. We do not allow any type of access from the APs without a VPN 
session established. Then they need to get the VPN settings right and 
also need to have a user account compromised that had VPN access. Not 
impossible, but quite difficult for someone to do without making any 
"noise" that we would be alerted on. At that point the access lists on 
the APs keep you from really touching any of the gear that would hurt us.

All that being said there are millions of exploits out there and lots of 
tools, but we feel that we have a fairly good system in place to deter 
all but the very skilled and very determined person out there.

Hope that provides a bit of info you were looking for. Feel free to ask 
any ?'s if you have any.

Mike Balasko
Network Specialist II
City of Henderson

it clown wrote:

>Is there a way to see who is connected to your network?
>
>Say if you have a wireless network and you need to know if
>someone got it right to get onto your network.
>
>How do you monitor that and how do you prevent it?
>
>Even on a normal network how could you monitor who is
>connected to your network?
>
>Regards
>_____________________________________________________________________
>For super low premiums, click here http://www.dialdirect.co.za/quote
>
>  
>



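Michael's in-house scanner is not posted in the thread. As an added illustration of the idea (my code, not his or the City of Henderson's), here is a small POSIX shell script that compares the MAC addresses in a host's neighbour table against an allowlist and prints the unknown ones. The allowlist, the sample neighbour-table lines and every address in them are constructed for the example; on a real gateway the input would be piped in from `ip neigh show`, and a switch's MAC table would be collected some other way (for instance over SNMP) before being fed to the same check.

```shell
#!/bin/sh
# Added example (not from the thread): report neighbour-table MAC addresses
# that are not on an allowlist. Runs offline on the embedded sample; replace
# the sample with `ip neigh show` output on a real host.

# Constructed allowlist: one lower-case MAC per line (hypothetical values).
ALLOWED_MACS='00:11:22:33:44:55
00:11:22:33:44:66
aa:bb:cc:dd:ee:01'

# Constructed sample in the format printed by `ip neigh show` (hypothetical
# hosts). The last entry has no link-layer address, as FAILED entries do.
SAMPLE_NEIGH='192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.12 dev eth0 lladdr AA:BB:CC:DD:EE:01 REACHABLE
192.168.1.99 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.100 dev eth0  FAILED'

# unknown_macs ALLOWLIST < neighbour-table
# Prints "ip mac" for every neighbour whose MAC is not in ALLOWLIST.
# MACs are compared case-insensitively; entries without "lladdr" are skipped.
unknown_macs() {
    allow="$1"
    awk -v allow="$allow" '
        BEGIN {
            n = split(allow, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") ok[tolower(a[i])] = 1
        }
        {
            mac = ""
            for (i = 1; i < NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac != "" && !(mac in ok)) print $1, mac
        }'
}

# report_unknown: run the check over the embedded sample. In production the
# output would go to mail or syslog instead of stdout.
report_unknown() {
    printf '%s\n' "$SAMPLE_NEIGH" | unknown_macs "$ALLOWED_MACS"
}

report_unknown
```

Run as a cron job against the live neighbour table, the script only produces output when something unlisted appears, which is the condition Michael's setup mails on. Keeping the comparison case-insensitive matters because different tools print MACs in different cases, as the sample shows.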

* Re: Who is connected to network
@ 2005-01-05 22:09 alexb
  2005-01-05 22:57 ` Michael Balasko
  0 siblings, 1 reply; 6+ messages in thread
From: alexb @ 2005-01-05 22:09 UTC (permalink / raw)
  To: netfilter

Hi Michael!

I'm interested to know how to make a VPN from the AP to each client.
How do you implement this:
"We do not allow any type of access from the APs without a VPN session
established"
Is this done at the gateway between the APs and the Internet?
Something I can do with iptables?

Thanks,

Alex

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On behalf of Michael Balasko
Sent: Wednesday, January 5, 2005 14:39
To: it clown; netfilter@lists.netfilter.org
Subject: Re: Who is connected to network

Currently we have coded something in house that scrubs all the
connectivity devices for the mac addresses and will email us when an
unauthorized device shows up on the network (All Cisco gear). There is
work in progress to expand this to automatically clip the port and fire
off a series of emails and other actions.  Additionally, all of the
ports on the switches are configured to allow only one device into a
port, so it would be very difficult to drop a hub in place and start
sniffing. There are also a few other tricks in place to prevent man in
the middle attacks and a few other exploits.

As far as the wireless stuff goes, it would be amazingly difficult but
not impossible to get it right. Our APs will not allow authentication
without the client MAC being pounded into our ACS servers (MAC spoofing
isn't all that hard, but). Also the APs don't broadcast the
SSIDs (fairly easy to get around). In the case that someone gets the
first two right, they need to then figure out the name of the VPN
servers. We do not allow any type of access from the APs without a VPN
session established. Then they need to get the VPN settings right and
also need to have a user account compromised that had VPN access. Not
impossible, but quite difficult for someone to do without making any
"noise" that we would be alerted on. At that point the access lists on
the APs keep you from really touching any of the gear that would hurt us.

All that being said there are millions of exploits out there and lots of
tools, but we feel that we have a fairly good system in place to deter
all but the very skilled and very determined person out there.

Hope that provides a bit of info you were looking for. Feel free to ask
any ?'s if you have any.

Mike Balasko
Network Specialist II
City of Henderson

it clown wrote:

>Is there a way to see who is connected to your network?
>
>Say if you have a wireless network and you need to know if
>someone got it right to get onto your network.
>
>How do you monitor that and how do you prevent it?
>
>Even on a normal network how could you monitor who is
>connected to your network?
>
>Regards
>_____________________________________________________________________
>For super low premiums, click here http://www.dialdirect.co.za/quote
>
>
>


-----------------------------------------------------------------
This message was sent by IMP, the Internet Messaging Program.



* Re: Who is connected to network
  2005-01-05 22:09 alexb
@ 2005-01-05 22:57 ` Michael Balasko
  0 siblings, 0 replies; 6+ messages in thread
From: Michael Balasko @ 2005-01-05 22:57 UTC (permalink / raw)
  To: alexb, netfilter

In this particular case we have the APs configured in a specific manner. 
The Cisco APs will allow you to apply access lists based upon 
SSID/authentication. Once you're connected to the proper SSID the access 
lists will allow only GRE and a few other protocols through (RADIUS, DNS 
and so on). Once that happens the workstation is responsible for 
lighting the VPN tunnel. The server side of our equation for the VPN 
stuff is Cisco gear, but there is no reason you couldn't use an open 
source box to terminate the VPN tunnel on. How you do it is up to you.

Mike

alexb@atix.com.br wrote:

>Hi Michael!
>
>I'm interested to know how to make a VPN from the AP to each client.
>How do you implement this:
>"We do not allow any type of access from the APs without a VPN session
>established"
>Is this done at the gateway between the APs and the Internet?
>Something I can do with iptables?
>
>Thanks,
>
>Alex
>
>-----Original Message-----
>From: netfilter-bounces@lists.netfilter.org
>[mailto:netfilter-bounces@lists.netfilter.org] On behalf of Michael Balasko
>Sent: Wednesday, January 5, 2005 14:39
>To: it clown; netfilter@lists.netfilter.org
>Subject: Re: Who is connected to network
>
>Currently we have coded something in house that scrubs all the
>connectivity devices for the mac addresses and will email us when an
>unauthorized device shows up on the network (All Cisco gear). There is
>work in progress to expand this to automatically clip the port and fire
>off a series of emails and other actions.  Additionally, all of the
>ports on the switches are configured to allow only one device into a
>port, so it would be very difficult to drop a hub in place and start
>sniffing. There are also a few other tricks in place to prevent man in
>the middle attacks and a few other exploits.
>
>As far as the wireless stuff goes, it would be amazingly difficult but
>not impossible to get it right. Our APs will not allow authentication
>without the client MAC being pounded into our ACS servers (MAC spoofing
>isn't all that hard, but). Also the APs don't broadcast the
>SSIDs (fairly easy to get around). In the case that someone gets the
>first two right, they need to then figure out the name of the VPN
>servers. We do not allow any type of access from the APs without a VPN
>session established. Then they need to get the VPN settings right and
>also need to have a user account compromised that had VPN access. Not
>impossible, but quite difficult for someone to do without making any
>"noise" that we would be alerted on. At that point the access lists on
>the APs keep you from really touching any of the gear that would hurt us.
>
>All that being said there are millions of exploits out there and lots of
>tools, but we feel that we have a fairly good system in place to deter
>all but the very skilled and very determined person out there.
>
>Hope that provides a bit of info you were looking for. Feel free to ask
>any ?'s if you have any.
>
>Mike Balasko
>Network Specialist II
>City of Henderson
>
>it clown wrote:
>
>  
>
>>Is there a way to see who is connected to your network?
>>
>>Say if you have a wireless network and you need to know if
>>someone got it right to get onto your network.
>>
>>How do you monitor that and how do you prevent it?
>>
>>Even on a normal network how could you monitor who is
>>connected to your network?
>>
>>Regards
>>_____________________________________________________________________
>>For super low premiums, click here http://www.dialdirect.co.za/quote
>>
>>
>>
>>    
>>
>
>
>-----------------------------------------------------------------
>This message was sent by IMP, the Internet Messaging Program.
>
>  
>



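Michael's filtering lives in Cisco AP access lists, which the thread does not reproduce. Since alexb asked whether the same thing can be done with iptables, here is an added example (mine, not Michael's configuration) of the equivalent policy on a Linux gateway sitting between the APs and the wired LAN: the wireless segment may only reach the VPN concentrator on the ports needed to build an IPsec or PPTP tunnel, plus DNS and RADIUS, and everything else is logged and dropped. The interface name, subnets and server addresses are placeholders. The script prints the commands by default and applies them only when IPT=iptables is set; traffic that arrives inside the tunnel enters the LAN from the concentrator's side, so it never passes through this chain.

```shell
#!/bin/sh
# Added example, not Michael's Cisco configuration: an iptables policy for a
# Linux gateway between the access points and the wired LAN. Wireless clients
# may only reach what is needed to bring up the VPN; anything else is dropped
# until it arrives inside the tunnel. All names and addresses are placeholders.
WLAN_IF="${WLAN_IF:-eth1}"                 # interface facing the APs
WLAN_NET="${WLAN_NET:-10.10.0.0/24}"       # wireless client subnet
VPN_SERVER="${VPN_SERVER:-10.0.0.5}"       # VPN concentrator (wired side)
RADIUS_SERVER="${RADIUS_SERVER:-10.0.0.6}" # ACS/RADIUS used by the APs
DNS_SERVER="${DNS_SERVER:-10.0.0.7}"       # resolver the clients may use

# IPT defaults to echoing the commands so the policy can be reviewed without
# root; set IPT=iptables to apply it.
IPT="${IPT:-echo iptables}"

wireless_rules() {
    $IPT -N WLAN_IN 2>/dev/null
    $IPT -F WLAN_IN
    # Return traffic for flows the rules below permitted
    $IPT -A WLAN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # IPsec: IKE, NAT-T and ESP, only towards the concentrator
    $IPT -A WLAN_IN -p udp --dport 500 -d "$VPN_SERVER" -j ACCEPT
    $IPT -A WLAN_IN -p udp --dport 4500 -d "$VPN_SERVER" -j ACCEPT
    $IPT -A WLAN_IN -p esp -d "$VPN_SERVER" -j ACCEPT
    # PPTP: control channel plus GRE (the protocol Michael's AP ACL passes)
    $IPT -A WLAN_IN -p tcp --dport 1723 -d "$VPN_SERVER" -j ACCEPT
    $IPT -A WLAN_IN -p gre -d "$VPN_SERVER" -j ACCEPT
    # DNS so the client can resolve the concentrator's name
    $IPT -A WLAN_IN -p udp --dport 53 -d "$DNS_SERVER" -j ACCEPT
    # RADIUS authentication and accounting from the APs
    $IPT -A WLAN_IN -p udp --dport 1812 -d "$RADIUS_SERVER" -j ACCEPT
    $IPT -A WLAN_IN -p udp --dport 1813 -d "$RADIUS_SERVER" -j ACCEPT
    # Everything else from the wireless side: rate-limited log, then drop.
    # The log line is the "noise" a pre-VPN probe leaves behind.
    $IPT -A WLAN_IN -m limit --limit 5/min -j LOG --log-prefix "WLAN-DROP: "
    $IPT -A WLAN_IN -j DROP
    # Send both forwarded and gateway-destined wireless traffic through it
    $IPT -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -j WLAN_IN
    $IPT -A INPUT -i "$WLAN_IF" -s "$WLAN_NET" -j WLAN_IN
}

# rule_count: number of iptables invocations the policy generates (echo mode)
rule_count() {
    wireless_rules | grep -c '^iptables '
}

wireless_rules
```

Review the printed rules first, then run with `IPT=iptables sh wlan-policy.sh` on the gateway. Keep the DROP line last and the LOG line just above it: the log entries are what lets you notice a client that has joined the SSID but never completed a tunnel, which is the detection Michael relies on.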

* Re: Who is connected to network
  2005-01-05  7:10 Who is connected to network it clown
  2005-01-05 16:38 ` Michael Balasko
@ 2005-01-06 12:36 ` Jose Maria Lopez
  1 sibling, 0 replies; 6+ messages in thread
From: Jose Maria Lopez @ 2005-01-06 12:36 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org

On Wed, 05 Jan 2005 at 08:10, it clown wrote:
> Is there a way to see who is connected to your network?
> 
> Say if you have a wireless network and you need to know if
> someone got it right to get onto your network.
> 
> How do you monitor that and how do you prevent it?
> 
> Even on a normal network how could you monitor who is
> connected to your network?

You can always use a RADIUS server to authenticate the
users and it will tell you who is connected to the network.
The most obvious option for this is FreeRADIUS; it's a little
complicated to make it run, but it's very useful afterwards.

Another option is using ntop, which can show you the machines
connected to the network.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"




* Re: Who is connected to network
  2005-01-05 16:38 ` Michael Balasko
@ 2005-11-29 10:20   ` Alexander E. Belck
  0 siblings, 0 replies; 6+ messages in thread
From: Alexander E. Belck @ 2005-11-29 10:20 UTC (permalink / raw)
  To: netfilter

Can you give some more tips on how you set up the VPN?
What kind of VPN do you use? Do you have an IPsec server or PPTP?
Who establishes the VPN at the client side, is it the wireless client or a
host/router behind it?

Thanks,

Alex

On Wed 05 Jan 2005 14:38, Michael Balasko wrote:
> Currently we have coded something in house that scrubs all the
> connectivity devices for the mac addresses and will email us when an
> unauthorized device shows up on the network (All Cisco gear). There is
> work in progress to expand this to automatically clip the port and fire
> off a series of emails and other actions.  Additionally, all of the
> ports on the switches are configured to allow only one device into a
> port, so it would be very difficult to drop a hub in place and start
> sniffing. There are also a few other tricks in place to prevent man in
> the middle attacks and a few other exploits.
>
> As far as the wireless stuff goes, it would be amazingly difficult but
> not impossible to get it right. Our APs will not allow authentication
> without the client MAC being pounded into our ACS servers (MAC spoofing
> isn't all that hard, but). Also the APs don't broadcast the
> SSIDs (fairly easy to get around). In the case that someone gets the
> first two right, they need to then figure out the name of the VPN
> servers. We do not allow any type of access from the APs without a VPN
> session established. Then they need to get the VPN settings right and
> also need to have a user account compromised that had VPN access. Not
> impossible, but quite difficult for someone to do without making any
> "noise" that we would be alerted on. At that point the access lists on
> the APs keep you from really touching any of the gear that would hurt us.
>
> All that being said there are millions of exploits out there and lots of
> tools, but we feel that we have a fairly good system in place to deter
> all but the very skilled and very determined person out there.
>
> Hope that provides a bit of info you were looking for. Feel free to ask
> any ?'s if you have any.
>
> Mike Balasko
> Network Specialist II
> City of Henderson
>
> it clown wrote:
> >Is there a way to see who is connected to your network?
> >
> >Say if you have a wireless network and you need to know if
> >someone got it right to get onto your network.
> >
> >How do you monitor that and how do you prevent it?
> >
> >Even on a normal network how could you monitor who is
> >connected to your network?
> >
> >Regards
> >_____________________________________________________________________
> >For super low premiums, click here http://www.dialdirect.co.za/quote


