RE: [Full-disclosure] how to bypass rogue machine detection techniques
- To: <gkverma@xxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: RE: [Full-disclosure] how to bypass rogue machine detection techniques
- From: <amrnems@xxxxxxxxxxxx>
- Date: Tue, 12 Jul 2005 05:45:07 -0700
Great physical access is a must when dealing with rogue devices on
a physical network. But using 802.1x, and disabling the unused
ports would probably be your best answer. If you just implement
802.1x or as you first mentioned, some kind of port scanning, then
you would never be able to detect a person with a "receive" only
cable connected to your switch.
AmRnEmS
-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Gaurav Kumar
Sent: Monday, July 11, 2005 4:59 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] how to bypass rogue machine detection techniques
Friends,
There are several techniques available for detecting rogue (not
being a member of a trusted domain) machines, such as active
scanning, Active Directory querying etc., but I guess most powerful
being the one used by ePolicy Orchestrator. Its agents (deployed on
each subnet) check for L2 broadcasts like ARP broadcasts etc. After
detecting a broadcast, it uses the MAC address and IP address to
proceed further to detect whether the machine is rogue or not.
http://www.networkassociates.com/us/local_content/white_papers/wp_epo3_5_rsdwhitepaper_july2004.pdf
I was wondering if this approach is foolproof and can be safely
deployed or if there is a way to bypass it?
Regards,
Gaurav
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
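The passive, broadcast-based detection discussed in this thread, sketched as an added example that is not part of either message and is not ePolicy Orchestrator's code: a subnet sensor parses ARP broadcasts and reports sender MAC/IP pairs missing from an inventory. The trusted-MAC inventory (a stand-in for the product's follow-up checks), the function names, and the sample frames are assumptions constructed for illustration; frames are assumed to be untagged Ethernet.

```python
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806

def parse_arp_broadcast(frame):
    """Return (sender_mac, sender_ip) for a broadcast IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if dst != BROADCAST or ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

def find_unknown_hosts(frames, trusted_macs):
    """Map each MAC not in the inventory to the set of IPs it announced."""
    unknown = {}
    for frame in frames:
        parsed = parse_arp_broadcast(frame)
        if parsed and parsed[0] not in trusted_macs:
            unknown.setdefault(parsed[0], set()).add(parsed[1])
    return unknown

def build_arp_request(mac, ip, target_ip):
    """Build a constructed ARP request frame for the sample data below."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(p) for p in ip.split("."))
    tpa = bytes(int(p) for p in target_ip.split("."))
    eth = BROADCAST + sha + struct.pack("!H", ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + bytes(6) + tpa

# Constructed sample data: one inventoried host, one unknown host, one unicast IPv4 frame.
TRUSTED_MACS = {"00:aa:bb:cc:dd:01"}
SAMPLE_FRAMES = [
    build_arp_request("00:aa:bb:cc:dd:01", "10.0.0.5", "10.0.0.1"),
    build_arp_request("00:11:22:33:44:55", "10.0.0.99", "10.0.0.1"),
    bytes.fromhex("00aabbccdd01") + bytes.fromhex("00aabbccdd02") + b"\x08\x00" + bytes(46),
]

# The sensor only learns about hosts that transmit. A host that never sends a
# frame (the receive-only cable from the reply) contributes nothing to `frames`
# and cannot appear in the result, which is why the reply pairs detection with
# 802.1x and disabling unused ports.
if __name__ == "__main__":
    for mac, ips in find_unknown_hosts(SAMPLE_FRAMES, TRUSTED_MACS).items():
        print(f"unknown host {mac} announced {sorted(ips)}")
```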