Could be 802.1X an alternative? Probably hard to deploy, switches andwireless
AP with the feature and some OS challenges but it may be asolution.
-tlecu
On 09/03/06, Ron Gula <rgula@tenablesecurity.com> wrote:> At 05:15 AM 3/6/2006,
Mircea MITU wrote:> >On Thu, 2006-03-02 at 23:47 +0000,
dhamm@jackofallgames.com wrote:> > > Is there a way to setup a scan and be
notified of an intruding pc that> > > is physically plugged into the network?>
Sure, use arpwatch.>> Actually, this will find "new" hosts all the time
with little> discrimination between a new valid laptop on the LAN and a>
visiting consultant in the conference room.>> A lot of SIMs have the ability to
process log files (such as> those of arpwatch or the dhcp logs of a Windows
server) and> identity the MAC address. If you can recognize a "new" MAC>
address and also associate it with something interesting like> "the conference
room" or "the server farm" you can specify> different levels of alerting or
logging. An example of this> is here in one of Tenable's TASL event correlation
rules:>> http://cgi.tenablesecurity.com/tasl/new_mac.tasl>> The particular
script is simple in that it just alerts on> a new MAC addr. Different scripts
could consume output of> this script and have 2nd order alerts depending on
the> location of the IP address issued, the type of MAC, .etc.>> Ron Gula, CTO>
Tenable Network Security>>>>>
------------------------------------------------------------------------> Test
Your IDS>> Is your IDS deployed correctly?> Find out quickly and easily by
testing it> with real-world attacks from CORE IMPACT.> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708> to learn
more.>
------------------------------------------------------------------------>>
