Dave,
Does anyone know of a Linux utility that can watch the MAC address
tables in Cisco switches and alert admins as to when a new device has
been plugged in?
I don't work with Cisco switches too much, however you may be able to
configure it to send an snmp alert to your Linux box when a new device is
plugged in. You'd then use snmp-util (or whatever it's called these days) to
handle the message on the Linux side.
Alternatively you can set up arpwatch on your Linux box and periodically ping
your whole range of IPs. Arpwatch will alert you when it sees new or changed
MAC addresses for those IPs.
Basically, we have your standard client network with DHCP. Internet
access is restricted to authenticated users, and so are the file shares.
However, we've had a few instances where people just plug in their
personal laptops which makes me very worried...
Okay, then a couple other things you might want to consider:
1. If it is a managed switch, you should be able to configure it to only
allow MACs on a given list, hence preventing new boxes from even getting a
layer 2 connection.
2. Set up the dhcp server to only allocate IPs to certain MAC addresses.
3. You should be able to get dhcpd to report to you when it allocates to a
previously unseen MAC address (probably by throwing together some scripts to
parse the log messages and comparing the MACs in them to a list).
Of course, all of the above are assuming that someone isn't spoofing their
MAC address to one that you allow on your network. Typically someone has to
be deliberately malicious to do that though, so the above strategies
(especially blocking based on MAC) are good for stopping people from
connecting up their personal laptop and infecting the network with the worm
du jure. The best prevention against MAC spoofing is to trust your users.
Hope this helps,
Terry
