Detecting Rogue machines on client subnets

May 6th, 2004

Comments: 0
Category: Vulnerability Management

Detecting Rogue machines on client subnets

A little while back, I was giving some thought as to how to mitigate the risk of rogue DHCP servers on internal networks.
The risk, briefly, is that if someone can get their rogue DHCP server to hand out an address faster than the real one, then they can control things like the default gateway and DNS server of client PC’s. Once they’ve set that up they can sniff any and all traffic that goes by and also modify traffic if required.
One of the standard technological controls for stopping people putting rogue devices on a network, static MAC address assignments on the switch ports, isn’t likely to be effective here as it would be very onerous to maintain that on client subnets… Likewise other ones like an IDS system aren’t likely to be deployed in what is perceived generally as “low risk” segments of the network…
So, an idea which might work (and it may already exist, I’d be interested to hear if it does) would be to have something like NMAP scanning round the subnets on a regular basis looking for new services coming online… all that would be needed is an interface for admins to define what to look for (eg, there should be only ports 137-139 and 445 on this subnet) and an alerting system… Would also help for detecting unauthorised web servers and the like in large corps…

Add a comment

Your email address will not be shared or published. Required fields are marked *