Full Disclosure mailing list archives
RE: how to bypass rogue machine detection techniques
From: <amrnems () hushmail com>
Date: Tue, 12 Jul 2005 05:45:07 -0700
Great physical access is a must when dealing with rogue devices on a physical network. But using 802.1x, and disabling the unused ports would probably be your best answer.

If you just implement 802.1x or, as you first mentioned, some kind of port scanning, then you would never be able to detect a person with a receive-only cable connected to your switch.

AmRnEmS

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Gaurav Kumar
Sent: Monday, July 11, 2005 4:59 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] how to bypass rouge machine detection techniques

Friends,

There are several techniques available for detecting rogue (not being a member of a trusted domain) machines, such as active scanning, Active Directory querying etc., but I guess the most powerful is the one used by ePolicy Orchestrator. Its agents (deployed on each subnet) check for L2 broadcasts such as ARP broadcasts. After detecting a broadcast, it uses the MAC address and IP address to proceed further to detect whether the machine is rogue or not.

http://www.networkassociates.com/us/local_content/white_papers/wp_epo3_5_rsdwhitepaper_july2004.pdf

I was wondering if this approach is foolproof and can be safely deployed or if there is a way to bypass it?

Regards,
Gaurav

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
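The passive approach described in the quoted question, as an added sketch that is not part of either message and is not ePolicy Orchestrator's code: a sensor parses ARP frames seen on its subnet and checks each sender MAC/IP against an inventory of managed hosts. The inventory, addresses, frames and verdict labels are constructed assumptions; a host that never transmits yields no frame and so never appears in the result, which is the gap the reply points out.

```python
import struct

# Constructed inventory (assumption): MAC of each managed host -> expected IP.
MANAGED = {"00:11:22:33:44:55": "10.0.0.10", "00:11:22:33:44:66": "10.0.0.11"}

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    # 14-byte Ethernet header + 28-byte ARP body; EtherType 0x0806 is ARP.
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])     # sender hardware addr
    ip = ".".join(str(b) for b in frame[28:32])          # sender protocol addr
    return mac, ip

def classify(frames, managed=MANAGED):
    """Map each observed sender MAC to (verdict, IP seen)."""
    seen = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        if mac not in managed:
            seen[mac] = ("rogue", ip)
        elif ip not in (managed[mac], "0.0.0.0"):   # 0.0.0.0 = ARP probe
            seen[mac] = ("ip-mismatch", ip)
        else:
            seen.setdefault(mac, ("managed", ip))
    return seen

def arp_request(src_mac, src_ip, target_ip):
    """Build a constructed who-has broadcast frame for the sample input."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    return (b"\xff" * 6 + mac + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + mac + ip(src_ip) + b"\x00" * 6 + ip(target_ip))

# Constructed sample capture: one managed host, one unknown host, one non-ARP frame.
_unknown = arp_request("de:ad:be:ef:00:01", "10.0.0.99", "10.0.0.1")
SAMPLE = [
    arp_request("00:11:22:33:44:55", "10.0.0.10", "10.0.0.1"),
    _unknown,
    _unknown[:12] + b"\x08\x00" + _unknown[14:],   # IPv4 EtherType, ignored
]
print(classify(SAMPLE))
```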
Current thread:
- RE: how to bypass rogue machine detection techniques amrnems (Jul 12)
- <Possible follow-ups>
- RE: how to bypass rogue machine detection techniques Marek Isalski (Jul 13)
