The problem with shutting down the port is that the user is likely to
move to another port, and then you have to wait for his machine to
start doing Bad Things again, and then shut him down yet again (same
concept with source-based remotely-triggered blackhole, or SRTBH),
and then when someone else plugs into the shutdown port(s), there's a
trouble-ticket generated.
It's certainly better than doing nothing at all, mind - but it's a
whack-a-mole type of deal.
On Feb 24, 2006, at 5:44 AM, Cojocea, Mike (IST) wrote:
then queries your DHCP server(s) for active leases with MAC addresses,
compares the MAC address to the switch's MAC table, then queries your
database/spreadsheet for jack number to switch port assignments and
updates the user object via an LDAP modify command.
Have a look at Netdisco (netdisco.org). It does an SNMP walk and dumps
the switch ARP/IP tables into a database which you can query using
CGI+Apache. I used it in a 10K host network and it helped me a lot.
Using Netdisco you can track down a MAC to a port and shut down the
port in a couple of seconds.
Thanks,
Mike
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
----------------------------------------------------------------------
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice
Everything has been said. But nobody listens.
-- Roger Shattuck
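Added example (not code from either poster, and not Netdisco's own code): the correlation Mike describes, DHCP lease -> MAC -> switch forwarding table -> port -> jack number, as a stand-alone Python script, plus the "user moved to another port" check Roland raises. All inputs are constructed here: an ISC dhcpd.leases-style excerpt, two snmpwalk-style dumps of BRIDGE-MIB dot1dTpFdbPort taken before and after a port shutdown, a bridge-port-to-ifName map, and a CSV export of the jack spreadsheet. The switch name sw-lab-1, the MACs, hostnames and jack numbers are all made up, and the shutdown lines use Cisco IOS syntax as an assumption.

```python
"""Map an offending IP to its switch port and jack:
DHCP lease -> MAC -> BRIDGE-MIB forwarding table -> ifName -> jack number.
Added example with constructed inputs; not Netdisco's code."""
import csv
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in ISC dhcpd.leases format (assumption: ISC dhcpd).
DHCPD_LEASES = """\
lease 10.20.30.41 {
  starts 5 2006/02/24 09:10:00;
  ends 5 2006/02/24 21:10:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "lab-pc-07";
}
lease 10.20.30.42 {
  starts 5 2006/02/23 09:10:00;
  ends 5 2006/02/23 21:10:00;
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
"""

# Constructed snmpwalk-style output of BRIDGE-MIB dot1dTpFdbPort: the MAC is the
# OID index (six decimal octets), the value is the bridge port number.
FDB_WALK_BEFORE = """\
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.85 = INTEGER: 7
BRIDGE-MIB::dot1dTpFdbPort.0.170.187.204.221.238 = INTEGER: 12
"""
# Same walk after bridge port 7 was shut: the host has plugged in elsewhere.
FDB_WALK_AFTER = """\
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.85 = INTEGER: 9
BRIDGE-MIB::dot1dTpFdbPort.0.170.187.204.221.238 = INTEGER: 12
"""
# Bridge port -> ifName (in practice from dot1dBasePortIfIndex + ifName); constructed.
IFNAME_BY_BRIDGE_PORT = {7: "FastEthernet0/7", 9: "FastEthernet0/9", 12: "FastEthernet0/12"}

# Constructed CSV export of the jack-to-port spreadsheet.
JACK_MAP_CSV = """\
jack,switch,port
B-214,sw-lab-1,FastEthernet0/7
B-216,sw-lab-1,FastEthernet0/9
B-215,sw-lab-1,FastEthernet0/12
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
FDB_RE = re.compile(r"dot1dTpFdbPort\.((?:\d+\.){5}\d+)\s*=\s*INTEGER:\s*(\d+)")


def parse_leases(text):
    """Return {ip: (mac, hostname)} for IPs whose last lease entry is 'active'.
    dhcpd appends entries, so a later 'free' entry releases the IP."""
    active = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state (\w+);", body)
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        if state and state.group(1) == "active" and mac:
            active[ip] = (mac.group(1).lower(), host.group(1) if host else None)
        else:
            active.pop(ip, None)
    return active


def oid_suffix_to_mac(suffix):
    """'0.17.34.51.68.85' -> '00:11:22:33:44:55'."""
    return ":".join(f"{int(o):02x}" for o in suffix.split("."))


def parse_fdb(text):
    """Return {mac: bridge_port} from a dot1dTpFdbPort walk."""
    return {oid_suffix_to_mac(s): int(p) for s, p in FDB_RE.findall(text)}


def parse_jack_map(text):
    """Return {(switch, port): jack} from the spreadsheet CSV."""
    return {(r["switch"], r["port"]): r["jack"] for r in csv.DictReader(text.splitlines())}


@dataclass
class Location:
    ip: str
    mac: str
    hostname: Optional[str]
    switch: str
    ifname: Optional[str]
    jack: Optional[str]


def locate(ip, leases, fdb, ifnames, jacks, switch="sw-lab-1"):
    """Resolve ip -> mac -> bridge port -> ifName -> jack. None when there is no
    active lease or the MAC is not currently learned on this switch."""
    if ip not in leases:
        return None
    mac, hostname = leases[ip]
    bridge_port = fdb.get(mac)
    if bridge_port is None:
        return None
    ifname = ifnames.get(bridge_port)
    return Location(ip, mac, hostname, switch, ifname, jacks.get((switch, ifname)))


def moved_to(mac, fdb_before, fdb_after):
    """New bridge port if the MAC reappeared on a different port after the
    shutdown (the whack-a-mole case), else None."""
    old, new = fdb_before.get(mac), fdb_after.get(mac)
    return new if new is not None and new != old else None


def ios_shutdown_lines(loc):
    """Config lines to disable the port (Cisco IOS syntax assumed)."""
    return ["configure terminal", f"interface {loc.ifname}",
            f" description SHUT {loc.ip} {loc.mac} jack {loc.jack}", " shutdown", "end"]


if __name__ == "__main__":
    leases, jacks = parse_leases(DHCPD_LEASES), parse_jack_map(JACK_MAP_CSV)
    loc = locate("10.20.30.41", leases, parse_fdb(FDB_WALK_BEFORE), IFNAME_BY_BRIDGE_PORT, jacks)
    print(loc)
    print("\n".join(ios_shutdown_lines(loc)))
    again = moved_to(loc.mac, parse_fdb(FDB_WALK_BEFORE), parse_fdb(FDB_WALK_AFTER))
    print("MAC now on bridge port", again, "->", IFNAME_BY_BRIDGE_PORT.get(again))
```

The before/after walk is the point Roland makes: shutting the port finds the host at jack B-214, and the next walk finds the same MAC on bridge port 9 (jack B-216), so the lookup has to be re-run rather than done once. Real deployments should key the forwarding table by VLAN (dot1qTpFdbPort, or community@vlan indexing on some platforms) and ignore uplink ports, neither of which this constructed data models.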