Could 802.1X be an alternative? Probably hard to deploy (switches and wireless APs with the feature, and some OS challenges), but it may be a solution.
-tlecu

On 09/03/06, Ron Gula <[EMAIL PROTECTED]> wrote:
> At 05:15 AM 3/6/2006, Mircea MITU wrote:
> >On Thu, 2006-03-02 at 23:47 +0000, [EMAIL PROTECTED] wrote:
> > > Is there a way to set up a scan and be notified of an intruding pc that
> > > is physically plugged into the network?
> >
> >Sure, use arpwatch.
>
> Actually, this will find "new" hosts all the time with little
> discrimination between a new valid laptop on the LAN and a
> visiting consultant in the conference room.
>
> A lot of SIMs have the ability to process log files (such as
> those of arpwatch or the dhcp logs of a Windows server) and
> identify the MAC address. If you can recognize a "new" MAC
> address and also associate it with something interesting like
> "the conference room" or "the server farm" you can specify
> different levels of alerting or logging. An example of this
> is here in one of Tenable's TASL event correlation rules:
>
> http://cgi.tenablesecurity.com/tasl/new_mac.tasl
>
> The particular script is simple in that it just alerts on
> a new MAC addr. Different scripts could consume output of
> this script and have 2nd order alerts depending on the
> location of the IP address issued, the type of MAC, etc.
>
> Ron Gula, CTO
> Tenable Network Security
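The correlation described in the quoted message (a new MAC address, tied to a location, deciding the alert level) can be sketched as follows. This is an added example, not code from the thread and not Tenable's TASL rule. The subnet-to-location map, the alert levels, the known-MAC inventory and the log lines are all constructed assumptions.

```python
import ipaddress
import re

# Assumed site data (hypothetical): subnet -> location and alert level.
ZONES = [
    (ipaddress.ip_network("10.0.10.0/24"), "server farm", "critical"),
    (ipaddress.ip_network("10.0.20.0/24"), "conference room", "info"),
]

# Assumed inventory of MAC addresses already approved on the LAN.
KNOWN_MACS = {"00:0c:29:aa:bb:01"}

# arpwatch reports first-seen hosts as "new station <ip> <mac>" and may drop
# leading zeros in each octet, so MACs are normalised before comparison.
NEW_STATION = re.compile(
    r"arpwatch.*?: new station (\d+\.\d+\.\d+\.\d+) ([0-9A-Fa-f:]+)")

# Constructed sample syslog lines, not taken from a real network.
SAMPLE_LOG = """\
Mar  9 10:01:12 mon arpwatch: new station 10.0.20.57 0:16:cb:1:2:3
Mar  9 10:02:40 mon arpwatch: new station 10.0.10.9 0:c:29:aa:bb:1
Mar  9 10:03:05 mon arpwatch: new station 10.0.10.44 0:e0:4c:9:8:7
Mar  9 10:03:30 mon arpwatch: flip flop 10.0.20.57 0:16:cb:1:2:3 (0:16:cb:1:2:4)
Mar  9 10:04:11 mon arpwatch: new station 192.168.7.2 0:50:56:0:0:1
"""

def normalise_mac(mac):
    """Lower-case the MAC and zero-pad every octet to two hex digits."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def locate(ip):
    """Map an IP address to (location, alert level) using ZONES."""
    addr = ipaddress.ip_address(ip)
    for net, place, level in ZONES:
        if addr in net:
            return place, level
    return "unknown location", "warning"

def alerts(log_text, known=KNOWN_MACS):
    """Return (level, mac, ip, location) once per MAC not seen before."""
    seen, out = set(known), []
    for m in NEW_STATION.finditer(log_text):
        ip, mac = m.group(1), normalise_mac(m.group(2))
        if mac in seen:
            continue
        seen.add(mac)
        out.append((locate(ip)[1], mac, ip, locate(ip)[0]))
    return out

if __name__ == "__main__":
    for level, mac, ip, place in alerts(SAMPLE_LOG):
        print(f"[{level}] new MAC {mac} at {ip} ({place})")
```

The approved laptop and the "flip flop" line produce no alert; the same unknown-MAC event is logged at a different level depending on where the address was issued.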
