On 2 Mar 2006 23:47:59 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Is there a way to set up a scan and be notified of an
> intruding PC that is physically plugged into the network?
> When you have an environment with a large amount of network
> jacks, it's hard to make sure the ones no longer in use are turned
> off, and that no "visitors" have sat down to use your network
> connections, esp. if you have a large amount of contractors in and
> out. It got me to searching the net, and so far I have found one
> commercial product that can do it, but nothing else. Any suggestions?
Just one suggestion: write a script that visits all of your switches/routers and gets their tables of pairs of ports and MAC addresses, then dump them into a database. Schedule it to do this periodically, say every 5-10 minutes. Kind of a roll-your-own distributed arpwatch, but it's what I'm doing by hand for our 6 48-port Cisco switches.

Unfortunately, I don't have the scripting knowledge (Expect? Perl? Something else? SNMP, telnet or maybe some other query method?) to do this, though I know people have done it. And, of course, the obligatory plea to share if you have such a script.

Kurt
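The poll-and-diff loop Kurt describes, written out as an added example; this is not Kurt's script and nothing like it was posted to the list. It uses Python and net-snmp's `snmpwalk` rather than Expect or Perl, reads the BRIDGE-MIB forwarding table (dot1dTpFdbPort, which maps each learned MAC to a bridge port), keeps one row per (switch, MAC) in SQLite, and reports MACs that are new or have moved to a different port. The switch name "sw1", the community string, the `ignore_ports` set and the two sample walks are constructed for the demo; the `poll_switches()` function is the part you would run from cron against real switches.

```python
"""Minimal roll-your-own distributed arpwatch (added example, not from the
thread): poll each switch's BRIDGE-MIB forwarding table over SNMP, store
(switch, mac, port) in SQLite, and report new or moved MACs on each run."""
import sqlite3
import subprocess
import time

# BRIDGE-MIB (RFC 4188) dot1dTpFdbPort: index is the MAC as six sub-identifiers,
# value is the bridge port that learned it.  Numeric so no MIB files are needed.
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"


def snmpwalk(host, community, oid):
    """Walk one OID with net-snmp's snmpwalk and return its raw output lines.
    -On prints numeric OIDs so parse_walk() can split off the table index."""
    proc = subprocess.run(["snmpwalk", "-v2c", "-On", "-c", community, host, oid],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def parse_walk(lines, oid):
    """Turn '.<oid>.<index> = TYPE: value' lines into {index: value}."""
    prefix = "." + oid + "."
    rows = {}
    for line in lines:
        name, sep, rhs = line.partition(" = ")
        if sep and name.startswith(prefix):
            rows[name[len(prefix):]] = rhs.split(": ", 1)[-1].strip()
    return rows


def parse_fdb(lines):
    """dot1dTpFdbPort walk -> {mac: bridge_port}."""
    fdb = {}
    for index, port in parse_walk(lines, DOT1D_TP_FDB_PORT).items():
        mac = ":".join("%02x" % int(octet) for octet in index.split("."))
        fdb[mac] = int(port)
    return fdb


def record_and_diff(db, switch, fdb, now, ignore_ports=()):
    """Store this poll; return ('new', switch, mac, port) and
    ('moved', switch, mac, old_port, new_port) events.  ignore_ports holds
    uplink/trunk ports, which learn every MAC behind the neighbouring switch
    and would otherwise drown the report in other people's hosts."""
    db.execute("""CREATE TABLE IF NOT EXISTS seen (
                    switch TEXT, mac TEXT, port INTEGER,
                    first_seen INTEGER, last_seen INTEGER,
                    PRIMARY KEY (switch, mac))""")
    events = []
    for mac, port in fdb.items():
        if port in ignore_ports:
            continue
        row = db.execute("SELECT port FROM seen WHERE switch=? AND mac=?",
                         (switch, mac)).fetchone()
        if row is None:
            events.append(("new", switch, mac, port))
            db.execute("INSERT INTO seen VALUES (?,?,?,?,?)",
                       (switch, mac, port, now, now))
        elif row[0] != port:
            events.append(("moved", switch, mac, row[0], port))
            db.execute("UPDATE seen SET port=?, last_seen=? WHERE switch=? AND mac=?",
                       (port, now, switch, mac))
        else:
            db.execute("UPDATE seen SET last_seen=? WHERE switch=? AND mac=?",
                       (now, switch, mac))
    db.commit()
    return events


# Constructed sample walks (not real switch output): two polls of one switch,
# with port 24 as the uplink.
POLL_1 = [
    ".1.3.6.1.2.1.17.4.3.1.2.0.12.41.5.6.7 = INTEGER: 3",      # workstation, port 3
    ".1.3.6.1.2.1.17.4.3.1.2.0.80.86.1.2.3 = INTEGER: 24",     # learned via uplink
]
POLL_2 = [
    ".1.3.6.1.2.1.17.4.3.1.2.0.12.41.5.6.7 = INTEGER: 5",      # same MAC, new jack
    ".1.3.6.1.2.1.17.4.3.1.2.0.80.86.1.2.3 = INTEGER: 24",
    ".1.3.6.1.2.1.17.4.3.1.2.0.30.200.10.11.12 = INTEGER: 9",  # never-seen MAC
]


def demo():
    """Run the two constructed polls through an in-memory DB; return events."""
    db = sqlite3.connect(":memory:")
    first = record_and_diff(db, "sw1", parse_fdb(POLL_1), 1000, ignore_ports={24})
    second = record_and_diff(db, "sw1", parse_fdb(POLL_2), 1600, ignore_ports={24})
    return first, second


def poll_switches(switches, db_path="macwatch.db"):
    """Cron entry point.  switches = {host: (community, ignore_ports)}."""
    db = sqlite3.connect(db_path)
    for host, (community, ignore) in switches.items():
        fdb = parse_fdb(snmpwalk(host, community, DOT1D_TP_FDB_PORT))
        for event in record_and_diff(db, host, fdb, int(time.time()), ignore):
            print(*event)


if __name__ == "__main__":
    first, second = demo()
    for event in first + second:
        print(*event)
```

Two things to know before pointing this at real switches. Bridge port numbers are not interface indexes; walk dot1dBasePortIfIndex (1.3.6.1.2.1.17.1.4.1.2) and ifName once per switch to turn "port 5" into a jack label. On Cisco IOS the BRIDGE-MIB is per VLAN and is selected with community string indexing (`community@<vlan-id>`), so loop over the VLANs you care about; and since SNMPv2c sends that community in clear text, prefer SNMPv3 and a read-only view. The report is also only as good as the baseline: a visitor who clones a known MAC is invisible to it, which is why 802.1X or port-security is the control and this is the detective check.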
