We maintain a MySQL database of the MAC addresses of stolen devices. We use
this to generate a DNS config file and use it like a DNS RBL. We use ISC's
dhcpd and send the logs to a central log server (syslog-ng). We use SEC to
monitor syslog entries in real time. One of the rules in SEC gets the MAC
address of every dhcpd query and does a DNS query. If it is successful,
notification is sent to our security officer as well as me. We then use WCS to
find the exact location. We have recovered quite a few notebooks this way.

The problem is that most stolen devices are taken off campus and sold on eBay or
other online sites. What I would love to see is a central MySQL database
containing the MAC addresses of stolen notebooks from lots of schools. All
participating schools could then scan for all the stolen notebooks, not just
their own. I think this would lead to a much higher recovery rate for all of
us. There are probably legal issues with this concept, but it has potential.
On Wed, 9 Dec 2009, Lee H Badman wrote:
Date: Wed, 09 Dec 2009 17:49:55 -0500
From: Lee H Badman <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
<[email protected]>
To: [email protected]
Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Hi Todd-
I'd be curious to see what you have come up with- thanks.
-Lee
________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[[email protected]] On Behalf Of Todd M. Hall
[[email protected]]
Sent: Wednesday, December 09, 2009 5:44 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking?
We are using some homegrown scripts that notify by sending text messages or
emails whenever a device shows up on the network. All open source and
notifications are usually within seconds of the device showing up. We get
the location information from Cisco WCS. This is also scalable to include
multiple campuses/schools. If anyone wants details of how we are doing this,
just let me know.
On Tue, 8 Dec 2009, Lee H Badman wrote:
Date: Tue, 08 Dec 2009 11:58:25 -0500
From: Lee H Badman <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
<[email protected]>
To: [email protected]
Subject: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Unfortunately, we experience the occasional theft of University-owned or personal
laptops. Using Cisco WCS, we can certainly find the last place a device was, if the
wireless adapter was on, before it egressed campus. What is missing is a mechanism to
"flag" a MAC address to alert on a client device if it pops back up on the
network so there may be an opportunity to react.
Has anyone else faced and conquered alerting on specific clients (for whatever
reason)?
Thanks-
Lee
Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.
--
Todd M. Hall
Sr. Network Analyst
Information Technology Services
Mississippi State University
[email protected]
662-325-9311 (phone)
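
The pipeline described in the first message of this thread (dhcpd log line, MAC extraction, DNS lookup against an RBL-style zone, alert), as an added Python example that is not the posters' own scripts. The zone name `stolen.example.edu`, the hex-label naming scheme and the sample log lines are assumptions constructed for illustration.

```python
import re
import socket

# Assumed zone name; the thread does not say how the RBL-style zone is named.
ZONE = "stolen.example.edu"

# ISC dhcpd logs the client hardware address after "from" or "to".
MAC_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: DHCP\w+ .*?\b(?:from|to) "
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def mac_to_qname(mac, zone=ZONE):
    """Normalise a MAC to one lowercase hex label under the lookup zone."""
    return re.sub(r"[^0-9a-f]", "", mac.lower()) + "." + zone

def dns_listed(qname):
    """RBL-style check: the name resolving at all means the MAC is listed."""
    try:
        socket.gethostbyname(qname)
        return True
    except OSError:  # NXDOMAIN or resolver failure: treated as not listed
        return False

def scan(lines, listed=dns_listed):
    """Yield (mac, log_line) once per listed MAC seen in dhcpd log lines."""
    verdict = {}  # one lookup per MAC; a single lease logs several lines
    for line in lines:
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = m.group(1).lower()
        if mac not in verdict:
            verdict[mac] = listed(mac_to_qname(mac))
            if verdict[mac]:
                yield mac, line.rstrip()

# Constructed sample input: syslog lines in ISC dhcpd's message format.
SAMPLE_LOG = """\
Dec  9 17:40:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 10.20.0.1
Dec  9 17:40:02 dhcp1 dhcpd: DHCPREQUEST for 10.20.3.7 (10.0.0.5) from 00:11:22:33:44:55 via 10.20.0.1
Dec  9 17:40:05 dhcp1 dhcpd: DHCPACK on 10.20.9.9 to 66:77:88:99:AA:BB (laptop7) via 10.20.0.1
Dec  9 17:40:06 dhcp1 dhcpd: DHCPINFORM from 10.20.4.4 via eth0
""".splitlines()
SAMPLE_ZONE = {"001122334455." + ZONE}  # constructed stand-in for the DNS zone

def demo():
    """Run the scan offline, using the constructed zone instead of real DNS."""
    return list(scan(SAMPLE_LOG, listed=lambda qname: qname in SAMPLE_ZONE))
```

With the default `dns_listed`, a resolver outage looks the same as "not listed", so alerts are silently suppressed while DNS is down; monitoring the lookup path itself covers that gap.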