Last Updated: 2012-09-07 14:24:46 UTC
by Chris Mohan (Version: 1)
A plethora of technologies, bespoke systems and acronyms offer management protection against unauthorised devices being connected to networks, but money, time, effort and management backing are needed to make this a reality. Imagine company X's policy is that only authorized, company-approved computers can be connected, and all violations have to be logged and reported or the auditors will be very unhappy. And no-one likes to see sad auditors. But there's no budget. So what's a poor security admin to do? Well, here's a suggestion.
Dynamic Host Configuration Protocol (DHCP) is ubiquitous on most networks, making connectivity to the network only an Ethernet cable away*. For those with an eye on security, DHCP logs are a gold mine.
When a system obtains a DHCP lease, the IP address assigned to it, the lease expiry time, the system's hostname and its Media Access Control address (MAC address) are stored in the DHCP database. So let's look at a couple of ways to turn these pieces of data into security gold; remember, our goal is to detect and alert on non-company-approved systems being plugged into the network.
The first step is to get access to a copy of the DHCP logs (or direct access to the DHCP database), so the data can be parsed and sorted into a format that can be dropped into a script to automate the detection process. Most company networks are hopefully built using decent naming conventions and using only a couple of vendors' computing hardware. This means that, with some simple scripting, detecting anomalies against the company standards should be a breeze. To clarify this:
Companies tend to have a naming standard for their machines to make inventories, auditing and identification manageable. Some example machine names: a00001, XYZ1234 and so on. Hostnames such as JamesMegaLappy, SkyRocket and haz0r don't fit that naming standard, and a basic regular expression check against the naming standard will pick this up instantly.
The IEEE assigns an Organizationally Unique Identifier (OUI) to each company manufacturing Ethernet devices. The company must use its own OUI for the first three bytes of the MAC addresses of the equipment it produces. For example, the OUI of MAC address 00:06:5B:32:12:A0 is 00065B. For this example, company X uses two brands of computer hardware, with OUIs 00065B and 0001E6. A scripted task can run through the DHCP logs and pick out any MAC addresses that don't start with these OUIs. A script running hourly against the
A script that reads the DHCP logs, detects either a non-standard hostname or OUI and sends an email alert is quick and easy to implement, and an effective detection method for finding those non-company-approved systems. Using the expiry time entry to confirm when the device got its IP address gives a time frame for when someone added a device to the network, so local staff looking for the unauthorized system have a starting point to ask questions.
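As an added example (not code from the diary or from the ISC), here is the detection script described above in Python. It assumes a CSV export of the lease table in the form ip,hostname,mac,expiry (the sample rows are constructed, not real lease data), a hypothetical naming standard of "a" plus five digits or three upper-case letters plus four digits, and the two approved OUIs 00065B and 0001E6 quoted above. It normalises MAC addresses so that colon-, dash- and dot-separated formats from different DHCP servers all compare correctly, and builds the alert body with the lease expiry time so staff know roughly when the device appeared.

```python
import re
from collections import namedtuple

# Hypothetical naming standard for "company X" (an assumption for this example):
# "a" followed by five digits, or three capital letters followed by four digits.
HOSTNAME_PATTERN = re.compile(r"^(?:a\d{5}|[A-Z]{3}\d{4})$")

# OUIs of the two approved hardware vendors quoted in the diary.
APPROVED_OUIS = {"00065B", "0001E6"}

Lease = namedtuple("Lease", "ip hostname mac expiry")

# Constructed sample export (not real DHCP data): ip,hostname,mac,lease expiry.
SAMPLE_LEASES = """\
ip,hostname,mac,expiry
10.1.1.20,a00001,00:06:5B:32:12:A0,2012-09-08 09:15:00
10.1.1.21,XYZ1234,00-01-E6-4C-00-11,2012-09-08 10:02:00
10.1.1.22,JamesMegaLappy,00:06:5B:AA:BB:CC,2012-09-07 13:40:00
10.1.1.23,a00002,F0:DE:F1:01:02:03,2012-09-07 14:01:00
10.1.1.24,haz0r,DE:AD:BE:EF:00:01,2012-09-07 14:10:00
"""


def normalise_mac(mac):
    """Return the MAC as 12 upper-case hex digits, accepting : - . separators."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError("malformed MAC address: %r" % mac)
    return hexdigits


def oui_of(mac):
    """The OUI is the first three bytes (six hex digits) of the MAC address."""
    return normalise_mac(mac)[:6]


def parse_leases(text):
    """Parse the CSV export into Lease records, skipping the header and bad rows."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("ip,"):
            continue
        fields = line.split(",")
        if len(fields) != 4:
            continue  # skip a malformed row rather than abort the whole run
        leases.append(Lease(*fields))
    return leases


def check_lease(lease):
    """Return the list of policy violations for one lease (empty if it is clean)."""
    reasons = []
    if not HOSTNAME_PATTERN.match(lease.hostname):
        reasons.append("hostname %r does not match the naming standard" % lease.hostname)
    oui = oui_of(lease.mac)
    if oui not in APPROVED_OUIS:
        reasons.append("OUI %s is not an approved hardware vendor" % oui)
    return reasons


def find_violations(text):
    """Return [(lease, reasons), ...] for every lease that breaks policy."""
    violations = []
    for lease in parse_leases(text):
        reasons = check_lease(lease)
        if reasons:
            violations.append((lease, reasons))
    return violations


def format_alert(violations):
    """Build the e-mail body; the caller hands it to smtplib or sendmail."""
    if not violations:
        return "No policy violations found in DHCP leases."
    lines = ["%d unauthorised device(s) detected in DHCP leases:" % len(violations)]
    for lease, reasons in violations:
        lines.append("- %s (%s, MAC %s, lease expires %s)"
                     % (lease.ip, lease.hostname, lease.mac, lease.expiry))
        for reason in reasons:
            lines.append("    * " + reason)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert(find_violations(SAMPLE_LEASES)))
```

Run hourly from cron or Task Scheduler against a fresh export, the script flags three of the five sample leases: JamesMegaLappy (bad hostname), a00002 (unknown OUI) and haz0r (both). Normalising the MAC before the prefix check matters because a hand-typed OUI list in one format silently misses every address logged in another.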
This isn't foolproof, as it is trivial to change both the hostname and MAC address to blend in, but it's highly effective against the majority of devices plugged into networks by those who don't understand the company's policies or those acting maliciously.
For those who like to take the offensive defence approach on their networks against policy violations, the offending MAC address can be added as a DHCP reservation with DHCP scope options that point the default gateway and DNS server to, say, 127.0.0.1. This limits what the offending device can connect to the next time it renews its DHCP lease or requests a new IP address.
* DHCP leases can be offered wirelessly as well, but that would have broken my flow.
Chris Mohan --- Internet Storm Center Handler on Duty