Rogue LAN device: I'm stumped - TechRepublic
Question
October 2, 2009 at 11:27 AM
robo_dev

Rogue LAN device: I’m stumped

by robo_dev . Updated 16 years, 9 months ago

This is a medium sized LAN, about 1,500 nodes on ten floors of a building, all Cisco gear. Network is mostly flat, except for a handful of VLANs.

Cisco port security is enabled on each port. Only the assigned mac address can connect to a switch port, except that conference rooms get assigned a list of mac addresses. Only company PCs are allowed on the lan, no exceptions.

Regular sweeps are performed to ensure that there is no WLAN here and the Disknet LAN security tool disables WLAN and bluetooth interfaces on all laptops (as well as USB jump drives, CD-ROMs, DVDs, floppys, ipods, etc).

With Cisco port security, a WLAN AP or router would not work, since the port would get disabled when the rogue AP or router was plugged into the network, since the mac address would be wrong.

When running a Wireshark trace from a switched port on the main VLAN, I noticed three workstations that appear to be Sony laptops (by their OUID) that I could see are sending TCP packets and doing Netbios queries from an IP address that is not part of the network, and a mac address which is also not on the ACL for any of the switches.

The ip address range for the main network is 135.x.x.x, vlans are 10.x and 192.x.

This rogue device is a 12.x.x.x address. (IP space registered to AT&T). I tried setting my workstation to a 12.x address, tried nmapping the rogue device, but no joy. I can see some netbios info, but the workgroup name is ‘workgroup’ and the netbios name that is being queried is something I never heard of “COANT4.VICP.NET” (this is a NetBios name, query, not DNS).

At this point I’m stumped. My guesses are:

a) a rogue laptop, like a contractor, is somehow plugged into a port that somehow has security turned off. Note that firewall rules would not give this device internet access, since that is granted explicitly from firewall rules.

b) Several misconfigured laptops are somehow bridging it’s WLAN or Cellular-modem to the ethernet interface.

c) same as above, but one misconfigured laptop, bridging it’s wlan interface to the ethernet interface, and the multiple rogue IP addresses are WLAN clients on a remote wireless LAN.

Next stop is to walk the building to look for Sony laptops.

This discussion is locked

All Comments