>
>What if you tracked changes in your router's ARP cache to identify new
>devices added to your network and actively checked each one with cpm or
>promisc?
>
What if it's an NT box? What if it's a DOS box? What if it's running
OS/2?
What if it has the transmit pairs cut?
Way, way too many ways around it. Physical inspection is the only completely
100% way.
It's also fairly easy to change the hardware address of a NIC to anything
you want it to be (this is required for protocols like DECnet). You can
pretend to be any machine. If a machine drops off the net for a second
and then comes back, are you likely to think it's a hacker that has
assumed the identity of some PC? Of course not, but it is possible.
It all depends on how much time you want to spend fighting this sort of thing.
The best defense is switched or secure hubs so that promiscuous mode
doesn't buy the person much. They can only see traffic destined for that
port. If you go further and use link-level encryption, even if they can
see traffic, they won't be able to understand it.
cpm/promisc might be enough to inhibit script-kiddies on a homogeneous Unix network
of some sort. Personally, I'd rather spend a few more dollars for a better
hub.
--
____________________________________________________________________________
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug @ eng . auburn . edu
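
Added example, not part of the original message: a sketch of the ARP-cache tracking the quoted question proposes, diffing two snapshots for new hardware addresses and for IPs that changed hardware address. The `arp -an`-style line format, the function names and the sample entries (documentation address ranges) are assumptions constructed for illustration.

```python
import re

# Assumed line shape, as printed by `arp -an` on many Unix systems:
#   ? (192.0.2.10) at 00:00:5e:00:53:0a [ether] on eth0
ENTRY = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"([0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})"
)

def parse_arp(text):
    """Return {ip: mac} for one snapshot; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            # Normalise "0:0:5e:0:53:20" and "00:00:5E:..." to one form.
            mac = ":".join(f"{int(b, 16):02x}" for b in m.group(2).split(":"))
            table[m.group(1)] = mac
    return table

def diff_snapshots(old, new):
    """Compare two {ip: mac} snapshots and return sorted findings."""
    findings = []
    known_macs = set(old.values())
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            findings.append(("ip-rebound", ip, mac))  # same IP, other NIC
        elif mac not in known_macs:
            findings.append(("new-mac", ip, mac))     # address never seen
        elif ip not in old:
            findings.append(("mac-moved", ip, mac))   # known NIC, new IP
    return sorted(findings)

# Constructed sample snapshots (not real captures).
BEFORE = """\
? (192.0.2.10) at 00:00:5e:00:53:0a [ether] on eth0
? (192.0.2.11) at 00:00:5e:00:53:0b [ether] on eth0
? (192.0.2.12) at 00:00:5e:00:53:0c [ether] on eth0
"""
AFTER = """\
? (192.0.2.10) at 00:00:5e:00:53:0a [ether] on eth0
? (192.0.2.11) at 00:00:5e:00:53:ff [ether] on eth0
? (192.0.2.20) at 0:0:5e:0:53:20 [ether] on eth0
? (192.0.2.21) at <incomplete> on eth0
"""

if __name__ == "__main__":
    for finding in diff_snapshots(parse_arp(BEFORE), parse_arp(AFTER)):
        print(*finding)
```

A machine that returns with the same IP and the same hardware address produces an identical entry and therefore no finding, which is the limit the reply describes.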