Wireless Networking

Submission: SysAdmin 9

MyLongNickName writes: Dear Slashdot Community, I am an IT administrator for a major city on the West Coast. For security reasons I cannot name the city. However, I find that I have a rogue device on our network. I cannot find any information in my MCSE bootcamp journal on how to handle this. If you were in my position, what would you do to find the physical location of such a rogue device, and how can I disable it? Thank You, Anonymous.


  • I hear there's a lot of talent in the Bay Area... I used to live there...
    • by deniable (76198)

      I know of one guy out there who's between jobs right now. He comes highly recommended. Terry something.

  • Kill switches to see which way to go, repeat til you find it :)

  • Hello, paper MCSE! (Score:3, Insightful)

    by kimvette (919543) on Thursday September 11, 2008 @02:23PM (#24967219) Homepage Journal

    Let me introduce you to logic and troubleshooting.

    You have a large network, right? Break it down into segments, letting all affected offices know there will be disruptions but it's a necessary outage due to security concerns.

    Next, put a port on your switch(es) into promiscuous mode or break down the network further into smaller segments by inserting a passive hub into that segment (between the segment and the switch or bridge) and run Wireshark on it.

    Take note of the offending requests, view the packets and note the MAC address. Look up the MAC address because the beginning part of the MAC address indicates the manufacturer of the networking device, which can help pinpoint it. Note: sophisticated breaches often spoof MAC addresses.

    If you cannot identify the device by the MAC address or if you suspect the MAC address is being spoofed, it's a process of elimination. It's going to be a manual process: break down the network into smaller and smaller segments until you identify the device. In your case, there may be leased lines (dark fiber, alarm loops, ISDN etc.) so you may need to get ISPs involved to shut down connections to isolate it. Once you identify that the breach is sequestered you have a general idea of where it is.

    Now ends the serious part of this post, and begins the obligatory snarky rant against Windows ;)

    Oh, and if the rogue device is Windows-based: serves them right for not choosing a more secure OS to run the infrastructure. We at Slashdot recommend Linux, BSD, Mac OS X, or any OS which is not Windows. You would have saved the taxpayers many thousands of dollars in the process, by choosing a less costly OS which at the same time is far more secure and did not create this breach.

    • Oh, and I forgot to mention: once you learn how to diagnose and isolate problems such as this, you're no longer what we refer to as a "paper-MCSE" but well on your way toward becoming a qualified sysadmin/network engineer.

      • Thank you for taking this seriously. I posted this as a joke for this [] article. I posted this [] as a joke response, pointing back to this Ask Slashdot.

        Seeing how seriously you took this obvious joke made me giggle for about 5 minutes. What made it all the more funny was how you are looking down at someone else while simultaneously making yourself look not-too-sharp. Thanks!

    • Whooooooosh!
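An added example, not code from the thread or from any poster, of the "note the MAC address and look up the manufacturer" step in kimvette's procedure: it parses a few constructed Ethernet frames, tallies source MACs, maps the OUI against a constructed (not IEEE) vendor table, and flags the locally-administered bit, which is one hint that an address was set by software rather than burned in by a vendor.

```python
from collections import Counter

# Constructed, illustrative OUI table. A real lookup would consult the IEEE
# OUI registry; these prefixes and vendor names are placeholders.
OUI_TABLE = {
    "00:1A:2B": "Vendor A (constructed)",
    "00:3C:4D": "Vendor B (constructed)",
}

def _frame(src, dst, ethertype=0x0800):
    """Build a minimal constructed Ethernet frame: dst, src, type, padding."""
    return (bytes.fromhex(dst.replace(":", ""))
            + bytes.fromhex(src.replace(":", ""))
            + ethertype.to_bytes(2, "big")
            + b"\x00" * 46)

# Constructed sample capture: two frames from a vendor-assigned MAC,
# one from a locally-administered MAC, and one runt frame to be skipped.
SAMPLE_FRAMES = [
    _frame("00:1A:2B:11:22:33", "FF:FF:FF:FF:FF:FF", 0x0806),  # ARP broadcast
    _frame("00:1A:2B:11:22:33", "00:3C:4D:AA:BB:CC"),          # IPv4 unicast
    _frame("02:DE:AD:BE:EF:01", "FF:FF:FF:FF:FF:FF", 0x0806),  # U/L bit set
    b"\x00" * 10,                                               # runt
]

def parse_frames(raw_frames):
    """Return (src_mac, dst_mac, ethertype) tuples for each well-formed frame."""
    parsed = []
    for f in raw_frames:
        if len(f) < 14:      # shorter than an Ethernet header: skip it
            continue
        dst = ":".join(f"{b:02X}" for b in f[0:6])
        src = ":".join(f"{b:02X}" for b in f[6:12])
        parsed.append((src, dst, int.from_bytes(f[12:14], "big")))
    return parsed

def classify_mac(mac):
    """OUI, vendor guess, and the U/L and I/G bits of the first octet."""
    first_octet = int(mac.split(":")[0], 16)
    oui = mac[:8]
    return {
        "oui": oui,
        "vendor": OUI_TABLE.get(oui, "unknown"),
        "locally_administered": bool(first_octet & 0x02),  # U/L bit
        "multicast": bool(first_octet & 0x01),             # I/G bit
    }

def summarize(raw_frames):
    """Per-source-MAC frame counts with OUI classification attached."""
    counts = Counter(src for src, _, _ in parse_frames(raw_frames))
    report = {}
    for mac, n in counts.items():
        report[mac] = dict(classify_mac(mac), frames=n)
    return report
```

A locally-administered or unknown OUI does not prove spoofing; it only means the vendor lookup cannot be trusted and the segment-by-segment elimination in the post is the next step.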
