Interesting Switching Question....

Unanswered Question
Aug 9th, 2007

All,

I have had an interesting situation posed to me, and I wanted to reach out to the community for some advice and/or to touch into everyone's knowledge and experience.

My company has a customer, who is a hospital. The hospital is using DHCP throughout their environment for their PCs. The hospital has not implemented any wireless products in their network. One of their doctors brought in a Linksys Wireless Router, plugged it into the LAN port in his office, and is using that wireless router so that he can walk around the hospital with his laptop and still be on the network. The hospital, as I'm sure you can imagine, is pretty upset with this, as it poses a security breach on the network. They realize that the wireless router belongs to the doctor, and that he's likely not going to remove the device from the network, nor implement any security features on the router (i.e. SSID / Encryption). From what I'm told, this is a dilemma that the hospital wants to close down as quickly as possible, and that the hospital wants to avoid this from becoming a "political issue" with the doctor.

When I was asked about my opinion on the issue, my only thought was that the hospital should enable port security on the switches, and essentially hard-code each PC's MAC address (either through programming the individual MAC address, or making the MAC address "sticky" to an individual port) to the switch, also making sure that the port is shut down if the MAC address is different than what is recorded in the MAC address tables. The hospital isn't thinking of installing wireless access points into the network as of yet, as it doesn't sound like they are ready for implementing that technology into their network. They don't feel that they can enforce a directive to the doctor to remove the wireless device from the network, and they don't feel that they could persuade the doctor to enable the security features on the wireless router.

I told my salesperson that doing the switch programming may take some time, and will likely cause a lot of work for the IT staff at the hospital. I guess I'm looking for any other information that might make this situation either easier to implement, or might be comparable to doing all of the switch programming for all of the individual ports. Any thoughts/ideas would be appreciated.

Thanks in advance!

Aaron

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
valstan Thu, 08/09/2007 - 06:55

You could use 802.1X with a central RADIUS instead hard-coding each MAC in to the switches. But you still need to put all MACs into the RADIUS and the comercial software may cost few thousand dollars. Another option is to use:

http://www.freeradius.org/

kschleppenbach Thu, 08/09/2007 - 07:08

I don't think you can lock it down by MAC. The device the doc attatched is a router. The routers MAC is the one that your switch will see, regardless of how many PCs are wirelessly attatched to the Linksys.

adrian.jg.harris Thu, 08/09/2007 - 07:17

> They don't feel that they can enforce a directive to the doctor to remove the wireless device from the network

Attaching an unauthorised device to the network must break their AUP. I take it they /do/ have an AUP ??

Adding port security will certainly put pressure on the IT dept to manage the port lockouts as well as annoying affected users. However, it could well highlight other, currently unknown, security breaches.

It depends on the ratio of active ports to IT staff. It may be they have a month of pain following the introduction of port security but with little subsequent impact.

Do they have any kind of network management/monitoring ?

Something which caught the syslog or snmp trap generated by a lockout as it happened and then alerted the IT staff would make for a better customer experience than waiting for the user to report their network connection has failed.

Adrian.

MUHAMMAD SHAHEEN Thu, 08/09/2007 - 07:25

Hi,

I fully agree with you and implement your solution.

But with immediate effect I will suggest one or more to be done with immediate effect to avoid any disaster to the Hospital IT systems:-

1 find out wht is the mac address of WAP and the put a static reservation with an incorrect IP address on your DHCP serevr. The DHCP will issue incorrect IP and should cause break in the communication link.

2 Access the WAP via web interface, it is more likely no security and default login/passwords. make config changes into in such a way, that it should never establish connection unless re-configured. Then change its passwords so no one can troubleshoot it unless re-set to default.

3 On your Switch where WAP is connected. map a static ARP to incorrect IP address with the MAC address you have recorded in Step 1. This should help...

4 Put an incorrect static route statement on the IP Router for that particular IP address (which belongs to WAP), so WAP will never be able to reach any other networks.

5 configure port security on that port where WAP is connected with an incorrect mac address, incorrect speed, incorrect duplex and very low bandwidth if possible.......

There may be many other things which can be done. But one of you should take a step immediately to save the hospital IT before something happens.

HTH

Shaheen

atbreen14217 Thu, 08/09/2007 - 07:43

Everyone has brought up some valid points. From what I'm being told, this is an unauthorized piece of equipment on the hospital network. However, due to "political concerns", they aren't going to directly pull the device from the doctor's office (it is the doctor's own personal device, and not the hospitals). I'm going to make an assumption that the hospital's IT staff does not have a network monitoring system in place, and is likely reviewing network issues in a purely reactive manner, thus the nature of the issue.

I've been doing some additional research, and came up an intriguing issue. I know that the wireless router will have it's own MAC address, as will the laptop. The question is whether the customer's LAN switch will see both sets of MAC addresses (one from the router, one from the laptop) when the LAN switch's MAC address tables are updated. I would think that, if all MAC addresses can be seen by the LAN switch coming off the WAP, then the switchport security command should be able to shut down any communication from the laptop (or any other devices attached to the WAP). I guess the real question is, when the WAP communicates to the switch, what exactly is being communicated. If the LAN switch only sees the MAC address of the WAP, and the MAC addresses of all the devices behind the WAP are hidden from the LAN switch's view, then implementing switchport security is going to be fairly involved on their end.

Any other thoughts I should investigate? Thanks!

Aaron

kschleppenbach Thu, 08/09/2007 - 07:56

Aaron,

That is what I poorly tried to explain in my first post. The switch is only going to see the Linksys MAC as it is a router. It will have the IP address handed out by DHCP. Any number of devices (not just PCs but who knows what else) connected (wireless or wired) to the Linksys are transparent to the switch. I think the best solution offered (aside from the obvious pull the plug on the rogue device)was to try to connect to the Linksys and apply security to it.

atbreen14217 Thu, 08/09/2007 - 08:07

I was kicking this around thinking about what happens at L2 on a router, and it makes sense. I'm guessing that the IT folks at the hospital will have to hard-code all of the MAC addresses onto individual switch ports in order to really resolve the issue.

Thanks for your input. I appreciate it!

Aaron

ross.bagurdes Thu, 08/09/2007 - 08:34

Although this doesn't really 'prevent' the user from hard coding an IP, we get around this, in some respects, by doing DHCP reservations for all of our devices. This can be daunting as a start up project, but, once it is in place, it is quite effective. A user would have to 'guess' at an IP to use in order to connect a device like an AP. It is not a perfect security solution, but it does stop joe blow user from plugging in an AP.

As far as scalibility, we manage about 12K devices in this manner.

Also, if i am not mistaken, I think the LinkSys actually may use more than 1 Mac to communicate with the switch. I think I have tested this before, so if you use the port-security feature, and limit it to 1 mac address, this may elminiate the problem. We limit our ports to 1 mac address, and have a timeout of 1 minute. This has certainly stopped hubs/switches appearing on the network. . . and like I said, I think in our tests it actually did stop rouge AP's. We don't worry about this too much because we are using the WiSM to manage our Wireless infrastructure. The WiSM will detect rogue Ap's for us.

This is all in a hospital envrionment also.

-ross

Pavel Bykov Fri, 08/10/2007 - 04:17

About the mac addresses. If that WiFi "router" is not connected in "router" mode - i.e. If he connected it to one of wifi device's local interfaces, than the device operates in L2 mode.

In L2 mode, switch WILL see all of the MAC addresses behind the port, including all wireless subscribers.

adrian.jg.harris Fri, 08/10/2007 - 03:43

This guy seems untouchable. I don't suppose his name is Gregory House by any chance ;-)

Adrian.

vleonard Thu, 08/09/2007 - 08:17

It just sounds like the Hospital Admin wants IT to be the "Bad Guy" and do their work. If the hospital policies are clear, then they need to do something. It is common for a business to want thing blocked or have people go out of the way to stop things, when someone just needs to tell the person to stop.

I work for a large County and we have to deal with the politics of elected officials, from clerks to Judges. As hard as some appear to be to work with, it is rare that just talking to the person and explaining the issue will get it resolved.

Other than the suggestions offered, if there is not security on the Linksys, just login, set a password and disable the wireless. I assume from your post that you are not an employee of the hospital so make sure the the Hospital give you something in writing that the Linksys is not authorized to be connected to their network.

mark.j.hodge Thu, 08/09/2007 - 11:21

Aaron,

Fundimentaly this is an adminastrative issue, if the user is running an unauthorised network he/she should be told to stop. As it is a medical environement mentioning that there may be a breach of patient confinetiality which would not be covered by hospital insurance liability may be an additioanl prompt.

If you need to address this technicaly, there are a number options, some of which have already been mentioned. It depends upon how the Wireles device works and how much of a BOFH you want to be.

If the device acts as a layer2 bridge, there will be multiple MAC addresses on the switch port. Implementing port-security would address thixs, you don't need to be too brutal, just restricting the port to a single MAC address, with aging so people can move devices, would do it. This is generaly good practice so could easily be covered under normal business enhancements.

If the device is a Layer3 router, you might be able to null route the subnet he is using. This is more targeted and will not work if the router uses NAT.

The most vicious option would be to place another access point in the same area, with the same SSID and channel settings, but with no network access. The Laptop would associate randomly between the two AP's so sometimes it would work, and sometimes not. This would be very difficult to figure out for a normal user, but is very anti-social.

mark.j.hodge Thu, 08/09/2007 - 12:08

One other thing has occured to me, but this is very nasty and may not be appropriate for a hospital. You could make use of some "hacker" tools, and run a program which repeatedly deassociates the laptop from the access point. This is running a targeted Denial Of Service attack, or you could spin it and call it "Targeted Active Defence"

I have never used any such tools but a quick google has found one called Void11

http://www.wirelessdefence.org/Contents/Void11Main.htm

kschleppenbach Thu, 08/09/2007 - 12:18

Or you might better get someone's attention by capturing some of the clear text wireless traffic and then asking if anybody has heard of HIPPA or Sarbanes-Oxley or the like.

rossua994 Sun, 08/12/2007 - 07:09

With a MAC ACL configured on the hospital switch ports which the doctor can access, it would be possible to block all network access via the linksys router, so long as it was being used as a Layer 3 device, ie its internet port was connected to the hospital switch. For example create a MAC ACL named block-router and apply it to switch ports 1-24 on the local switch which the doctor accesses :-

Switch(config)#mac access-list extended block-router

Switch(config-ext-macl)#deny host xxxx.yyyy.zzzz any

Switch(config-ext-macl)#permit any any

Switch(config)#interface range fa 0/1-24

Switch(config-if)#mac access-group block-router in

(xxxx.yyyy.zzzz = router MAC address)

If the doctor is using the router purely as a layer 2 device the situation is more difficult. If the doctor's switch supports Spanning Tree Protocol this will be on by default and enabling PortFast and Cisco BPDU guard on the hospital switch ports will prevent access, as these features ensure only an end-user workstation can be connected to a switch port.

The Layer 3 solution may at least cause some disruption to the doctor (eg. someone go in and change the L2 connection to an L3 connection when he's not there), until someone figures out a good Layer 2 solution.

ross.bagurdes Sun, 08/12/2007 - 14:49

If I am not mistaken, I hear a lot of solutions that solve the problem of this one particular, special case of a doctor plugging in his LinkSys AP to the switch. this particluar problem is quite easy to solve. Just shut his port off!

As I understand it, the problem is more global. i.e. How does a network admin stop ANY user from doing this same thing the doctor is.

A policy is fine, but who will enforce it for all users? blocking the port is fine, but what will stop the user from plugging into a neighbors port? A mac address acl is fine, for blocking this particular doctor, but what will stop him from bringing in a different AP?

I think the problem that needs to be addressed is more global. Assuming that there is a policy that users may NOT bring in an AP and plug it into the network, the network admin must come up with a technical solution that enforces this policy, with the assumption that users will do it, and currently are doing it, with out the knolwedge of the Network Admin.

This is a tough case . . . . Short of NAC, 802.1x, or a Wireless solution that will block Rogue AP's the issue becomes more complicated.

I think dynamic port security is probably your best bet at this point, and have the port error disable when the Mac Address changes. Statically configing the Mac's on the switches is an administrative nightmare.

Even with the Dynamic Mac Address, it can be a problem, as a user will have to contact a network admin when their PC changes, or if they bring in a laptop. Plus you have to have some way to police what type of device is being plugged in, when a user does say that their Mac Address changed. This isn't too hard, as it is easy to look up the manufacturer of a NIC to determine if it is an AP or a NIC.

Knowing the MAC address on the network is a HUGE benefit, and is strictly why we use DHCP with Static IP assignment to MAC address.

-Ross

Actions

This Discussion