Interesting Switching Question....

atbreen14217
Level 1

All,

I have had an interesting situation posed to me, and I wanted to reach out to the community for some advice and/or to touch into everyone's knowledge and experience.

My company has a customer, who is a hospital. The hospital is using DHCP throughout their environment for their PCs. The hospital has not implemented any wireless products in their network. One of their doctors brought in a Linksys Wireless Router, plugged it into the LAN port in his office, and is using that wireless router so that he can walk around the hospital with his laptop and still be on the network. The hospital, as I'm sure you can imagine, is pretty upset with this, as it poses a security breach on the network. They realize that the wireless router belongs to the doctor, and that he's likely not going to remove the device from the network, nor implement any security features on the router (i.e. SSID / Encryption). From what I'm told, this is a dilemma that the hospital wants to close down as quickly as possible, and that the hospital wants to avoid this from becoming a "political issue" with the doctor.

When I was asked about my opinion on the issue, my only thought was that the hospital should enable port security on the switches, and essentially hard-code each PC's MAC address (either through programming the individual MAC address, or making the MAC address "sticky" to an individual port) to the switch, also making sure that the port is shut down if the MAC address is different than what is recorded in the MAC address tables. The hospital isn't thinking of installing wireless access points into the network as of yet, as it doesn't sound like they are ready for implementing that technology into their network. They don't feel that they can enforce a directive to the doctor to remove the wireless device from the network, and they don't feel that they could persuade the doctor to enable the security features on the wireless router.

I told my salesperson that doing the switch programming may take some time, and will likely cause a lot of work for the IT staff at the hospital. I guess I'm looking for any other information that might make this situation either easier to implement, or might be comparable to doing all of the switch programming for all of the individual ports. Any thoughts/ideas would be appreciated.

Thanks in advance!

Aaron

17 Replies

valstan
Level 1

You could use 802.1X with a central RADIUS instead of hard-coding each MAC into the switches. But you still need to put all MACs into the RADIUS, and the commercial software may cost a few thousand dollars. Another option is to use:

http://www.freeradius.org/

kschleppenbach
Level 4

I don't think you can lock it down by MAC. The device the doc attached is a router. The router's MAC is the one that your switch will see, regardless of how many PCs are wirelessly attached to the Linksys.

> They don't feel that they can enforce a directive to the doctor to remove the wireless device from the network

Attaching an unauthorised device to the network must break their AUP. I take it they /do/ have an AUP?

Adding port security will certainly put pressure on the IT dept to manage the port lockouts as well as annoying affected users. However, it could well highlight other, currently unknown, security breaches.

It depends on the ratio of active ports to IT staff. It may be they have a month of pain following the introduction of port security but with little subsequent impact.

Do they have any kind of network management/monitoring ?

Something which caught the syslog or snmp trap generated by a lockout as it happened and then alerted the IT staff would make for a better customer experience than waiting for the user to report their network connection has failed.

Adrian.

Hi,

I fully agree with you and implement your solution.

But I will suggest one or more of the following to be done with immediate effect to avoid any disaster to the hospital IT systems:

1 Find out what the MAC address of the WAP is and then put a static reservation with an incorrect IP address on your DHCP server. The DHCP will issue an incorrect IP and should cause a break in the communication link.

2 Access the WAP via the web interface; it most likely has no security and default login/passwords. Make config changes in such a way that it never establishes a connection unless re-configured. Then change its passwords so no one can troubleshoot it unless it is reset to default.

3 On your switch where the WAP is connected, map a static ARP to an incorrect IP address with the MAC address you recorded in step 1. This should help...

4 Put an incorrect static route statement on the IP router for that particular IP address (which belongs to the WAP), so the WAP will never be able to reach any other networks.

5 Configure port security on the port where the WAP is connected with an incorrect MAC address, incorrect speed, incorrect duplex and very low bandwidth if possible.

There may be many other things which can be done. But one of you should take a step immediately to save the hospital IT before something happens.

HTH

Shaheen

Everyone has brought up some valid points. From what I'm being told, this is an unauthorized piece of equipment on the hospital network. However, due to "political concerns", they aren't going to directly pull the device from the doctor's office (it is the doctor's own personal device, and not the hospital's). I'm going to make an assumption that the hospital's IT staff does not have a network monitoring system in place, and is likely reviewing network issues in a purely reactive manner, thus the nature of the issue.

I've been doing some additional research, and came up with an intriguing issue. I know that the wireless router will have its own MAC address, as will the laptop. The question is whether the customer's LAN switch will see both sets of MAC addresses (one from the router, one from the laptop) when the LAN switch's MAC address tables are updated. I would think that, if all MAC addresses can be seen by the LAN switch coming off the WAP, then the switchport security command should be able to shut down any communication from the laptop (or any other devices attached to the WAP). I guess the real question is, when the WAP communicates to the switch, what exactly is being communicated. If the LAN switch only sees the MAC address of the WAP, and the MAC addresses of all the devices behind the WAP are hidden from the LAN switch's view, then implementing switchport security is going to be fairly involved on their end.

Any other thoughts I should investigate? Thanks!

Aaron

Aaron,

That is what I poorly tried to explain in my first post. The switch is only going to see the Linksys MAC as it is a router. It will have the IP address handed out by DHCP. Any number of devices (not just PCs but who knows what else) connected (wireless or wired) to the Linksys are transparent to the switch. I think the best solution offered (aside from the obvious pull the plug on the rogue device) was to try to connect to the Linksys and apply security to it.

I was kicking this around thinking about what happens at L2 on a router, and it makes sense. I'm guessing that the IT folks at the hospital will have to hard-code all of the MAC addresses onto individual switch ports in order to really resolve the issue.

Thanks for your input. I appreciate it!

Aaron

Although this doesn't really 'prevent' the user from hard coding an IP, we get around this, in some respects, by doing DHCP reservations for all of our devices. This can be daunting as a start up project, but, once it is in place, it is quite effective. A user would have to 'guess' at an IP to use in order to connect a device like an AP. It is not a perfect security solution, but it does stop joe blow user from plugging in an AP.

As far as scalability, we manage about 12K devices in this manner.

Also, if I am not mistaken, I think the Linksys actually may use more than 1 MAC to communicate with the switch. I think I have tested this before, so if you use the port-security feature, and limit it to 1 MAC address, this may eliminate the problem. We limit our ports to 1 MAC address, and have a timeout of 1 minute. This has certainly stopped hubs/switches appearing on the network... and like I said, I think in our tests it actually did stop rogue APs. We don't worry about this too much because we are using the WiSM to manage our wireless infrastructure. The WiSM will detect rogue APs for us.

This is all in a hospital environment also.

-ross

About the MAC addresses. If that WiFi "router" is not connected in "router" mode, i.e. if he connected it through one of the WiFi device's local (LAN) interfaces, then the device operates in L2 mode.

In L2 mode, switch WILL see all of the MAC addresses behind the port, including all wireless subscribers.

This guy seems untouchable. I don't suppose his name is Gregory House by any chance ;-)

Adrian.

vleonard
Level 1

It just sounds like the hospital admin wants IT to be the "bad guy" and do their work. If the hospital policies are clear, then they need to do something. It is common for a business to want things blocked or to have people go out of their way to stop things, when someone just needs to tell the person to stop.

I work for a large County and we have to deal with the politics of elected officials, from clerks to Judges. As hard as some appear to be to work with, it is rare that just talking to the person and explaining the issue will get it resolved.

Other than the suggestions offered, if there is no security on the Linksys, just log in, set a password and disable the wireless. I assume from your post that you are not an employee of the hospital, so make sure the hospital gives you something in writing that the Linksys is not authorized to be connected to their network.

mark.j.hodge
Level 3

Aaron,

Fundamentally this is an administrative issue; if the user is running an unauthorised network he/she should be told to stop. As it is a medical environment, mentioning that there may be a breach of patient confidentiality which would not be covered by hospital liability insurance may be an additional prompt.

If you need to address this technically, there are a number of options, some of which have already been mentioned. It depends upon how the wireless device works and how much of a BOFH you want to be.

If the device acts as a layer 2 bridge, there will be multiple MAC addresses on the switch port. Implementing port-security would address this; you don't need to be too brutal, just restricting the port to a single MAC address, with aging so people can move devices, would do it. This is generally good practice so could easily be covered under normal business enhancements.

If the device is a layer 3 router, you might be able to null route the subnet he is using. This is more targeted and will not work if the router uses NAT.

The most vicious option would be to place another access point in the same area, with the same SSID and channel settings, but with no network access. The laptop would associate randomly between the two APs so sometimes it would work, and sometimes not. This would be very difficult to figure out for a normal user, but is very anti-social.

One other thing has occurred to me, but this is very nasty and may not be appropriate for a hospital. You could make use of some "hacker" tools, and run a program which repeatedly deassociates the laptop from the access point. This is running a targeted Denial of Service attack, or you could spin it and call it "Targeted Active Defence".

I have never used any such tools, but a quick Google search has found one called Void11:

http://www.wirelessdefence.org/Contents/Void11Main.htm

Or you might better get someone's attention by capturing some of the clear text wireless traffic and then asking if anybody has heard of HIPAA or Sarbanes-Oxley or the like.
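The thread's central question (will the switch see one MAC or many behind the Linksys, and what does a "maximum 1 MAC" port-security rule then do?) can be worked through with a small model. This is an added example, not code from any poster or from Cisco: it models a consumer wireless router attached either through a LAN port (layer 2 bridge, client MACs visible) or through its WAN port (NAT router, only the router's MAC visible), and a port-security policy that learns at most one address and err-disables the port on a second. All MAC addresses are constructed sample values.

```python
"""Toy model of switch MAC learning and port security (added example)."""
from dataclasses import dataclass, field

ROUTER_MAC = "00:11:22:aa:bb:01"                      # constructed: the Linksys itself
CLIENT_MACS = ["00:11:22:aa:bb:10", "00:11:22:aa:bb:11"]  # constructed: two wireless laptops


@dataclass
class PortSecurity:
    """Port-security state for one switch port: 'maximum N' with shutdown violation."""
    maximum: int = 1
    learned: set = field(default_factory=set)
    err_disabled: bool = False
    log: list = field(default_factory=list)           # what a syslog/SNMP trap would carry

    def frame_from(self, src_mac: str) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)                 # sticky-style learn of the first MAC
            return True
        self.err_disabled = True                      # violation mode "shutdown"
        self.log.append(f"PSECURE_VIOLATION: unexpected MAC {src_mac}")
        return False


def uplink_source_macs(mode: str, client_macs):
    """Source MACs the switch sees on the uplink for one frame from each client."""
    if mode == "bridge":       # cable in a LAN port: L2, every client MAC passes through
        return list(client_macs)
    if mode == "router":       # cable in the WAN port: NAT rewrites src MAC to the router's
        return [ROUTER_MAC for _ in client_macs]
    raise ValueError(f"unknown mode {mode!r}")


def simulate(mode: str, client_macs=CLIENT_MACS, maximum: int = 1) -> dict:
    """Feed one frame per client through port security and report what happened."""
    port = PortSecurity(maximum=maximum)
    forwarded = [port.frame_from(mac) for mac in uplink_source_macs(mode, client_macs)]
    return {
        "seen_macs": sorted(port.learned),
        "err_disabled": port.err_disabled,
        "forwarded": forwarded,
        "log": port.log,
    }
```

In bridge mode the second laptop trips the violation and the port is shut down (and the log entry is what the monitoring system mentioned earlier would alert on); in NAT mode every frame carries the router's MAC, so a maximum-1 rule never fires and port security alone does not expose the clients behind it.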
