Windows: Easy MAC address spoofing
While testing out the different NAC solutions, I wanted to see how they would handle a connection where the MAC address that was previously associated with a printer was suddenly associated with a PC. The NIC in my laptop allows me to manually change the MAC address in the NIC properties. That works but I wanted an easier way to make the changes. The solution ended up being a freeware program called Technitium MAC Address Changer.
Some of the features of Technitium MAC Address Changer include:
- Easy-to-use GUI.
- Huge list of manufacturers' MAC addresses to choose from.
- Full NIC hardware and configuration information.
- IP configuration shortcuts.
I’m using it tomorrow to test a Cisco NAC we have on loan. The MAC address I’m going to try is currently associated with a Cisco IP phone. According to the Cisco reps, the NAC should detect that the MAC address is being used by a different system and drop me into the quarantine role. That’s just one of a few features they said works but weren’t able to demo during the initial setup.
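The check the post expects the NAC to make, written out as an added example (it is not code from the original post or from any NAC vendor): correlate a MAC address's OUI with the device type its DHCP vendor class claims, and flag a MAC whose observed identity changes between sightings, such as a printer's address that suddenly shows up as a Windows workstation. The OUI prefixes, the vendor-class rules and the sightings are constructed sample data; a real deployment would load the IEEE OUI list and its own DHCP server logs.

```python
"""Flag MAC addresses whose observed identity changes between sightings.

Added example, not from the original post or from any NAC product.
Assumptions: OUI_CLASS, VENDOR_CLASS_RULES and SAMPLE_SIGHTINGS are
constructed sample data standing in for the IEEE OUI list and DHCP logs.
"""
import re
from dataclasses import dataclass

# Constructed OUI-to-device-class table (made-up prefixes, labelled as such).
OUI_CLASS = {
    "00:11:22": "printer",
    "00:33:44": "ip-phone",
    "00:55:66": "workstation",
}

# Constructed fingerprint rules: substring of the DHCP vendor class (option 60)
# -> device class. "MSFT 5.0" is what Windows DHCP clients actually send.
VENDOR_CLASS_RULES = (
    ("msft", "workstation"),
    ("ip phone", "ip-phone"),
    ("printer", "printer"),
)


@dataclass(frozen=True)
class Sighting:
    mac: str
    hostname: str       # hostname offered by the client (DHCP option 12)
    vendor_class: str   # vendor class identifier (DHCP option 60)
    switch_port: str    # port the request was seen on


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, accepting ':' or '-' separators."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui_class(mac: str) -> str:
    """Device class implied by the first three octets (the OUI)."""
    return OUI_CLASS.get(normalize_mac(mac)[:8], "unknown")


def fingerprint_class(vendor_class: str) -> str:
    """Device class implied by what the DHCP client says about itself."""
    vc = vendor_class.lower()
    for needle, device_class in VENDOR_CLASS_RULES:
        if needle in vc:
            return device_class
    return "unknown"


def detect_identity_changes(sightings):
    """Return one alert per sighting whose claimed identity is suspicious.

    Two independent signals are checked: the DHCP fingerprint disagrees with
    the OUI ("oui-mismatch"), or it disagrees with what this MAC looked like
    the last time it was seen ("identity-changed"). Unknown classes are never
    compared, so gaps in the tables do not produce noise.
    """
    last_seen = {}   # mac -> device class observed at the previous sighting
    alerts = []
    for s in sightings:
        mac = normalize_mac(s.mac)
        observed = fingerprint_class(s.vendor_class)
        expected = oui_class(mac)
        reasons = []
        if "unknown" not in (observed, expected) and observed != expected:
            reasons.append("oui-mismatch")
        previous = last_seen.get(mac)
        if previous and observed != "unknown" and observed != previous:
            reasons.append("identity-changed")
        if reasons:
            alerts.append({"mac": mac, "hostname": s.hostname, "port": s.switch_port,
                           "expected": expected, "observed": observed,
                           "reasons": reasons})
        if observed != "unknown":
            last_seen[mac] = observed
    return alerts


# Constructed sightings: the last one reuses the printer's MAC from a Windows host.
SAMPLE_SIGHTINGS = [
    Sighting("00:11:22:AA:BB:CC", "PRN-LOBBY", "Acme LaserPrinter 200", "Gi1/0/5"),
    Sighting("00:33:44:01:02:03", "SEP000102", "Acme IP Phone 7xxx", "Gi1/0/7"),
    Sighting("00:55:66:DE:AD:BE", "DESKTOP-01", "MSFT 5.0", "Gi1/0/20"),
    Sighting("00-11-22-aa-bb-cc", "LAPTOP-JD", "MSFT 5.0", "Gi1/0/12"),
]

if __name__ == "__main__":
    for alert in detect_identity_changes(SAMPLE_SIGHTINGS):
        print(f"{alert['mac']} on {alert['port']} ({alert['hostname']}): "
              f"expected {alert['expected']}, saw {alert['observed']} "
              f"[{', '.join(alert['reasons'])}]")
```

Only the fourth sighting is flagged, and for both reasons at once: the OUI says printer while the client announces itself as Windows, and the same MAC was a printer the last time it was seen. The OUI check alone is weak (an attacker who picks a workstation OUI passes it), which is why the second, history-based signal matters; the NAC evaluation described above is really a test of whether the product keeps that history.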
Men will always be mad, and those who think they can cure them are the maddest of all. - Voltaire
25.Sep.07
Networking, Software, Windows
Comments (4)
Cisco conference call
I had a conference call at work today with a couple of Cisco sales reps. The point of the conference call was to discuss the Cisco NAC evaluation taking place later this week. The conference call took place using WebEx. It was a little strange using WebEx for a phone conference call. Everyone where I work that was also involved in the call, as well as myself, thought that the Cisco reps were going to do a video demonstration but they didn’t.
The Cisco reps wanted to nail down a few details before the evaluation took place. The main points discussed were what we were looking for, how our network is currently set up and what we hoped to gain using the Cisco NAC. I’m really looking forward to checking out their system.
One big highlight that came out of the meeting was that I’m getting a chance to attend a Cisco CCNA boot camp for free. The CCNA training will be held at a local Cisco office. They are still trying to nail down the exact dates for the week-long training. Once they get that, someone from the Cisco office is going to email me. A $2300 training course for free? I’ll take that in a heartbeat.
Pain is inevitable. Suffering is optional. - M. Kathleen Casey
10.Sep.07
Certifications, Networking, Security
Comments (4)
Trend Micro’s NAC needs some work
For the last week, I’ve been testing out a Network VirusWall Enforcer from Trend Micro. I’ve only found one thing about it that really impresses me. That would be the number of antivirus programs, 63 at this time, it supports. Other than that, I am really disappointed in it.
The main reason I requested the demo is because we use Trend Micro OfficeScan on all of our Windows servers and workstations. We use Trend Micro Control Manager 3.5 and were told it could control the VirusWall NAC. That was the first surprise of the demo. Out of the two units, one 1200 and the other a 2500, only the 2500 could be managed via TMCM. The 1200 had to be managed through the console or by connecting to the admin web page running on the appliance.
The sales guy called his boss and was told that the 1200 was about to be marked EoL so it would not be supported in TMCM 3.5. Nice. I just wish that was the only problem with the whole setup.
Here is a quick rundown of other problems I have with the Trend Micro NAC:
- No HTTPS support for redirect/remediation URLs.
  - In any field where a URL had to be typed, an error would pop up if the URL started with HTTPS, stating that only “http://” is allowed.
  - By default, you have to use a secure site (https://OfficeScanInstall) if you want to allow TM OfficeScan to be installed via a web page. How could they not know that and allow HTTPS URLs on the redirect pages?
  - Should be fixed in a future update according to the salesman.
- Rules cannot be nested.
- Only user authentication is supported. Machine authentication (i.e. approved MAC address) is not supported.
- Detection of the OfficeScan client was inconsistent.
  - Even though the NAC was configured to look for OfficeScan on the right port, it still couldn’t detect it every time. This would cause the workstation to fall out of compliance randomly and have to be reassessed.
  - No firewall was blocking the scan and the Persistent Agent was installed.
There may also be a problem with the device that I am awaiting a response from Trend about. It involves a hole in how devices may be able to gain network access even after failing policy compliance checks. I emailed the info (issue & steps to reproduce) to my Trend Micro contacts. Hopefully, I’ll hear something soon.
Great minds have purposes, others have wishes. - Washington Irving
29.Aug.07
Networking, Security
Comments (0)
Finding a NAC solution
This week has been very busy. I had four meetings that took up almost four full days. The meetings were with vendors to check out their offerings in NAC systems. Friday was spent discussing pros and cons of each system and trying to decide which one would meet our needs and budget. I feel the decision has come down to two NAC vendors: Infoblox and Enterasys.
From a “what they can do” standpoint, the Enterasys system wins hands down. Enterasys appliances will actually work at the port level of the switches in order to limit a computer’s or user’s ports, speed and access. We liked that it would work with or without the client software installed. With the client installed, we would have the ability to fully scan systems even if they are not part of the domain. Without the client, systems not on the domain could block scans. We would just leave systems in quarantine limbo (i.e. no network connection) if the scan fails.
Out of the box, Enterasys works with many different antivirus programs and operating systems as part of the system compliance check (OS patches, installed programs, AV updates, etc.). The system also allows you to set QoS and bandwidth throttles based on MAC address, IP address or client login. IT department = full throttle, everyone else = 20%.
The Infoblox appliance runs a hardened Linux OS that has built-in DHCP, DNS, RADIUS, TFTP and NTP services. Not all of the services have to be enabled, only the ones you wish to use. The Enterasys system supports RADIUS but only as a proxy/pass-through. We could use these appliances to offload DHCP and DNS from the domain servers at each location. RADIUS is not implemented on our network yet but it is wanted for an extra layer of wired/wireless authentication. It was simple to import the DNS and DHCP setup from a Windows 2000/2003 server into the Infoblox appliance. Configuration of all appliances (local and remote) is easily handled through a single Java-based admin GUI. No client is required but, just like with Enterasys, this can limit scanning abilities.
Unfortunately, the Infoblox system only works with McAfee antivirus out of the box. They can make it work with other vendors but only if there is an API for the software to allow compliance checks. Also, OS patch checking is performed using BigFix. The vendor said they can make it work with the available Windows Update Agent API so that it will work with our local WSUS server.
I think we will be going with the Infoblox solution. Even though Enterasys does so much more, cost of implementation will probably be the downfall. All of our remote locations have a managed switch with many unmanaged (dumb) switches connected to it. To fully use all of the Enterasys features, we would need to swap out all or most of the unmanaged switches. The cost to do that, and to purchase the Enterasys system, will easily exceed $700,000. The Infoblox systems will cost around $200,000 to fully implement and handle our main needs plus a little more for later use. I would go with Enterasys if I were in charge of picking a solution for a new business setup, a smaller established network, or one with a much larger budget.
Here are the links to the literature pages for each company. They both have quite a bit of info on case studies, white papers, fact sheets, product info, etc.
The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy. - Martin Luther King, Jr.
01.Jul.07
Networking, Security
Comments (0)
Easy remote assistance
I received a call from a friend this weekend asking for help with some Windows errors. He did some searches online to find fixes but almost all of them involved editing the registry. This was something he wasn’t comfortable doing so he asked if I could help him with it. I wasn’t doing anything at the time so I helped him out.
Before driving an hour to his house, I asked if he was able to connect to the Internet. He said he could so I had him download CrossLoop. CrossLoop uses TightVNC to allow remote control of the host PC. The communications are secured using 128-bit Blowfish encryption. I had him use this instead of a normal VNC install because CrossLoop doesn’t require you to configure port forwarding on the router. More info on how it works can be found here.
My friend installed the program, started it up and connected the host session. He then gave me his 12-digit access code so I could join the session. In about 5 seconds, I had his desktop on my screen. We were able to fix his problem after correcting a couple of registry keys and rebooting the system. I told him he could uninstall CrossLoop since it is such a small download that it would be quick to get again. He said he’d wait a few days just in case he needed me to help again soon.
One note about CrossLoop. It does work kind of like Hamachi in that the initial connection is made through a relay server. Once the connection is established, the session is supposed to get passed to a direct P2P connection between the host and client (no relay server). CrossLoop’s site does state that this does not always work because a router may be blocking UDP packets. If this happens, all communication is made through the CrossLoop relay server. The traffic is still encrypted but passing the data through the relay may be a concern.
It’s easy to make a buck. It’s a lot tougher to make a difference. - Tom Brokaw
21.May.07
Networking
Comments (6)