Friday, August 24, 2007

Arpwatch

To wrap up script week, I'd like to talk a little bit about arpwatch. Continuing on the theme of half-baked ideas, this was one that I was rather excited about as an entry level network engineer, but the complete lack of interest kinda took the wind out of my sails.

Here is the gist. In my experience I've never seen the use of NAC, 802.1X, or even simple switch port security. I have to assume that many corporations remain blind to what devices are hard-wired into their local network. Each Ethernet device has a globally unique burned-in MAC address. It gladly sends frames carrying this address out onto the network as it attempts to get a dynamic (DHCP) address, or in response to another machine's ARP request. Arpwatch just sits there and listens for new devices, and creates a log entry whenever a new one (or a changed MAC/IP pairing) shows up.

To me it just stands to reason that a security conscious company would be interested in what MAC addresses have been seen on the network, when they were first seen, what VLANs they've been on... especially when it is so simple. If you ask a branch office or campus LAN administrator what new MAC addresses have shown up on the network TODAY, they simply cannot tell you.

So I thought it'd be a great idea to just set up a Linux box with a trunk port to the corporate switches. This would be able to sniff every ARP on the network and keep an inventory of hardware addresses. Since syslogs are a little lame, I made a database where this information was stored. You could run reports like "show me all devices that first appeared on the network on either VLAN 50 or VLAN 60 between October 10th and 16th which had 3Com network cards". I also created scripts to use SNMP to grab the dynamic CAM table from Cisco switches. The idea here is to be able to tie those hardware addresses back into the CAM tables to tell us which switch and port the machine had connected to. This seems rather obvious to me, and somewhat simple to implement.
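The log-parsing half of that design, as an added example rather than the post's own script: it reads arpwatch's syslog lines ("new station", "changed ethernet address", "flip flop"), normalizes the unpadded MACs arpwatch prints, builds an inventory keyed by MAC with first-seen time, first VLAN, every IP and VLAN observed, and the OUI vendor, and then answers the "first appeared on VLAN 50 or 60 between Oct 10th and 16th with a 3Com card" report. It assumes the sniffer box uses 802.1Q sub-interfaces named `eth0.<vlan>` so the VLAN can be read from the interface name; the OUI table and the log lines are constructed for the example, and the SNMP CAM-table join is left out.

```python
"""Turn arpwatch syslog output into a MAC-address inventory and run the kind
of first-seen / VLAN / vendor report described in the post.  Added example,
not the post's original script."""
import re

# Hypothetical OUI table (first three octets -> vendor).  A real deployment
# would load the IEEE OUI registry; these entries are constructed.
OUI_VENDORS = {"00:01:02": "3Com", "00:0c:29": "VMware"}

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# The three arpwatch message shapes this parser cares about:
#   new station <ip> <mac> <iface>
#   changed ethernet address <ip> <new mac> (<old mac>) <iface>
#   flip flop <ip> <mac> (<old mac>) <iface>
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"arpwatch(?:\[\d+\])?: "
    r"(?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-fA-F:]+)"
    r"(?: \((?P<old>[0-9a-fA-F:]+)\))? (?P<iface>\S+)$"
)


def normalize_mac(mac):
    """arpwatch prints octets unpadded (0:1:2:aa:bb:1); pad to 00:01:02:aa:bb:01."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))


def vlan_of(iface):
    """Assumption: the sniffer listens on 802.1Q sub-interfaces named eth0.<vlan>."""
    return int(iface.rsplit(".", 1)[1]) if "." in iface else None


def parse_line(line):
    """Return a dict for an arpwatch station event, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "when": (MONTHS[m["mon"]], int(m["day"]), m["time"]),  # syslog has no year
        "event": m["event"],
        "ip": m["ip"],
        "mac": normalize_mac(m["mac"]),
        "old_mac": normalize_mac(m["old"]) if m["old"] else None,
        "vlan": vlan_of(m["iface"]),
    }


def build_inventory(lines):
    """Return ({mac: record}, [address-change events]).  A record holds the
    first-seen time and VLAN, every IP and VLAN observed, and the OUI vendor."""
    inv, changes = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ent = inv.setdefault(rec["mac"], {
            "first_seen": rec["when"], "first_vlan": rec["vlan"],
            "vendor": OUI_VENDORS.get(rec["mac"][:8], "unknown"),
            "ips": set(), "vlans": set()})
        ent["ips"].add(rec["ip"])
        ent["vlans"].add(rec["vlan"])
        if rec["event"] != "new station":
            # An IP that moved to a different MAC: DHCP churn, a replaced
            # machine, or ARP spoofing.  Either way it belongs in the report.
            changes.append((rec["when"], rec["ip"], rec["old_mac"],
                            rec["mac"], rec["event"]))
    return inv, changes


def first_seen_report(inv, vlans, vendor, start, end):
    """MACs whose *first* appearance was on one of `vlans`, from `vendor`,
    between (month, day) `start` and `end` inclusive."""
    return sorted(
        mac for mac, e in inv.items()
        if e["first_vlan"] in vlans and e["vendor"] == vendor
        and start <= e["first_seen"][:2] <= end)


SAMPLE_LOG = [  # constructed arpwatch/syslog lines; hosts and MACs are made up
    "Oct 10 08:12:01 sniffer arpwatch[812]: new station 10.50.0.21 0:1:2:aa:bb:1 eth0.50",
    "Oct 11 09:30:45 sniffer arpwatch[812]: new station 10.60.0.7 0:c:29:10:20:30 eth0.60",
    "Oct 12 14:02:13 sniffer arpwatch[812]: new station 10.60.0.9 0:1:2:cc:dd:2 eth0.60",
    "Oct 12 14:05:00 sniffer arpwatch[812]: changed ethernet address 10.60.0.9 0:c:29:10:20:30 (0:1:2:cc:dd:2) eth0.60",
    "Oct 13 16:40:22 sniffer arpwatch[812]: new station 10.60.0.30 0:1:2:aa:bb:1 eth0.60",
    "Oct 15 11:00:00 sniffer arpwatch[812]: flip flop 10.60.0.9 0:1:2:cc:dd:2 (0:c:29:10:20:30) eth0.60",
    "Oct 15 11:00:01 sniffer sshd[99]: Accepted publickey for ops",  # unrelated, skipped
]

if __name__ == "__main__":
    inventory, change_events = build_inventory(SAMPLE_LOG)
    for mac, e in sorted(inventory.items()):
        print(mac, e["vendor"], "first seen", e["first_seen"],
              "on VLAN", e["first_vlan"], "VLANs", sorted(e["vlans"]))
    print("3Com, first seen on VLAN 50/60, Oct 10-16:",
          first_seen_report(inventory, {50, 60}, "3Com", (10, 10), (10, 16)))
    for c in change_events:
        print("address change:", c)
```

Feeding it `/var/log/messages` instead of `SAMPLE_LOG` gives the same inventory for a real sniffer; storing the records in a table instead of a dict is the database step the post describes, and the `changes` list is the part worth alerting on, since a "flip flop" or "changed ethernet address" against a server's IP is what ARP spoofing looks like from arpwatch's point of view.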

I seem to have trouble not with coding or implementing these things, but with marketing. As certain as I was that this is great information to have, there seemed to be no interest. I've not seen any other tool attempting to do the same thing.

Oh well, another ill-fated script. Here is some code. I don't even know if I have all the pieces to this one. I certainly don't have the database schema.

This one does the parsing and importing of arpwatch logs.
This one does the grabbing of data from switches.

This is really old, so it is not exactly "good", but I still think the idea is worthwhile.