Solved

Need an alert when unauthorized device plugs into LAN

Posted on 2014-01-15
Last Modified: 2014-01-23
Hello Experts - I'm looking for a way to generate an email alert anytime an unauthorized device is plugged into my LAN.  No other action needs to take place, just a simple email letting me know someone has plugged in, preferably along with details including what port and perhaps information about the device.  I'm using a Cisco 4510 switch, a 5510 ASA, and a 2811 gateway.  Thanks in advance for any advice!
Question by:First Last
6 Comments
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39782862
Since it's a small network I would look into arpwatch.  It sees when an IP/MAC pair changes or a new one is seen and emails you immediately.  You can then look that MAC address up using 'sh mac-address-table' (might be 'sh mac address-table' on your switch) to find the port it's connected to.
0
 
LVL 1

Author Comment

by:First Last
ID: 39782927
Looks interesting but not quite what I am looking for.  I'd prefer something Windows based and that would only alert me when an unauthorized device was plugged in.  This might provide a little too much information since I'd get an email any time someone moved with a laptop as an example.  Still, if nothing else comes up this could be handy, thanks!
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39782938
Actually it wouldn't alert just with a laptop moving.  That laptop must get a new IP as well.  arpwatch doesn't care about switch ports, only IP to MAC mappings.

So do you only want to be alerted if an "unauthorized" client connects or prefer to block them to begin with?  Also, define unauthorized.  Most tools are not going to know the difference.
0
 
LVL 1

Author Comment

by:First Last
ID: 39782957
Ah, ok, that's better than I thought then.  I don't want to block anyone, just get an email when a device that isn't plugged in now gets plugged in later.  I pictured doing a network scan and collecting a small database of what would constitute authorized devices. Any device connecting to the LAN not already in the database would trigger the alert.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39782968
That would definitely work too.  And the database could easily be a flat file; that way (since you're on Windows) you could, in your script, use the find command to quickly compare.  Then you could just put it as a scheduled job that fires off every X minutes to do the comparison and email.  It would be a simple batch or PowerShell script really.
0
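
The flat-file baseline comparison described in the comment above, sketched in PowerShell as an added example (not code posted by anyone in the thread). The file paths, SMTP host and mail addresses are placeholders, and the function names are made up for illustration. It assumes English-language `arp -a` output and, because it reads this PC's ARP cache, it only sees devices on the PC's own subnet that have recently exchanged traffic with it.

```powershell
# Added example: flat-file baseline check, meant to run as a scheduled task.
# Every path, host name and address below is a placeholder (assumption).
$BaselineFile = 'C:\NetWatch\authorized_macs.txt'   # one authorized MAC per line
$SeenFile     = 'C:\NetWatch\already_alerted.txt'   # MACs already reported
$SmtpServer   = 'smtp.example.local'
$MailFrom     = 'netwatch@example.local'
$MailTo       = 'admin@example.local'

function ConvertTo-NormalizedMac([string]$Mac) {
    # Accepts 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or Cisco-style 001a.2b3c.4d5e
    ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
}

function Get-ArpEntry([string[]]$ArpOutput) {
    # Keep only "dynamic" rows; static rows are broadcast/multicast entries.
    $pattern = '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+dynamic'
    foreach ($line in $ArpOutput) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                IP = $Matches[1]; MAC = (ConvertTo-NormalizedMac $Matches[2]) }
        }
    }
}

function Get-UnknownDevice([string[]]$ArpOutput, [string[]]$Baseline) {
    # Return ARP entries whose MAC is not in the baseline, one row per MAC.
    $known = @($Baseline | Where-Object { $_ -match '\S' } |
               ForEach-Object { ConvertTo-NormalizedMac $_ })
    Get-ArpEntry $ArpOutput | Where-Object { $known -notcontains $_.MAC } |
        Sort-Object MAC -Unique
}

# Treat previously reported MACs as known so each device is mailed only once.
$baseline = @(Get-Content $BaselineFile)
if (Test-Path $SeenFile) { $baseline += @(Get-Content $SeenFile) }

$unknown = @(Get-UnknownDevice (arp -a) $baseline)
if ($unknown.Count -gt 0) {
    # Include the dotted form the switch uses, for the MAC table lookup.
    $body = ($unknown | ForEach-Object {
        '{0}  {1}  (switch format: {2})' -f $_.IP, $_.MAC,
            ($_.MAC -replace '(.{4})(?=.)', '$1.') }) -join "`r`n"
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject "Unknown device(s) on LAN: $($unknown.Count)" -Body $body
    $unknown | ForEach-Object { $_.MAC } | Add-Content $SeenFile
}
```

The baseline file can be seeded from a scan taken while only known devices are connected, as the asker describes.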
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39792377
ARPWatch is good but it will need an interface to be present in each VLAN you want to monitor.

If you only have one VLAN it's not a problem, but ARP doesn't work across routers so you'd need the PC running ARPWatch to have multiple interfaces if you do.
0


Question has a verified solution.
