Poor man's port scan blocker

suelange
Level 1

Working with Cisco IOS on 3750s at the access level, Nexus 7Ks at the core.

I need to find a cheap but relatively harmless way to block port scans.  We have not typically had to do this, most people on the internal network behave themselves.  But we have a programmer bent on proving she's an "ethical hacker" and frankly I haven't got time for this nonsense. 

I would just shut down her physical port but she runs these 'tools' from a vm-server and there are other hosts running on the same physical NIC so I can't just shut off that port.

I was looking into CBAC but I need to be very careful how I craft the ACL so as not to cause legitimate traffic to cease. That would be an RPE. Has anyone seen a detailed write-up on how to proceed? The training I took just sort of 'touched' on it...kind of like "here's this other feature" but didn't really delve deeply into specifics. I did a search on Google and was overwhelmed. The first couple of articles I located, probably just by coincidence, were written for folks already steeped in the spy vs. spy world and so were way over my KB threshold. As I said, I can't afford to make a mistake here.

Anyone have some tips on where I can get started on this?  Thanks so much in advance.

3 Replies

hobbe
Level 7

Hi

Well there are several ways you can handle this.

But let's first go through the way it is supposed to be handled.

1) Is she breaking any IT policy? If yes, then let HR deal with the offending programmer; just make sure that they have enough proof to swat the offender hard.

If the answer is no, no policy of the company is broken, then frankly I doubt that it is your responsibility to fix the problem, which in this case is that the IT policy is lagging behind what is desirable.

Let's ignore the above part and check on what you asked for.

First of all, since the machine is a VM in an ESX host, you will have problems halting traffic simply because not all traffic leaves the ESX host.

So what can you do? Is the IP address static or dynamic?

If it is a static IP address then you can easily write an ACL that allows what she is supposed to be able to do from that machine, then blocks the rest from that particular machine, and then allows everything else.

Since you did not have an ACL from the beginning this should only impact her ability to scan.

If the 3750 software is quite new you can set up an ACL with a connection to an EEM and TCL script so that IF she starts to scan you can block her address by adding a new ACL, or the switch sends you an email, or anything you can imagine in between.

If the IP address is DHCP then you can either choose to lock it down to a specific address in the DHCP scope, or you can set up something that lets you know what it is and sets a scripted ACL.

So what other things can you do?

You could set a MAC address access-list and shut down the MAC address passing through the switch.

You can do a lot of other things like poisoning the ARP table of the machine, and make things not work the way she wants: duplicate IP addresses and MAC addresses, or maybe a duplicate Windows name.

But that sort of thing can backfire and, to be honest, that does not sound like the doings of a person who is in charge of the network and so on.

I would go for the first alternative, i.e. make sure that what she is doing is not OK according to policies, let her know that it is not OK, and if she persists in her doings turn her over to the HR department.

Good luck
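The "allow what she needs, deny the rest from that one host, permit everyone else" ACL that hobbe describes, written out as an added example (this is not configuration from the thread or from Cisco; the addresses, ports and interface name are placeholders, and it assumes the scanning VM has a static address of 10.10.20.50 and legitimately needs only DNS, the file server and the web proxy):

```cisco
! Added example, not from the thread. All addresses, ports and the interface are placeholders.
! Assumes the scanning VM is 10.10.20.50 (static) and needs only DNS, SMB to one
! file server and HTTP through one proxy. Order matters: most specific entries first.
ip access-list extended SCAN-GUARD
 remark -- legitimate traffic for the scanning host (placeholders)
 permit udp host 10.10.20.50 host 10.10.30.5 eq domain
 permit tcp host 10.10.20.50 host 10.10.30.5 eq domain
 permit tcp host 10.10.20.50 host 10.10.30.10 eq 445
 permit tcp host 10.10.20.50 host 10.10.30.20 eq 3128
 remark -- everything else sourced from that one host is dropped
 deny   ip host 10.10.20.50 any
 remark -- every other host behind the port keeps its current, unfiltered access
 permit ip any any
!
! Applied inbound on the ESX host's access port so that scans of other hosts in the
! same VLAN are also caught (an ACL on the SVI would only see routed traffic).
interface GigabitEthernet1/0/12
 description ESX host uplink - shared by several VMs
 ip access-group SCAN-GUARD in
!
```

Because every entry matches on the one source address, the other VMs sharing the NIC fall through to the final `permit ip any any` and are unaffected, which is the "should only impact her ability to scan" property hobbe mentions. Two caveats: scans of other VMs on the same ESX host never reach the switch, so this ACL cannot see them, and if the VM can change its own IP address to one not listed, the ACL no longer applies to it. Check the entries and their placement with `show ip access-lists SCAN-GUARD` and `show running-config interface GigabitEthernet1/0/12` before relying on them.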

Collin Clark
VIP Alumni

One option is to only allow 1 MAC address on the switchport. You can statically allow her workstation MAC and the VM, and any other MACs will be blocked.
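Port security as Collin Clark suggests, adapted to the situation in the question where several VMs legitimately share the ESX host's NIC, as an added example (not configuration from the thread; the interface and the MAC addresses are placeholders, and it assumes exactly three known VMs live behind that port):

```cisco
! Added example, not from the thread. Interface and MAC addresses are placeholders.
! Assumes three known VMs share the ESX host's NIC; 'maximum' must cover all of them
! or legitimate VMs will be treated as violations.
interface GigabitEthernet1/0/12
 description ESX host uplink - shared by several VMs
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address 0050.56aa.0001
 switchport port-security mac-address 0050.56aa.0002
 switchport port-security mac-address 0050.56aa.0003
 ! 'restrict' drops frames from any other MAC and raises a syslog/SNMP trap
 ! without err-disabling the port; the default 'shutdown' would take the
 ! other VMs on this NIC offline as well.
 switchport port-security violation restrict
!
```

Verify with `show port-security interface GigabitEthernet1/0/12` (secure addresses, the violation counter) and `show port-security address`. Note what this does and does not do: it stops additional or spoofed MAC addresses from appearing on the port, for example a newly spun-up VM, but a VM whose MAC is on the allowed list can still scan, so it complements rather than replaces an IP-level ACL.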

These are both good answers and hobbe, you raise some valid points. We are pretty siloed here but in spite of that roles are not really well defined. Theoretically this should not fall into this person's purview, but that doesn't mean it is against policy. I need to look into that some more.

Meanwhile the methods discussed in both solutions are valuable for learning even if I don't get to deploy. Off to read and study now! Thanks for the direction.