EEVblog Electronics Community Forum

General => General Technical Chat => Topic started by: Delta on November 21, 2017, 02:30:02 am

Title: RasPi as three-way router / Ethernet bridge?
Post by: Delta on November 21, 2017, 02:30:02 am
At work all access to the office network is very tightly controlled by the I.T. dept.  Each interface on a switch (each physical port) will only allow one specific MAC address to connect.  (I tried swapping the cables over for my and my colleague's PCs to tidy things up, the switch wouldn't let either PC connect, as they were in the "wrong" ports, that's how micromanaged things are!)

If I spoof the MAC address of my desktop PC, then the switch will accept another device, and the network will assign it the same IP address as it assigns the desktop PC.
I have to do this every time I need to connect the Toughbook to the internet, and of course whilst doing this I can't use the desktop PC.
The desktop PC will connect to anything, not just its designated switch.  (i.e. I have connected it directly to laptops for testing and stuff)

I would like to do something like my attachment, using a RasPi and a couple of USB-Ethernet dongles.  Network throughput (or lack thereof) is not a concern.

As per my crap diagram, let's say the desktop PC has MAC address aa:aa:aa:aa:aa:aa, and is always assigned IP address 11.11.11.11 by DHCP.
eth0 on the RasPi would therefore have to have its MAC address spoofed to aa:aa..., and will therefore be assigned 11.11.11.11 as the network just thinks it is the desktop PC.
eth2 can have its default MAC address, and a static IP address of 192.168.x.x, we can set the Toughbook up as 192.168.x.y and all will be well.
eth1 however, will have to be given a static IP address of 11.11.11.12, and will see the desktop PC with its MAC address of aa:aa... and must run DHCP to assign it an IP address of 11.11.11.11, this is the same IP address as eth0 is using!
I am not sure if the desktop PC needs to be assigned the exact same IP address as it would get were it connected to the switch normally, but I would be happier if it did.

Is this at all possible, or is it just not possible to have one device talking to something with the same IP address as itself, even though they are on different physical interfaces?

Does this rambling post even make sense?

PS.  Asking I.T. to let us connect our bloody field laptop to "their" precious network is an absolute non-starter.  Utterly ridiculous, but what do us mere technicians know, eh?
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: GreyWoolfe on November 21, 2017, 03:05:59 am
Sorry, but if it were me, my footprints would be all over their foreheads as I went as far over their heads as needed to make sure I can do my job efficiently.  As it is, I am very fortunate to have a stellar IT department, I have received phone calls after hours on their time to see what they can do to help.  The IT people do not own "their precious network", the company does and they do answer to bosses.
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Monkeh on November 21, 2017, 03:45:19 am
You really really really don't want to head down that road.

Can you enable ICS on the PC?
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Mr. Scram on November 21, 2017, 04:31:34 am
You don't want to be the guy responsible for any kind of breach, even if you can't help it in any way. You make yourself a huge target by doing this.

Besides, you don't want to be on the bad side of the IT department. They can make things very complicated if they want to.
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Halcyon on November 21, 2017, 04:32:02 am
They are obviously using port security for a reason. Keep in mind, it may not just be limited to MAC address either. 802.1x authentication allows the infrastructure to verify all kinds of parameters of the client device. For example at work, if the antivirus software or USB encryption is disabled, it won't allow you onto the network.

Have you spoken to your IT department about your issues? Perhaps you can reach some middle-ground without violating your company's IT policies and potentially putting yourself and company at risk.

Yes, it's possible to do what you plan to do, but it's also possible for you to get caught. I know it's not the answer you want to hear, but perhaps if talking to IT directly doesn't work, escalate it up through your manager in writing and make a business case for it. If it's preventing you from working efficiently then there's probably little reason to knock your request back. Yes, it'll probably have to go through various checks and balances to ensure security isn't compromised, but that's part of their job. Having worked for Government for a long time, if I can get local Administrator rights on a network of 100,000+ clients even though I don't work in IT, I don't see this being so difficult to achieve.
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Delta on November 21, 2017, 05:07:15 am
Having had a proper think about this, and having read the replies, I do now realise that this is a pretty dumb idea.

I will put a case to I.T. for the "business need", as that is clearly the proper way to get this sorted.
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Halcyon on November 21, 2017, 06:03:39 am
The simple solution would be to give you a second port for your laptop, provided it's part of their SOE. If it's your own personal laptop, then I can see them saying no pretty quickly (and rightfully so, I would too). I know BYOD (Bring Your Own Device) was marketed as the next best thing a while ago, but it's a terrible idea and a security nightmare.

I work on networks which are highly sensitive and there is no way we would even allow some of our SOE machines (hand-picked and implemented by us) on those networks after they've been connected to the internet (even if it's just for a moment). They all get wiped and re-built before they touch the protected network (which has no access whatsoever to the world outside the floors which occupy our specific department). Not even offline data on flash drive or other media leaves the building (unless very specific protocols are met).
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Berni on November 21, 2017, 06:18:48 am
Well the IT probably wouldn't be very happy about that Raspberry Pi being there.

There is an easier way of doing this. Just route your network through the desktop PC. All you need is a 2nd network card and a few clicks in Windows to tell it to share the internet on one network port on the other network port.

If you do need it to work even when the desktop PC is off then you can probably just bring your own router and run all your stuff through that. The WAN port on a router acts on the network pretty similar to a PC. Though most cheap home routers probably don't let you change the MAC address of that WAN port (So likely needs one that runs DD-WRT or a more professional grade router).
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Jeroen3 on November 21, 2017, 06:44:28 am
Besides bypassing IT and their security, an RPI is the worst possible device for network gear since the network port is USB based.

Get a small Mikrotik box instead, looks like you just need masquerade.
Else just get a hub and duplicate MAC. (yes, this works, but the switch will notice)
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: ConKbot on November 22, 2017, 05:06:21 pm
If the network is that secured, you're well into the corporate blame game territory.  Submit a request for more network drops, and if it's preventing you from working because they are slow, you get to bitch up the chain of command that they are keeping you from working.

Sure you could throw a router on with NAT, your PC in a DMZ, and if you get it to trick port authentication, then you have 2-3 unsecured ports sitting there waiting for any dilbert to screw stuff up for you.  I've seen an entire floor get taken down when someone plugged a router in to use as a switch. DHCP wasn't disabled, power went out, and when it came back the router booted up first, before other switches, and became the DHCP server for the floor.

IT was "wait what?" when someone read off their IP over the phone as a 192.168.0.x address, and someone got sent out.

Play the blame game "I'm trying to comply but it's still causing problems"
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Mr. Scram on November 22, 2017, 05:16:23 pm
Yes, be the guy blaming, rather than the guy being blamed. If you do it without IT consent, rather than changing their strict ways, you give them a reason to be strict and kick your behind for it. If you're unlucky they need an example. You don't want to be the example.
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Halcyon on November 22, 2017, 09:19:20 pm
> Yes, be the guy blaming, rather than the guy being blamed. If you do it without IT consent, rather than changing their strict ways, you give them a reason to be strict and kick your behind for it. If you're unlucky they need an example. You don't want to be the example.

Correct. The reason these types of policies exist in corporate environments is because some gumby has had a crack at doing things themselves in the past. If you expose a loophole in IT security, they'll just turn the screws tighter and you'll be watched closely.
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Brumby on November 23, 2017, 01:46:32 am
I have had many years in corporate IT financial systems - and the one comfort I have always appreciated is the lack of access I have had to many systems - even some elements of the systems I worked with.

If I don't have access, I can't be blamed if something goes wrong.

Having access to everything is not a badge of honour - it's a target.
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Mr. Scram on November 23, 2017, 01:56:09 am
> I have had many years in corporate IT financial systems - and the one comfort I have always appreciated is the lack of access I have had to many systems - even some elements of the systems I worked with.
>
> If I don't have access, I can't be blamed if something goes wrong.
>
> Having access to everything is not a badge of honour - it's a target.

I consider it a very quick but comprehensive test to establish what people are made of, in IT, law enforcement and elsewhere. Do they continually want more privileges or access than they have, or do they strive to minimize their own access, and to uphold the boundaries, to protect the greater good?

That's not even from a blame game perspective, though that certainly plays a role too. A simple example would be people sharing physical keys, access codes or account credentials with you. I don't want to know, and expect you to take appropriate action if you know I know. I'm not taking on your responsibilities too.
Title: Re: RasPi as three-way router / Ethernet bridge?
Post by: Brumby on November 23, 2017, 02:37:51 am
You have drawn my point out with other aspects that I also appreciate.

My post was meant to be quite stark, so as to highlight one key factor that anyone could "get".

Appreciation for "the greater good" is nowhere near as evocative as self-preservation.