Q

Steps for investigating potential switch compromise

Hi Luis, I found that one of my switches (ProCurve 4000) - using Network Inspector from Fluke Networking - had very high utilization, more than 80% on a 1 GB link. At the same time I realized that the switch belonged to some "fake" IPX address, and it also lost all its passwords. Was the switch compromised?

Dear Jeff: Sorry to hear about the password loss on your HP ProCurve 4000 switch. I noticed that the switch supports IPX packets, so it is most likely an internal (private) switch, unless it was configured with an IP address and connected to the Internet (to support your perimeter router or firewall). If the latter is the case, then your switch was probably compromised from outside; if the former is true, then you have more security issues to worry about than the compromise of a single switch. In other words, you have some investigating to do, and depending on your role, you may want to propose the following actions or take the necessary steps:

(Keep in mind that there may be password dependencies.)

  • Identify who had knowledge of the switch passwords or access to your password list(s), without pointing your finger.
  • Plan to change the admin & supervisor passwords across your network - especially if you haven't changed your passwords in a while - and limit password distribution to two network administrators only.
  • Closely monitor physical and remote access to your switch in question; e.g., check port activity, ARP table, and traffic load.
  • Check your firewall, router, server, VPN server, dial-up server, and switch logs regularly for unusual probes to your network; begin with the valid IP address of your switches.
  • Apply any necessary firmware patch/updates or hotfixes.
  • Lock your NetWare file server console using LOAD MONITOR (for 4.x) or run SCRSAVER.NLM (for 5.x).

It is also possible that someone in your group inadvertently reset the switch configuration and attempted to rebuild it, or that a faulty network card is the source of your high utilization, or that there is a bug with that particular switch. In any case, you'll want to contact HP to find out about the "fake" IPX address and explore some scenarios with them. You'll also want to contact Fluke Electronics and report this incident.

I hope this provided the information you were seeking, and that you find your first weak link in your network.
Take care,
Luis
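Two of the steps above (monitoring the switch's ARP table and checking firewall logs for probes against the switch's management IP) can be turned into a small repeatable check. The script below is an added example written for this page, not code from the original answer, HP or Fluke. It assumes a constructed switch management IP (10.0.0.2), a constructed ARP baseline, a list of hosts that legitimately administer the switch, and a generic syslog-style firewall log format with `src=`, `dst=`, `proto=` and `dpt=` fields; the sample log lines are constructed for the example.

```python
"""Added example (not from the original post): diff a switch's ARP table
against a saved baseline, and flag sources that probe the switch's
management IP in firewall logs."""
import re

# Assumption: management IP(s) of the switches being watched (constructed).
SWITCH_MGMT_IPS = {"10.0.0.2"}

# Assumption: hosts from which administrators normally reach the switch.
ADMIN_HOSTS = {"10.0.0.10"}

# Constructed baseline of the switch's ARP table: ip -> (mac, port).
# In practice this is saved from the switch when it is known to be healthy.
ARP_BASELINE = {
    "10.0.0.2": ("0001.e6aa.bb01", "local"),
    "10.0.0.10": ("0050.04cc.dd10", "A1"),
    "10.0.0.11": ("0050.04cc.dd11", "A2"),
}

# Constructed firewall log lines in a generic syslog-like format (assumption:
# the real firewall's format will differ and the regex must be adapted).
SAMPLE_LOGS = """\
Aug  5 02:14:01 fw kernel: DROP IN=eth0 src=198.51.100.7 dst=10.0.0.2 proto=TCP dpt=23
Aug  5 02:14:02 fw kernel: DROP IN=eth0 src=198.51.100.7 dst=10.0.0.2 proto=TCP dpt=80
Aug  5 02:14:02 fw kernel: DROP IN=eth0 src=198.51.100.7 dst=10.0.0.2 proto=UDP dpt=161
Aug  5 02:14:03 fw kernel: DROP IN=eth0 src=198.51.100.7 dst=10.0.0.2 proto=TCP dpt=22
Aug  5 09:00:00 fw kernel: ACCEPT IN=eth1 src=10.0.0.10 dst=10.0.0.2 proto=TCP dpt=23
Aug  5 09:30:00 fw kernel: ACCEPT IN=eth1 src=10.0.0.10 dst=10.0.0.50 proto=TCP dpt=445
"""

# Extract the four fields we need; the timestamp and action are left alone.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dpt=(?P<dpt>\d+)"
)


def diff_arp(baseline, current):
    """Return [(ip, reason)] for every ARP entry that differs from the baseline.

    A changed MAC for a known IP, an entry that moved to another port, a new
    entry, or a vanished entry are all worth a look when a switch misbehaves."""
    findings = []
    for ip, (mac, port) in current.items():
        if ip not in baseline:
            findings.append((ip, f"new entry {mac} on port {port}"))
        elif baseline[ip][0] != mac:
            findings.append((ip, f"MAC changed {baseline[ip][0]} -> {mac}"))
        elif baseline[ip][1] != port:
            findings.append((ip, f"port moved {baseline[ip][1]} -> {port}"))
    for ip in baseline:
        if ip not in current:
            findings.append((ip, "entry disappeared"))
    return findings


def find_probes(log_text, switch_ips, admin_hosts, min_ports=3):
    """Return {src: sorted ports} for sources that touched a switch management
    IP and are either not an admin host or hit at least min_ports distinct
    ports (a sweep), regardless of whether the firewall dropped the packet."""
    ports_by_src = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["dst"] not in switch_ips:
            continue
        ports_by_src.setdefault(m["src"], set()).add(int(m["dpt"]))
    return {
        src: sorted(ports)
        for src, ports in ports_by_src.items()
        if src not in admin_hosts or len(ports) >= min_ports
    }


if __name__ == "__main__":
    # Constructed "current" ARP table: one MAC changed, one unknown host appeared.
    current_arp = dict(ARP_BASELINE)
    current_arp["10.0.0.11"] = ("00aa.bb00.cc11", "A2")
    current_arp["10.0.0.99"] = ("00de.ad00.beef", "B3")
    for ip, reason in diff_arp(ARP_BASELINE, current_arp):
        print(f"ARP {ip}: {reason}")
    for src, ports in find_probes(SAMPLE_LOGS, SWITCH_MGMT_IPS, ADMIN_HOSTS).items():
        print(f"probe from {src} on ports {ports}")
```

Run against the constructed data it reports a changed MAC for 10.0.0.11, a new entry for 10.0.0.99, and an external source sweeping telnet, HTTP, SNMP and SSH on the switch's management IP, while the administrator's single telnet session is ignored. The baseline comparison is only as good as the baseline, so save the ARP and port tables from each switch while it is known to be healthy, and extend `ADMIN_HOSTS` and the regex to match your own environment.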

This was first published in August 2002