
Steps for investigating potential switch compromise

Hi Luis,
I found that one of my switches (ProCurve 4000) - using Network Inspector from Fluke Networking - had very high utilization - more than 80% on a 1 GB link. At the same time I realized that the switch belonged to some "fake" IPX address, and on top of that it lost all passwords. Was the switch compromised?
Dear Jeff:
Sorry to hear about the password loss on your HP ProCurve 4000 switch. I noticed that the switch supports IPX packets, so it is most likely an internal (private) switch, unless it was configured with an IP address and connected to the Internet (to support your perimeter router or firewall). If the latter is the case, then your switch was probably compromised from outside; if the former is true, then you have more security issues to worry about than the compromise of a single switch. In other words, you have some investigating to do, and depending on your role, you may want to propose the following actions or take the necessary steps:

(Keep in mind that there may be password dependencies.)

  • Identify who had knowledge of the switch passwords or access to your password list(s), without pointing your finger.
  • Plan to change the admin & supervisor passwords across your network - especially if you haven't changed your passwords in a while - and limit password distribution to two network administrators only.
  • Closely monitor physical and remote access to your switch in question; e.g., check port activity, ARP table, and traffic load.
  • Check your firewall, router, server, VPN server, dial-up server, and switch logs regularly for unusual probes to your network; begin with the valid IP address of your switches.
  • Apply any necessary firmware patch/updates or hotfixes.
  • Lock your NetWare file server console using LOAD MONITOR (for 4.x) or run SCRSAVER.NLM (for 5.x).

It is also possible that someone in your group inadvertently reset the switch configuration and attempted to rebuild it, or that a faulty network card is the source of your high utilization, or that there is a bug with that particular switch. In any case, you'll want to contact HP to find out about the "fake" IPX address and explore some scenarios with them. You'll also want to contact Fluke Electronics and report this incident.

I hope this provided the information you were seeking, and that you find your first weak link in your network.
Take care,
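The monitoring steps in the answer (port activity, ARP table, traffic load, and log review) can be turned into a small triage script. This is an added example, not part of the original column; the port samples, ARP tables and log lines are constructed, and the log message formats are assumed rather than taken from any real ProCurve firmware.

```python
import re

# Constructed sample data (not from the original page).
UTIL_THRESHOLD_PCT = 80.0  # the "more than 80%" figure raised in the question

# (port, link speed in Mbps, received Mbps, transmitted Mbps) from a poll interval
PORT_SAMPLES = [
    ("A1", 1000, 860.0, 120.0),   # busy uplink on a 1 Gb link
    ("A2", 1000, 20.0, 15.0),
    ("B5", 100, 2.0, 3.0),
]

# ARP table recorded when the switch was known-good, versus the table seen now
BASELINE_ARP = {"10.0.0.1": "00-11-22-33-44-01", "10.0.0.20": "00-11-22-33-44-20"}
CURRENT_ARP = {"10.0.0.1": "00-11-22-33-44-01", "10.0.0.20": "00-aa-bb-cc-dd-ee",
               "10.0.0.77": "00-11-22-33-44-77"}

# Constructed syslog-style lines; message wording is assumed, not vendor-exact
LOG_LINES = [
    "Jul 31 02:14:07 sw-core-1 mgr: Authentication failure on console",
    "Jul 31 02:14:31 sw-core-1 mgr: Configuration reset to factory defaults",
    "Jul 31 02:20:02 sw-core-1 ports: port A1 is now on-line",
]
SUSPICIOUS = re.compile(r"Authentication failure|reset to factory|password changed", re.I)


def utilization_pct(link_mbps, rx_mbps, tx_mbps):
    """Full-duplex utilization: measure against the busier direction."""
    return 100.0 * max(rx_mbps, tx_mbps) / link_mbps


def hot_ports(samples, threshold=UTIL_THRESHOLD_PCT):
    """Ports at or above the utilization threshold, with their percentage."""
    return [(port, round(utilization_pct(link, rx, tx), 1))
            for port, link, rx, tx in samples
            if utilization_pct(link, rx, tx) >= threshold]


def arp_anomalies(baseline, current):
    """Hosts that appeared since the baseline, or whose MAC changed (duplicate IP / spoof)."""
    findings = []
    for ip, mac in current.items():
        if ip not in baseline:
            findings.append(("new-host", ip, mac))
        elif baseline[ip] != mac:
            findings.append(("mac-changed", ip, mac))
    return findings


def suspicious_log_lines(lines):
    """Log lines that indicate failed logins, configuration resets or password changes."""
    return [line for line in lines if SUSPICIOUS.search(line)]
```

Run all three checks on each polling cycle and compare against the previous snapshot; a sustained hot port together with a changed MAC or a reset event is the combination worth escalating.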

This was last published in August 2002
