Tracking the hardware network address of Ethernet devices can be a daunting task for an enterprise network operations group. The ability to track Ethernet (or MAC) addresses can have tremendous value for tracking changes to the network, user activity and access control. This situation can be exacerbated in a dynamic IP address environment.
Over the years I've spoken with many different customers who used scripts and other techniques to crawl switches, sniffers, agents to scour their network to keep their list of MAC addresses up to date. Each of these usually worked well, but the data ended up in only one organization's solution and often, these solutions didn't detect changes in real time.
This blog entry describes the various methods that can be used with a Tenable Unified Security Monitoring solution to collect and track Ethernet address information from scans, network monitoring devices and log analysis tools.
Scanning and Credentialed Audits
Nessus vulnerability scans will discover the Ethernet address of a remote host under the following conditions:
- the host is in the same collision domain as the scanner AND an ARP 'ping' is enabled
- the remote host is Windows AND it can be queried for its MAC address through SMB (plugin #10150)
- the host is being scanned with credentials AND it is a Linux or Windows computer
- Plugin #10551 attempts to enumerate all network interfaces via SNMP
- Plugin #33276 (Enumerate MAC Addresses vis SSH) logs the MAC address from credentialed UNIX scans
It's important to realize in these audits that sometimes a host may have multiple addresses if it is running more than one hardware or virtual interface. Also, for credentialed testing, Nessus only logs the Ethernet address of the primary network interface. Below is a screen shot from a Nessus Client showing the scan results of plugin 10150:
If you run a tool like the Security Center, the MAC addresses obtained by Nessus scans can be used for filtering and asset list creation. For example, you could use the MAC prefix assigned to Cisco devices to automatically create a dynamic asset list of all Cisco devices. Below is a zoomed in screen shot of MAC addresses being displayed under the Security Center:
As you can see, not all IP addresses have had their MAC addresses identified. This could be because the device was in a different VLAN, wasn't scanned with credentials, or was not a Windows, OS X or Linux device. MAC addresses can also be used in a search field so that you can immediately discover the vulnerabilties and configuration of a host with with just its MAC address.
Passive Network Monitoring
The Passive Vulnerability Scanner (PVS) will log the MAC address of any "New Host" that is discovers. This is an excellent way to look for changes in DMZs, server farms and other locations where you don't normally get a new host that often.
Below is a screen shot of some New_Host event logs from the PVS as seen under the Log Correlation Engine:
When reporting a new host, the PVS will log the Ethernet address of the IP packets it sees. If your PVS is deployed on the perimeter of your network, such as if it were monitoring all inbound and outbound traffic, then the MAC address logged will likely be that of your firewall, router or NAT device. Deploying the PVS on the span port of a core switch or router is an effective method for sniffing unique MAC addresses.
If your network generates logs from the use of DHCP, arpwatch, the Passive Vulnerability Scanner and other sources that contain Ethernet addresses, the Log Correlation Engine (LCE) can be used to parse these and generate alerts when new hardware addresses become active. For example, consider the following arpwatch logs:
Jun 23 19:05:45 localhost arpwatch: new station 192.168.20.207 0:c:29:dc:e7:ad
Jun 23 19:05:45 localhost arpwatch: new station 192.168.20.12 0:11:43:fd:73:33
Not only is arpwatch letting us know it found a new host, it has also logged the MAC address.
The new_mac.tasl TASL script for the Log Correlation Engine will automatically track a wide variety of log sources from various Unix, Windows and network devices. When it gets a log, it will extract the MAC address and then compare it to a list of previously discovered MAC addresses and issue an alert if a new one has been found. Below is a screen shot of what this looks like when viewed under the Security Center:
Notice that the original log message is retained and that the vendor prefix of the MAC address has been used to identify the vendor. This can help identify if there was a new VM, a new router or simply a new laptop that has been added to the network.
Tenable has also extended this concept further with automatic recognition of usernames and associating them to their MAC addresses. The user_to_mac.tasl TASL script watches DHCP logs as well as authentication logs to build and associative array of usernames and MAC addresses. We've blogged about this concept in depth previously. The feature is extremely useful to detect changes in a user's behavior, such as logging in from another user's computer or using a new laptop.
For More Information
The following previous blog posts will likely be of interest to readers: