access to the backbone. This is traditionally something that the network folks aren't really keen on. Right now, their main worry is off-site hackers since they tend to have the local machines locked down. Off-site links are a lot easier to deal with since you can drop a filter on a T1 with no real speed hit. 10MB and above can cause a serious loss of throughput, although some newer flow-based algorithms can reduce that a lot. With RESNET, they now have a bunch of unknown kids with root access to their (own, local) machine on a LAN who know all about their security by obscurity. That is usually a pretty big mental shift for them and they don't want to consider (budget!) costly consequences until someone holds a gun to their head. If the RESNET hacker doesn't become the squeaky wheel then they can get away with a lot.

Unlike slow WAN situations, high-speed LAN access can cause some problems for security. Any firewall or other bottleneck is going to stick out like a sore thumb when you have 500+ switched-10 connections trying to go through it. If you get a high-performance firewall or a lot of low-performance firewalls working in tandem, you're going to add cost which the housing folks aren't going to like. The network folks will have wanted to keep their options open, but they're probably not going to have a filter in place when people start hyping about all the cool things they're doing for the students. Bandwidth, much like disk space, tends to get filled to capacity very quickly. If they don't put a firewall in place quickly, people aren't going to want it for the added expense or the bottleneck.

You may think these non-decisions are obvious, but paper-pushers are a different breed, especially when their money is involved. They seem perfectly happy to be reactive and fix a problem after they get hit. Up-front cost is everything, and long-term savings don't mean a whole lot when you're living year-to-year on a budget. The obvious analogy of standing on the train track and getting off before or after the train goes by is totally lost on them.

What tools do they have to track you down? Potentially lots. It really depends on the hardware they're using, their competence, and the tools they have available to them. The easiest bit of information they'll have is your IP address, since anyone who noticed will log that these days. If it is on the other side of a router, your MAC will be unavailable. If you registered with DHCP, they'll quickly track you down and turn off your port. They may be able to blacklist your NIC so you can't use it in any port. That would be inconvenient.

Depending on their router setup, they'll typically know what network segment you're on (host routes and source routes don't work too well in the modern LAN, but you never know). In your average RESNET, those tend to start out big (a building) and narrow down as required. If you haven't left a permanent record (registered) or they're not strict about what MACs are used on any given port, they pretty much have to catch you real-time by looking at ARP entries on the nearest router and bridging tables on the switches (to find out what port a MAC address is behind).

One of the security options some switches have is the ability to lock a port to one MAC address. If you're hacking with a fixed MAC on a locked port, the hunt is going to be pretty short. In your favor are convenience (public access areas, that they can't lock to one MAC) and laziness (if they have to unlock a port every time it locks, some human is going to be bored out of their mind). A few late night calls saying your port got locked for no good reason might convince an RA that it is more trouble than it is worth.

Routers are a small problem since they are passive learners and will hold onto ARP addresses long after they're out of use (10+ minutes). Switches are a little easier since they tend to clear their MAC tables when the port loses link. Do the dirty deed and drop the link. They're going to have a hard time finding out what port the MAC was behind.

Some SNMP-ready switches can send a "TRAP" to an SNMP management station when a port comes up and down. This is usually disabled by default since it generates a lot of traffic and notifications managers normally don't care about. Some of the clever RESNET sites look for the link-up TRAP and then start probing for MAC addresses periodically on that port. This is a pretty good proactive way of doing it. The ways they might probe are pretty custom since it usually requires someone fairly competent to set it up, so a little inside knowledge will work wonders. If they only probe once at some interval after the link comes up, you only have to wait it out and then send your traffic. If they
Page 28 2600 Magazine Fall 1998
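
The last two paragraphs above describe two gaps on the operator's side: a switch forgets a MAC once the port loses link, and a single probe after link-up can miss a host entirely. As an added example (not from the article), the sketch below keeps the history off the switch by correlating link traps with repeated bridge-table polls, and flags link sessions in which no MAC was ever observed. The event format, names and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the article): (unix_time, kind, switch, port, mac)
# "linkup"/"linkdown" stand for received link traps; "fdb" is one bridge-table poll hit.
EVENTS = [
    (1000, "linkup",   "sw-a", 7,  None),
    (1030, "fdb",      "sw-a", 7,  "00:a0:c9:11:22:33"),
    (1090, "fdb",      "sw-a", 7,  "00:a0:c9:11:22:33"),
    (1100, "linkdown", "sw-a", 7,  None),
    (2000, "linkup",   "sw-b", 12, None),
    (2045, "linkdown", "sw-b", 12, None),   # link gone before any poll saw a MAC
    (3000, "linkup",   "sw-a", 9,  None),
    (3030, "fdb",      "sw-a", 9,  "00:a0:c9:11:22:33"),
]

def build_history(events):
    """Return (sightings, blind): per-MAC port sessions, and link sessions with no MAC seen."""
    sightings = defaultdict(list)   # mac -> [{switch, port, first, last}]
    open_links = {}                 # (switch, port) -> {"up": ts, "macs": set()}
    blind = []
    for ts, kind, sw, port, mac in sorted(events, key=lambda e: e[0]):
        key = (sw, port)
        if kind == "linkup":
            open_links[key] = {"up": ts, "macs": set()}
        elif kind == "fdb":
            link = open_links.setdefault(key, {"up": ts, "macs": set()})
            link["macs"].add(mac)
            runs = sightings[mac]
            same_port = bool(runs) and (runs[-1]["switch"], runs[-1]["port"]) == key
            if same_port and runs[-1]["first"] >= link["up"]:
                runs[-1]["last"] = ts          # same link session: extend it
            else:
                runs.append({"switch": sw, "port": port, "first": ts, "last": ts})
        elif kind == "linkdown":
            link = open_links.pop(key, None)
            if link is not None and not link["macs"]:
                blind.append((sw, port, link["up"], ts))   # polling never caught a MAC
    return dict(sightings), blind

def locate(sightings, mac, ts):
    """Last recorded (switch, port) for mac at or before ts, taken from stored history."""
    seen = [r for r in sightings.get(mac, []) if r["first"] <= ts]
    return (seen[-1]["switch"], seen[-1]["port"]) if seen else None
```

Entries in `blind` are the sessions worth reviewing: they show where the poll interval is longer than a link's lifetime, which is the case for polling more than once after each link-up.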