Open for Voting

UDT Known devices on Approved networks

It would be helpful for UDT to not only change a device from Rogue to Known but also to record which networks that device has been approved for.  Here is an example:

First, define your networks; most often they are separated by VLAN or firewall.  For example, if we have Business, Security, and Process networks, they might be defined as:

Network Group   Network Name   IP             Subnet
0               Business       172.19.0.0     255.255.0.0
0               Business       192.168.0.0    255.255.0.0
1               Security       10.242.0.0     255.255.0.0
2               Process        10.252.0.0     255.255.0.0
2               Process        10.253.0.0     255.255.0.0

After the networks have been defined, when you find a Rogue device that needs to be approved as Known you would also assign it to one or more networks.  The key for each device is its MAC address: it does not change when the IP address changes, and it is still available when a DNS name is not.  So, for example, if you have identified 00:15:5D:14:37:45 as a rogue computer that should in fact be approved to connect to both the Business and Security networks, you would have an entry for it in the known device table.  See below:

If you have another device, identified as 00:05:1E:A6:43:9B (a Brocade device), that should be Known but only on the Process network, you would add it to the known device table as well.  See below.

Known Device Table

MAC                 Network Group   Alert
00:15:5D:14:37:45   0
00:15:5D:14:37:45   2
00:05:1E:A6:43:9B   1               True

The Known Device table would allow the computer to be connected to either the Business or Security network (Network Group 0 or 1) but would show an alert if the computer's MAC was found on the Process network (Network Group 2).  The same is true for the Brocade device; however, with Alert set to true, if the device is found on a non-approved network it would also send a notification as defined.

This would allow you to produce reports of known devices on approved networks, and to alert or send a notification any time a device, even one that has been approved, is moved to a different network where it could add risk to your environment.  An example: Target.  Their POS was compromised via the HVAC system.  At some point a device that was not approved was connected to that network, and in turn that allowed the POS network to be hacked.

With this change we would be able to track devices as both Known and Network Approved.  Many of us have other networks where we are not directly responsible for the devices, yet we still need to ensure that ALL devices that remain active stay on the approved network for which the device is known.

Thanks for your consideration.

P.S. The reverse could also be done with a blacklist: when you find a device (a home computer, say) on your network and remove it, you want to be notified if it plugs into your network again in the future.
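Added example, not UDT's code and not from the original post: a small Python model of the two tables above, using the network groups as the text describes them (the computer approved on Business and Security, the Brocade device on Process only) plus the blacklist idea from the P.S.; the sightings, the blacklisted MAC, and the treatment of rogue devices as alert-but-no-notification are constructed assumptions.

```python
import ipaddress
from typing import Dict, FrozenSet, List, Optional, Tuple

# Network group table from the post: group id -> subnets (netmask notation, as listed).
NETWORK_GROUPS: Dict[int, List[ipaddress.IPv4Network]] = {
    0: [ipaddress.ip_network("172.19.0.0/255.255.0.0"),
        ipaddress.ip_network("192.168.0.0/255.255.0.0")],  # Business
    1: [ipaddress.ip_network("10.242.0.0/255.255.0.0")],   # Security
    2: [ipaddress.ip_network("10.252.0.0/255.255.0.0"),
        ipaddress.ip_network("10.253.0.0/255.255.0.0")],   # Process
}

# Known device table: MAC -> (approved network groups, send notification on mismatch).
KNOWN_DEVICES: Dict[str, Tuple[FrozenSet[int], bool]] = {
    "00:15:5D:14:37:45": (frozenset({0, 1}), False),  # computer: Business + Security
    "00:05:1E:A6:43:9B": (frozenset({2}), True),      # Brocade device: Process only, Alert=True
}

# Blacklist from the P.S.: devices removed in the past that must never reappear.
BLACKLIST = {"AA:BB:CC:DD:EE:01"}  # constructed placeholder MAC


def group_for_ip(ip: str) -> Optional[int]:
    """Return the network group whose subnet contains ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for group, nets in NETWORK_GROUPS.items():
        if any(addr in net for net in nets):
            return group
    return None


def classify(mac: str, ip: str) -> dict:
    """Classify one (MAC, IP) sighting: approved, known but on the wrong network, rogue, or blacklisted."""
    mac = mac.upper()  # MAC is the key; normalise case so the lookup is stable
    group = group_for_ip(ip)
    if mac in BLACKLIST:
        return {"status": "blacklisted", "group": group, "alert": True, "notify": True}
    if mac not in KNOWN_DEVICES:  # never approved: UDT's existing Rogue category (assumed: alert only)
        return {"status": "rogue", "group": group, "alert": True, "notify": False}
    approved, notify = KNOWN_DEVICES[mac]
    if group in approved:
        return {"status": "known-approved", "group": group, "alert": False, "notify": False}
    # Known device seen on a non-approved (or undefined) network: always alert, notify per the Alert flag.
    return {"status": "known-wrong-network", "group": group, "alert": True, "notify": notify}


def evaluate(sightings: List[Tuple[str, str]]) -> List[Tuple[str, str, dict]]:
    """Run classify() over a batch of constructed sightings, e.g. from switch port / ARP polling."""
    return [(mac, ip, classify(mac, ip)) for mac, ip in sightings]
```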

  • This is similar to

    I need this feature too!

    One of our networks is tightly secured, while other networks are less tight.

    It would be a real security issue if one device moved from our less tightly controlled networks to our highly secured network.

    That's what we want UDT to be able to alert us on.

    Is this not an issue for a lot of enterprises?