MAC Address Tracking

The FireRack FMS can track the movement of computers around a network by tracking the movements of their MAC addresses.

This feature is useful on any network where users are very mobile or where MAC and IP address spoofing is a problem.

When this feature is combined with FireRack's MAC-IP registration database, it becomes possible to track IP addresses (and individual users) down to individual switch ports. The overall objective is to prevent identity theft on the network and ensure that users can be held accountable for their actions on the network.

How it works

The FireRack FMS Switch Management Module is responsible for managing the switches on the network. It does this using the SNMP protocol, and it currently supports 3Com, Cisco, Allied Telesyn and Dynamode switches. With MAC Address tracking enabled, it will periodically connect to each switch (or managed hub) on the network and harvest lists of MAC addresses that have been seen on each of the ports.

This information is written to the database on the FMS.

Why it is useful

Network administrators can query this database to discover:

  1. A history of the movements of a given MAC Address
  2. The history of all MAC Addresses seen on a given switch port

This data can be held for weeks, months or years depending on the size of the network and the policies laid down by the network administrator.
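The two queries listed above, as an added example that is not FireRack's own code or schema: harvested sightings are stored in a SQLite table and read back as a per-MAC movement history and a per-port history. A third query, which goes beyond the page's list, flags a MAC reported on two ports in the same poll, one thing an administrator might check where spoofing is a concern. The table layout, function names and sample data are assumptions.

```python
import sqlite3

# Constructed sample: (poll_time, switch, port, mac) rows such as a poller
# might harvest from access ports. All names and addresses are made up.
T = "2024-01-10 "
A, B = "02:00:00:00:00:01", "02:00:00:00:00:02"
POLLS = [
    (T + "09:00", "sw-a", 3, A), (T + "09:00", "sw-a", 4, B),
    (T + "09:05", "sw-a", 3, A), (T + "09:05", "sw-a", 4, B),
    (T + "09:10", "sw-b", 7, A), (T + "09:10", "sw-a", 4, B),  # A moved
    (T + "09:15", "sw-b", 7, A), (T + "09:15", "sw-a", 4, B),
    (T + "09:15", "sw-a", 9, B),  # B on two ports in the same poll
]

def load(polls):
    """Write harvested sightings to an in-memory database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sighting (seen TEXT, switch TEXT, port INTEGER, mac TEXT)")
    db.executemany("INSERT INTO sighting VALUES (?, ?, ?, ?)", polls)
    return db

def mac_history(db, mac):
    """Movements of one MAC as (switch, port, first_seen, last_seen) stays."""
    rows = db.execute("SELECT seen, switch, port FROM sighting WHERE mac = ? "
                      "ORDER BY seen, switch, port", (mac,))
    stays = []
    for seen, switch, port in rows:
        if stays and stays[-1][:2] == (switch, port):
            stays[-1] = (switch, port, stays[-1][2], seen)  # extend current stay
        else:
            stays.append((switch, port, seen, seen))  # new location, new stay
    return stays

def port_history(db, switch, port):
    """Every MAC seen on one switch port, with first and last sighting."""
    return db.execute(
        "SELECT mac, MIN(seen), MAX(seen) FROM sighting "
        "WHERE switch = ? AND port = ? GROUP BY mac ORDER BY MIN(seen)",
        (switch, port)).fetchall()

def duplicate_macs(db):
    """MACs reported on more than one port in a single poll cycle."""
    ports = "COUNT(DISTINCT switch || ':' || port)"
    return db.execute(
        f"SELECT seen, mac, {ports} FROM sighting "
        f"GROUP BY seen, mac HAVING {ports} > 1 ORDER BY seen").fetchall()

if __name__ == "__main__":
    db = load(POLLS)
    print(mac_history(db, A), port_history(db, "sw-a", 4), duplicate_macs(db))
```

Uplink and trunk ports legitimately see many MACs, so the duplicate check is only meaningful when the stored sightings are restricted to access ports, as the sample data assumes.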

FireRack's worm containment system can make use of the data harvested by the MAC address tracking system to isolate infected machines from the rest of the network. If a worm infection is detected on a machine, the FMS can rapidly identify the switch port that the host is on and disable or reconfigure that port.

Real-time MAC Address tracing

In addition to the systematic polling of switches described above, the FMS can also rapidly trace the path to a MAC in real-time.

This is most useful when you need to find the switch port for a known MAC seconds after it has been connected to the network. The FMS API allows third-party applications to query the location of a known MAC, which triggers real-time MAC tracing.

This system is used by the FireRack worm containment system to locate and quarantine infected machines on the network.

Switches and hubs that are supported

Currently managed switches and hubs from the following vendors are supported:

  • Cisco
  • HP/3Com
  • Netgear
  • Allied Telesyn
  • Dynamode

Just about any managed switch that supports industry standards will work with our MAC Address tracking system. Please contact us for information about supporting additional switches.

 
