Utilizing Switch Port Link State to Detect Rogue Switches

Abstract

There are many methods to detect rogue wireless access points, but the same case can not be said for rouge switches on a LAN network. Detecting these rogue switches is key to security of any organization. The introduction of a rogue unmanaged network switch has the potential to cripple a network. These types of switches pose a big risk because they are usually plug and play types of devices and can prove difficult to track. A switch becomes rouge when it is connected to a network without proper authorization. Rogue switches are a huge threat to the security and reliability of any network. An attacker could use a rogue switch to launch an attack or spy on network traffic information. Many organizations these days implement a “bring your own device” policy that can prove to be a daunting task to monitor for any network administrator. It is important that these rogue network switches are not introduced to a network, whether by accident or in a malicious attempt. The vulnerability that is introduced could comprise the confidentiality of network messages, degrade network performance, or even allow hackers or authorized users access to critical network infrastructure and data. In this paper we present a method that can help detect these rogue switches by monitoring the ethernet frames across the network and looking at the link state of the network switch ports. We will be using Wireshark, a Windows Computer, and a local switch setup to test methods for detecting a rogue switch. In our scenario we were able to provide some evidence of amethod that could be used in conjuncture with other rules and policies to detect rogue switches connected to a network. We were able to determine based on the port link state that there was another device, most likely a rogue switch between the good switch and the computer.