[PLUG] Network monitoring, arpwatch, DHCP authoritative, ? vlan ?

Karl M. Hegbloom karlheg at pdxlinux.org
Wed Dec 11 22:38:14 UTC 2002


I think that in real life, it's very unlikely that anyone would actually
go through the trouble of setting up a fake server like that.  If you
have security needs to where that's a real possibility, then I think that
site physical security should be your number one priority.  Check
everyone at the door, use chassis intrusion detection on all
workstations and servers, lock the server room door, and know who's in
the office next door (wiretapping).

If you're that paranoid, what are you doing with those computers
anyway?  Who are you afraid of?

Unless they can control the switch, and can fake the MAC address of the
server, if you ran "arpwatch" on the server, you could get a warning
when a new computer got plugged in on that network.

  http://packages.debian.org/testing/admin/arpwatch.html

I'm not certain, but I think that "arpwatch" will probably also go off
(show an IP change) in case of arp spoofing used to subvert an ethernet
switch to perform snooping on a non-broadcasting switched ethernet.
That would be a clue that someone is up to something.

Tools like "ntop", "snort", and perhaps "rmon" may also be of value
here, if you set up monitoring and watched for certain types of
anomalous events.

A way they could fake that out is to use the NIC from one of the
workstations.  That would be difficult if the attacker's fake server is
a laptop, which is the most likely case, I'd think.  It's less difficult
to sneak a laptop in than a server box, for example.

Anybody that could do this would be a VERY sophisticated attacker.
Wouldn't it be somewhat obvious if there really was somebody doing that
in your office or school lab?

If your terminal server DHCP daemon is supposed to be the only one
running, you should make it authoritative.  Perhaps then you would monitor
the network for any stray DHCP response packets, though that will not be
easy given switched ethernet.

What is "vlan", and how does it help improve security here?
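As an added example (not part of Karl's post), a small Python sketch of the two checks discussed above: an arpwatch-style IP-to-MAC tracker that reports new stations and address changes, and a filter for DHCP responses that did not come from the one authoritative server. The report names are modeled on arpwatch's messages; the MAC addresses and DHCP records are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class ArpWatcher:
    """Track IP -> MAC bindings and report changes, modeled on arpwatch's messages."""
    table: dict = field(default_factory=dict)    # ip -> MAC currently bound
    history: dict = field(default_factory=dict)  # ip -> every MAC ever seen for it

    def observe(self, ip, mac):
        """Record one ARP reply; return a report string or None if nothing changed."""
        mac = mac.lower()
        seen = self.history.setdefault(ip, set())
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is None:                 # first time this IP appears on the wire
            seen.add(mac)
            return "new station"
        if old == mac:                  # same binding as before, nothing to report
            return None
        # A MAC previously seen for this IP coming back is the spoof/recover pattern
        verdict = "flip flop" if mac in seen else "changed ethernet address"
        seen.add(mac)
        return verdict

def stray_dhcp_responses(responses, authoritative_macs):
    """Return DHCP OFFER/ACK records whose server MAC is not an approved server."""
    approved = {m.lower() for m in authoritative_macs}
    return [r for r in responses if r["server_mac"].lower() not in approved]

# Constructed sample observations (hypothetical addresses, not from the post)
ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:55"),  # the real server announces itself
    ("10.0.0.1", "00:11:22:33:44:55"),
    ("10.0.0.1", "de:ad:be:ef:00:01"),  # another host now claims the server's IP
    ("10.0.0.1", "00:11:22:33:44:55"),  # the real server answers again
]
DHCP_RESPONSES = [
    {"type": "OFFER", "server_mac": "00:11:22:33:44:55", "yiaddr": "10.0.0.50"},
    {"type": "OFFER", "server_mac": "de:ad:be:ef:00:01", "yiaddr": "10.0.0.50"},
]

def run_demo():
    """Feed the constructed data through both checks; returns (arp_reports, strays)."""
    w = ArpWatcher()
    arp_reports = [r for r in (w.observe(ip, mac) for ip, mac in ARP_REPLIES) if r]
    strays = stray_dhcp_responses(DHCP_RESPONSES, ["00:11:22:33:44:55"])
    return arp_reports, strays

if __name__ == "__main__":
    print(run_demo())
```

On a real network the ARP replies would come from a sniffer on the server and the DHCP records from a capture filter on UDP port 67 responses, which on switched ethernet only sees traffic reaching that port.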
