Making Internal Spoofing Harder with OS Detection

I recently wrote down a couple of snippets on Limiting Administration by OS, and since putting those to, er… paper, another thought has crossed my mind.

Some of the worst internal incidents I’ve been involved in were those where the attacker either rebooted into a live Linux CD or had a second hard drive that was mostly left unwired. This made tracking and auditing his actions extremely difficult due to the nature of his attack platform.

Tools like arpwatch look for the more obvious change: a new or altered MAC address. Using something like p0f (passive OS fingerprinting) or a PF-based firewall with OS fingerprinting enabled, it would also be possible to watch for operating system changes on the network in the cases where the MAC address is not changed; where it is changed, the firewall can block and flag the unknown address. After all, if a MAC tied to a Windows machine suddenly starts fingerprinting as a FreeBSD box, that certainly warrants investigation. Two caveats apply: passive fingerprinting is a heuristic, and a determined attacker can clone the MAC and tune the TCP/IP stack of their live CD to mimic the usual OS, while an OS upgrade, a VM bridged onto the host's NIC, or a dual-boot machine will trip the same alarm. So an OS change is best treated as something to flag for investigation rather than to block automatically, with blocking reserved for the unknown-MAC case.
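One way to build the check described above, as an added example that is not code from the original post: join p0f's per-IP OS observations with arpwatch's IP-to-MAC table, keep a baseline of which OS family each known MAC was first seen running, and raise an alert when a MAC is unknown or its OS family changes. The p0f v3 log layout (`mod=syn|cli=IP/port|...|subj=cli|os=...`), the arpwatch `arp.dat` layout (`MAC IP TIMESTAMP [HOST]`), and the sample log lines are assumptions and constructed data, not real captures.

```python
"""Correlate passive OS fingerprints (p0f) with MAC addresses (arpwatch)
and flag hosts whose operating system family appears to change.

Assumed input formats (verify against your own installation):
  p0f v3 log: [ts] mod=syn|cli=IP/port|srv=IP/port|subj=cli|os=OS|dist=N|...
  arp.dat:    whitespace-separated "MAC IP TIMESTAMP [HOSTNAME]"
"""
import re

P0F_FIELD = re.compile(r"(\w+)=([^|]*)")


def parse_p0f_line(line):
    """Return (client_ip, os_label) for a classified client SYN, else None."""
    fields = dict(P0F_FIELD.findall(line))
    # Only SYN observations whose subject is the client tell us the client OS;
    # syn+ack lines describe the server, so skip them to avoid misattribution.
    if fields.get("mod") != "syn" or fields.get("subj") != "cli":
        return None
    os_label = fields.get("os", "???")
    if os_label in ("", "???"):  # p0f could not classify this SYN
        return None
    return fields["cli"].split("/")[0], os_label


def parse_arp_dat(text):
    """Map IP -> MAC from arpwatch's arp.dat; the newest entry per IP wins."""
    newest = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mac, ip, ts = parts[0].lower(), parts[1], int(parts[2])
        if ip not in newest or ts >= newest[ip][1]:
            newest[ip] = (mac, ts)
    return {ip: mac for ip, (mac, _) in newest.items()}


def os_genre(label):
    """Collapse 'Windows 7 or 8' / 'Linux 3.x' / 'FreeBSD 9.x' to the family name."""
    return label.split()[0]


class OsChangeDetector:
    def __init__(self, known_macs):
        self.known = {m.lower() for m in known_macs}
        self.baseline = {}  # mac -> OS family first observed

    def observe(self, mac, ip, os_label):
        """Return an alert string, or None when nothing looks unusual."""
        genre = os_genre(os_label)
        if mac not in self.known:
            return f"UNKNOWN MAC {mac} ({ip}) fingerprints as {os_label}; block and flag"
        prev = self.baseline.setdefault(mac, genre)
        if prev != genre:
            return f"OS CHANGE on {mac} ({ip}): {prev} -> {genre} ({os_label}); investigate"
        return None


def scan(p0f_log, arp_dat, known_macs):
    """Run every p0f observation through the detector; return the alerts in order."""
    ip_to_mac = parse_arp_dat(arp_dat)
    det = OsChangeDetector(known_macs)
    alerts = []
    for line in p0f_log.splitlines():
        obs = parse_p0f_line(line)
        if obs is None:
            continue
        ip, os_label = obs
        mac = ip_to_mac.get(ip)
        if mac is None:
            alerts.append(f"NO ARP ENTRY for {ip} (fingerprints as {os_label})")
            continue
        alert = det.observe(mac, ip, os_label)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample data for illustration only (not real captures).
SAMPLE_ARP_DAT = """\
00:11:22:33:44:55 10.0.0.10 1325673600 wsmith-pc
00:11:22:33:44:66 10.0.0.11 1325673600 finance-db
de:ad:be:ef:00:01 10.0.0.99 1325673700
"""

SAMPLE_P0F_LOG = """\
[2012/01/04 10:26:14] mod=syn|cli=10.0.0.10/49152|srv=10.0.0.1/80|subj=cli|os=Windows 7 or 8|dist=0|params=none|raw_sig=4:128+0:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2012/01/04 10:27:02] mod=syn|cli=10.0.0.11/38210|srv=10.0.0.1/22|subj=cli|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df,id+:0
[2012/01/04 10:40:55] mod=syn+ack|cli=10.0.0.10/49160|srv=10.0.0.1/443|subj=srv|os=Linux 2.6.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df,id+:0
[2012/01/04 11:02:31] mod=syn|cli=10.0.0.10/12345|srv=10.0.0.2/445|subj=cli|os=FreeBSD 9.x|dist=0|params=none|raw_sig=4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0
[2012/01/04 11:05:00] mod=syn|cli=10.0.0.99/40001|srv=10.0.0.2/445|subj=cli|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df,id+:0
[2012/01/04 11:06:00] mod=syn|cli=10.0.0.50/40002|srv=10.0.0.2/445|subj=cli|os=???|dist=0|params=none|raw_sig=...
"""

KNOWN_MACS = ["00:11:22:33:44:55", "00:11:22:33:44:66"]

if __name__ == "__main__":
    for alert in scan(SAMPLE_P0F_LOG, SAMPLE_ARP_DAT, KNOWN_MACS):
        print(alert)
```

On the sample data this reports the Windows host at 10.0.0.10 turning into FreeBSD and the never-seen MAC at 10.0.0.99, while ignoring the syn+ack line (which describes the server, not the client) and the SYN p0f could not classify. Comparing the OS family rather than the full label is deliberate: p0f's version guesses wobble between kernels and across NAT, and the signal the post cares about is Windows becoming FreeBSD, not Linux 2.6 becoming Linux 3.x. Note that the baseline here is whatever p0f saw first; in production you would seed it from an inventory so that a machine already booted into a live CD when monitoring starts does not become its own baseline.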