    Ubiquiti AP Guest mode

      scottalanmiller @Deleted74295

      @Breffni-Potter said:

      IP scanner shows all the devices on the network when on guest SSID.

      I'd not call that "seeing" them. Getting a list of them from the ARP table, which is what we were discussing here, isn't the same as seeing the device itself. I might see a list of names of people, but it doesn't mean I can see the people themselves. Unless you can interact with the device, that's not considered "seeing" the device in a networking sense.

        Dashrender @scottalanmiller

        @scottalanmiller said:

        @Breffni-Potter said:

        IP scanner shows all the devices on the network when on guest SSID.

        I'd not call that "seeing" them. Getting a list of them from the ARP table, which is what we were discussing here, isn't the same as seeing the device itself. I might see a list of names of people, but it doesn't mean I can see the people themselves. Unless you can interact with the device, that's not considered "seeing" the device in a networking sense.

        Exactly - the ability for an IP scanner to list all of the IPs and MAC addresses of other devices on the corporate network is why this thread exists and brings about my question - Is the fact that a Guest network computer can pull an ARP listing considered an acceptable thing? And why or why not?

        I confirmed that I am not able to ping any of those addresses while on the Guest network, nor can I seem to access (ping) addresses on the other side of my Site to Site VPN. I consider this a great step forward, but access to that MAC table makes me leery. If ARP positioning could happen, would I be able to get access to that network?

          scottalanmiller @Dashrender

          @Dashrender said:

          Exactly - the ability for an IP scanner to list all of the IPs and MAC addresses of other devices on the corporate network is why this thread exists and brings about my question - Is the fact that a Guest network computer can pull an ARP listing considered an acceptable thing? And why or why not?

          Depends. In any normal environment, lacking IP access is enough to not have any concerns. Getting a listing alone is not at all a threat.

          See if it can only see the ARP listing or if Ethernet connections are possible.

            scottalanmiller @Dashrender

            @Dashrender said:

            I confirmed that I am not able to ping any of those addresses while on the Guest network, nor can I seem to access (ping) addresses on the other side of my Site to Site VPN. I consider this a great step forward, but access to that MAC table makes me leery. If ARP positioning could happen, would I be able to get access to that network?

            ARP Poisoning?

            No need to go that far to test, you should be able to find or write a utility that would attempt direct Ethernet communications to see if there is a concern. Or just use Wireshark to see.

              Dashrender @scottalanmiller

              @scottalanmiller said:

              @Dashrender said:

              I confirmed that I am not able to ping any of those addresses while on the Guest network, nor can I seem to access (ping) addresses on the other side of my Site to Site VPN. I consider this a great step forward, but access to that MAC table makes me leery. If ARP positioning could happen, would I be able to get access to that network?

              ARP Poisoning?

              No need to go that far to test, you should be able to find or write a utility that would attempt direct Ethernet communications to see if there is a concern. Or just use Wireshark to see.

              OK, I'll put a pin in this until tomorrow then, and start searching for how to do that.

                Dashrender

                Interesting - OK so you can use SNMP to pull the ARP table from a switch. I found this page that had several good commands on it for polling information from SNMP.

                http://networkengineering.stackexchange.com/questions/2900/using-snmp-to-retrieve-the-arp-and-mac-address-tables-from-a-switch

                  scottalanmiller @Dashrender

                  @Dashrender said:

                  Interesting - OK so you can use SNMP to pull the ARP table from a switch. I found this page that had several good commands on it for polling information from SNMP.

                  http://networkengineering.stackexchange.com/questions/2900/using-snmp-to-retrieve-the-arp-and-mac-address-tables-from-a-switch

                  So it doesn't mean that that is what happened, but it does show that we have no reason yet to question the fencing of the Unifi.

                    Dashrender @scottalanmiller

                    @scottalanmiller said:

                    @Dashrender said:

                    Interesting - OK so you can use SNMP to pull the ARP table from a switch. I found this page that had several good commands on it for polling information from SNMP.

                    http://networkengineering.stackexchange.com/questions/2900/using-snmp-to-retrieve-the-arp-and-mac-address-tables-from-a-switch

                    So it doesn't mean that that is what happened, but it does show that we have no reason yet to question the fencing of the Unifi.

                    I wasn't accusing anyone of anything - only sharing that I found a way to get the information. Though short of this, I'm still not sure how Advanced IP scanner could get this information.

                      scottalanmiller @Dashrender

                      @Dashrender said:

                      @scottalanmiller said:

                      @Dashrender said:

                      Interesting - OK so you can use SNMP to pull the ARP table from a switch. I found this page that had several good commands on it for polling information from SNMP.

                      http://networkengineering.stackexchange.com/questions/2900/using-snmp-to-retrieve-the-arp-and-mac-address-tables-from-a-switch

                      So it doesn't mean that that is what happened, but it does show that we have no reason yet to question the fencing of the Unifi.

                      I wasn't accusing anyone of anything - only sharing that I found a way to get the information. Though short of this, I'm still not sure how Advanced IP scanner could get this information.

                      Wouldn't ARP Probe do that?

                        scottalanmiller

                        The AngryIP docs mention using ARP fetching.

                          scottalanmiller

                          Try arping it.

                          http://www.netscantools.com/nstpro_arpping.html

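The thread's distinction between an ARP listing and IP access, at the frame level, as an added example that is not from any poster: a scanner learns MACs from ARP replies, and a listed host only matters for isolation if it also answers over IP. The addresses, MACs and function names are constructed for illustration, and the example assumes guest clients share the LAN's broadcast domain.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, UNKNOWN = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
# ARP body for Ethernet/IPv4 (RFC 826): htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def _ip(text):
    return ipaddress.IPv4Address(text).packed

def build_arp_frame(oper, eth_dst, sha, spa, tha, tpa):
    """Ethernet header plus ARP body; a who-has request goes to the broadcast MAC."""
    header = _mac(eth_dst) + _mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
    return header + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                                _mac(sha), _ip(spa), _mac(tha), _ip(tpa))

def parse_arp_reply(frame):
    """Return (ip, mac) of the sender if frame is an ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return str(ipaddress.IPv4Address(spa)), sha.hex(":")

def isolation_report(arp_replies, ip_answered):
    """Split hosts into 'listed only' (MAC learned, no IP answer) and 'reachable'."""
    seen = dict(filter(None, map(parse_arp_reply, arp_replies)))
    return {ip: ("reachable" if ip in ip_answered else "listed only")
            for ip in sorted(seen, key=ipaddress.IPv4Address)}

# Constructed sample: a guest client at 192.168.1.50 asks who has 192.168.1.10,
# then receives replies from two hosts on the same broadcast domain.
GUEST_MAC, GUEST_IP = "02:00:00:00:00:50", "192.168.1.50"
REQUEST = build_arp_frame(ARP_REQUEST, BROADCAST, GUEST_MAC, GUEST_IP, UNKNOWN, "192.168.1.10")
REPLIES = [
    build_arp_frame(ARP_REPLY, GUEST_MAC, "02:00:00:00:00:10", "192.168.1.10", GUEST_MAC, GUEST_IP),
    build_arp_frame(ARP_REPLY, GUEST_MAC, "02:00:00:00:00:01", "192.168.1.1", GUEST_MAC, GUEST_IP),
]

if __name__ == "__main__":
    # In this constructed run only the gateway answered ping.
    print(isolation_report(REPLIES, ip_answered={"192.168.1.1"}))
```

Hosts reported as "listed only" match what Dashrender describes: the scanner shows their IP and MAC, but ping gets no answer.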