Comprehensive user manual for CySight Standard and Enterprise Editions.

MAC Address: Analytics and OUI Mapping (BYOD tracking)

"... A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment.

MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet and WiFi. Logically, MAC addresses are used in the media access control protocol sublayer of the OSI reference model.

MAC addresses are most often assigned by the manufacturer of a network interface controller (NIC) and are stored in its hardware, such as the card's read-only memory or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number and may be referred to as the burned-in address (BIA). It may also be known as an Ethernet hardware address (EHA), hardware address or physical address. This can be contrasted to a programmed address, where the host device issues commands to the NIC to use an arbitrary address.

A network node may have multiple NICs and each NIC must have a unique MAC address. ..."

The benefit of using MAC addressing in business today for Bring Your Own Device (BYOD) management should not be underrated.

CySight includes a comprehensive correlation engine that identifies each device's Organizationally Unique Identifier (OUI). The OUI is the first 24 bits of the MAC address of a network-connected device and indicates the specific vendor for that device.

MAC address analytics has attracted some criticism relating to tracking in malls and retail shops, and some vendors such as Apple have planned to include a dynamically changing random MAC address using iOS 8.

MAC addressing has been used successfully to enhance security in WiFi routers, enabling the locking of a MAC address to a router requiring both WiFi authentication and WPA2 authentication. Dynamic MAC addressing will create a headache for hotels, home users and small offices, who are often left with no choice but to lock down their networks to known devices, such as when using WiFi Protected Setup (WPS) to bridge WiFi routers.

Dynamic MAC addressing may provide some comfort to privacy pundits; however, the reality is that tracking will still continue in another form, whether by AppleID, by IPv6, or by the multitude of applets that can and will expand their provision of a mobile user's details and geolocation analytics back to big data systems.

There is a time delay before MAC address information is shown the first time it is included in the flow template for a Device. The MAC Address will begin displaying from the start of the next hour.

The display by and criteria fields in the Custom Filter screens will display after any device is found to include the MAC address as one of the fields in the flow template.
The CySight MAC address left menu options. The MAC Address left menu options will begin displaying from the start of the next hour from the introduction of MAC address as a flow field.


MAC Address is also used with Cisco WLC to identify both Station IDs and Device IDs.


The right-click menu will also include the MAC address default menus.




MAC Addresses can be used in the same way as any other data in CySight and can be included in Criteria. MAC Addresses can appear in the Display of Forensics, be used as part of Alerts criteria, or have Counts applied to them.

CySight's analysis of devices such as Cisco WLC employs XY Analytics to provide cross-sectional analysis, e.g. finding all IP Addresses that have been used by a specified MAC address over the last month.
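
The OUI mapping and the MAC-to-IP cross-reference described above can be illustrated with the following added example, which is not CySight code. It goes one step beyond the text by also checking the locally administered bit, which marks programmed or randomized addresses whose first 24 bits do not identify a vendor. The two-entry vendor table, the function names and the flow records are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

# Small sample stand-in for the IEEE OUI registry (assumption: a real
# deployment would load the full registry instead).
SAMPLE_OUI_VENDORS = {"00000C": "Cisco Systems", "005056": "VMware"}

def normalize_mac(mac):
    """Return 12 uppercase hex digits, accepting ':', '-' or '.' separators."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def classify_mac(mac):
    """Split a MAC into OUI and flags; vendor is None when it cannot be trusted."""
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    local = bool(first_octet & 0x02)      # U/L bit: programmed or randomized address
    multicast = bool(first_octet & 0x01)  # I/G bit: group address, not a single NIC
    oui = digits[:6]                      # first 24 bits of the address
    vendor = None if (local or multicast) else SAMPLE_OUI_VENDORS.get(oui)
    return {"mac": digits, "oui": oui, "local": local,
            "multicast": multicast, "vendor": vendor}

def ips_by_mac(flows):
    """Cross-reference flow records: MAC -> sorted list of IPs seen with it."""
    seen = defaultdict(set)
    for mac, ip in flows:
        seen[normalize_mac(mac)].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items()}

# Constructed flow records (source MAC, source IP); not CySight output.
SAMPLE_FLOWS = [
    ("00:00:0c:12:34:56", "10.0.0.5"),
    ("00-00-0C-12-34-56", "10.0.0.9"),
    ("0000.0c12.3456", "10.0.0.5"),
    ("da:a1:19:00:11:22", "10.0.0.77"),   # locally administered address
]

if __name__ == "__main__":
    for mac, ips in ips_by_mac(SAMPLE_FLOWS).items():
        info = classify_mac(mac)
        label = info["vendor"] or ("locally administered" if info["local"] else "unknown OUI")
        print(mac, label, ips)
```
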



References

https://en.wikipedia.org/wiki/MAC_address
https://www.cisco.com/en/US/docs/net_mgm ... #wp1017547
https://en.m.wikipedia.org/wiki/MAC_Table
https://www.techtimes.com/articles/8233/ ... keters.htm
https://hal.archives-ouvertes.fr/file/i ... alking.pdf
