Awareness – Authorized/Unauthorized Systems

In recognition of October being Security Awareness Month, here is an article about the first SANS control, Discovering Authorized/Unauthorized Systems.

It boils down to this. If you don’t know what is supposed to be on your network, how can you tell when something is there that shouldn’t be? A good IT team will have an up-to-date list of the servers, switches, routers, firewalls, wireless access points and printers that are connected to the network. The list should include IP address, MAC address, brand, model, and configuration characteristics. The list should also indicate where each device is located, both on the network and physically: VLAN, subnet, or other zoning information, as well as tower, floor, and section. This list will aid in locating equipment during service calls, and will also serve as a benchmark for identifying unexpected devices.

A really good IT team will have the same list, but will include every single workstation on the network and add details about the operating system, version and patch levels, as well as any software installed on the device. This intelligence will aid in locating rogue workstations and in spotting changes to installed software and unpatched components. Top IT teams will link all of the devices in their lists by their dependencies and relationships, building a CMDB.

How can you create these lists? There are a number of ways to do this. Any modern “ping-sweeper”, like those provided by Sunbelt Software, would be able to generate this list. I used to love using Fluke Network Inspector software before I got a Fluke LANmeter to fully automate the discovery process. Either one would inventory the network, interrogate each device, and provide a detailed list of the required information. The LANmeter did it in a much more controlled fashion and with less impact on the network. It also performed a myriad of tests to identify configuration issues and diagnose potential problems before they became service calls. Any product, including free ones like Nmap, can do the inventory trick. Many asset management tools have inventory capabilities, some patching tools have the capability, and some AV solutions will now detect “unknown” devices on the network. The hard part is keeping the list up to date, which will eventually mean “live in real time”.

For real time, you need to be able to control what gets plugged in. This is done using NAC (Network Access Control) technology. Basically, if the MAC address, and potentially some other factor (ID, password, token, etc.), is not recognized, the PC is not given full access. HP OpenView provides a console with PC health and status indicators; however, it is best suited to server monitoring.
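To make the “benchmark” idea concrete, here is an added example (my own code, not from the original post or any of the products it names) that compares a discovered-device list from a sweep, ARP table or NAC feed against the authorized inventory described above and flags devices that are not on the list, known devices that have turned up on an unexpected IP or VLAN, and listed devices that did not answer. The inventory rows, MAC addresses and IPs are constructed for illustration.

```python
# Added example, not from the original post: compare a discovered-device list
# against the authorized inventory and flag differences. All data is constructed.
from collections import namedtuple

# One row of the authorized list: MAC, IP, VLAN, device type, physical location
Asset = namedtuple("Asset", "mac ip vlan kind location")

def norm_mac(mac):
    """Normalise aa:bb:.., AA-BB-.. and aabb.ccdd.eeff forms to lowercase colon form."""
    hexchars = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexchars) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexchars[i:i + 2] for i in range(0, 12, 2))

def compare(authorized, discovered):
    """discovered: (mac, ip, vlan) tuples from a sweep, ARP table or NAC feed.
    Returns {"unauthorized": [...], "moved": [...], "missing": [...]}."""
    known = {norm_mac(a.mac): a for a in authorized}
    seen = set()
    report = {"unauthorized": [], "moved": [], "missing": []}
    for mac, ip, vlan in discovered:
        m = norm_mac(mac)
        seen.add(m)
        asset = known.get(m)
        if asset is None:                            # MAC not on the list at all
            report["unauthorized"].append((m, ip, vlan))
        elif (asset.ip, asset.vlan) != (ip, vlan):   # known device, unexpected place
            report["moved"].append((m, asset.ip, asset.vlan, ip, vlan))
    for m, asset in known.items():                   # on the list but not answering
        if m not in seen:
            report["missing"].append((m, asset.ip, asset.kind, asset.location))
    return report

AUTHORIZED = [
    Asset("00:11:22:33:44:01", "10.0.10.1", 10, "switch", "Tower A / floor 1"),
    Asset("00:11:22:33:44:02", "10.0.10.20", 10, "printer", "Tower A / floor 1 east"),
    Asset("00:11:22:33:44:03", "10.0.20.5", 20, "server", "Tower A / basement DC"),
]
DISCOVERED = [
    ("00-11-22-33-44-01", "10.0.10.1", 10),      # switch where expected
    ("0011.2233.4402", "10.0.30.20", 30),        # printer now on a different VLAN
    ("de:ad:be:ef:00:01", "10.0.10.77", 10),     # not on the list: investigate
]

if __name__ == "__main__":
    for key, items in compare(AUTHORIZED, DISCOVERED).items():
        print(f"{key}: {items}")
```

A MAC match on its own is weak evidence, since MAC addresses are easily changed, which is why the NAC step above pairs it with another factor; treat the “unauthorized” and “moved” lists as items to investigate rather than as verdicts.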

Remember, the bottom line is to know your network and be able to identify changes and additions to your environment before an unauthorized or rogue device can steal customer or other valuable data.