Security's Everyman

Wednesday, March 07, 2007

I wish I had better network monitoring tools

You often hear of someone bringing a laptop from home or a wireless access point and connecting it to the corporate network. There are all kinds of security risks surrounding such things. I've even posted several times about an auditor or consultant coming in and just assuming that they can connect their laptop to our network. It's not even that uncommon for an Executive to come to me and ask if the auditor or consultant could connect.

Yesterday a guy asked me if I would be interested in buying a PC that he wanted to get rid of. I told him that I might and asked him for details. It's not much, but it will make a nice system to add to my home network. I told him that I wanted to look at it and assumed that he would bring it in today or tomorrow. Well, today he mentioned it again, and so later I went to his cube to look at it. When I got there he had already left for the day, but the PC was there. Connected to the network! As I did some investigation I realized that it had been there for quite some time. I'm not happy.

I know that you are wondering how someone who claims to be a security professional could allow this to go unnoticed for some time. I'd like to be able to say that I found it as soon as it attempted to get an IP address and that I was able to lock it out and keep it off. But I work for a small company that has a limited IT and Security budget. We have to spend what money we have on the necessities and not luxuries. Not to mention that we have added lots of new systems to the network lately and I'm still trying to get a handle on all the information being gathered now. Well, it is off the network now and I will be having a talk with him about this.

Note: I realize that there are several things that could have been done proactively to prevent this from happening. Many of them are things that I have tried to get approved by management, but they have been rejected because of small-company politics.


vak73 said...


I work for AdventNet and we have a product, OpUtils (a set of network tools), that meets your requirement. Though it isn't free, it doesn't cost you much.

It scans your network periodically and lists/alerts you when any new MAC is detected on the network.

You can download a free evaluation copy from


Tim said...

Hey Andy,
OK, so this isn't the best way, but it might work: just shut down all unused ports on your switches. Or, if you are running Cisco, you can enable port security and limit the switch port to only a few MAC addresses. Is this time consuming? Yes. Will it maybe help increase your security and give you a chance to get some budget for other products? Maybe. You could also set the switch to notify you of port status changes. Obviously, you would only want to do this on the ports that you know are not always in use. Then at least you know something is now connected where it wasn't, and you can investigate if you would like.
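What Tim describes, as an added Cisco IOS fragment that is not part of his comment or the original post. Interface names, the descriptions, the SNMP receiver 192.0.2.10 and the community string SNMPCOMMUNITY are placeholders; the port-security and trap commands are standard Catalyst IOS syntax.

```cisco
! Unused port: administratively down until somebody asks for it.
interface FastEthernet0/10
 description UNUSED - shut per policy
 shutdown
!
! In-use port: the first MAC learned is stuck to the port; any extra MAC is
! dropped, counted, logged and trapped, but the port stays up ("restrict").
! "violation shutdown" would err-disable the port instead.
interface FastEthernet0/11
 description cube 4B - user desktop
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! Send link up/down and port-security violation traps to the monitoring box.
snmp-server host 192.0.2.10 version 2c SNMPCOMMUNITY
snmp-server enable traps snmp linkup linkdown
snmp-server enable traps port-security
```

Sticky addresses only survive a reload once you `write memory`, and `show port-security interface FastEthernet0/11` shows the learned MAC and the violation counter, which is the quickest check that a port is doing what you think.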

Andy, ITGuy said...

Tim, that's the kind of stuff that management doesn't want. They want anyone (supposedly only those authorized) to be able to plug in anywhere. Makes it easier to do their jobs. Of course it also makes it easier to get compromised.

LonerVamp said...

Sounds like you might benefit from some small tools that give you alerts. I can think of one off hand, and three other ideas.

1) If you have a spare nix box around (or even Windows with cygwin) you could look up a little tool called arpwatch and/or arpalert. These should be set up in a way on your network to notice new MAC addresses and perform some action based on it. Just give it some time to populate a list of "good" MACs or feed it an inventory list, and after that you can at least get a notice when something funny occurs. And as far as I am concerned, if someone puts something unexpected on my network, I have free rein (until I find it) to poke and prod at it until I can determine where it might be and/or who is using it.

2) Limit your subnet as much as possible so that you can do a regular ping sweep. These are not terribly intensive as you just do a ping sweep on your entire IP space. You can sometimes find interesting things that way. This has gotten to be less reliable as more firewalls hide systems these days...

3) Monitor your DHCP tables for anything new. Obviously an attacker does not need to throw out a DHCP request, but I suspect most people will let DHCP do its job as opposed to guessing an IP on your network.

4) I am not familiar with this method, even though we do use it, but I'm not sure if it ties into our networking gear or not. But you could look into an Active Directory group that will disallow Internet access. I'm not sure how that works. Maybe that is enough to fuel some Googling.

Just some ideas, and you can jimmy up some stuff for no money other than the old hardware and time spent.
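The "inventory list" idea in LonerVamp's points 1 and 3, as an added example that is not code from the comment or the original post: a small script that diffs what the ARP cache and the DHCP server have seen against a hand-kept list of known MACs. The inventory, the `arp -an` output and the ISC dhcpd.leases excerpt below are constructed sample data, and the MAC normalisation handles the unpadded octets (`0:c:29:...`) that BSD/Linux `arp` prints and the upper-case form dhcpd stores, so the same box doesn't get flagged twice.

```python
"""Rogue-device check: diff observed MACs (ARP cache, DHCP leases) against an
inventory of known MACs.  Added example, not from the original post."""
import re
from typing import Dict, List, Tuple

# Constructed inventory of "good" MACs -> owner/description (assumption: kept
# by hand or exported from whatever asset list you already have).
INVENTORY = {
    "00:0c:29:ab:cd:ef": "file server",
    "00:1a:2b:3c:4d:5e": "andy-desktop",
    "00:50:56:11:22:33": "printer-2ndfloor",
}

# Constructed sample of `arp -an` output (Linux/BSD form, unpadded octets).
SAMPLE_ARP = """\
? (10.0.1.10) at 0:c:29:ab:cd:ef [ether] on eth0
? (10.0.1.11) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.0.1.57) at 00:16:d3:aa:bb:cc [ether] on eth0
? (10.0.1.1) at <incomplete> on eth0
"""

# Constructed sample in ISC dhcpd.leases format.
SAMPLE_LEASES = """\
lease 10.0.1.57 {
  starts 3 2007/03/07 14:02:11;
  hardware ethernet 00:16:d3:aa:bb:cc;
  client-hostname "bobs-old-pc";
}
lease 10.0.1.11 {
  hardware ethernet 00:1A:2B:3C:4D:5E;
  client-hostname "andy-desktop";
}
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:\-]+)")
LEASE_RE = re.compile(r"lease (?P<ip>[\d.]+) \{(?P<body>.*?)\}", re.S)
HW_RE = re.compile(r"hardware ethernet (?P<mac>[0-9a-fA-F:]+);")
HOST_RE = re.compile(r'client-hostname "(?P<host>[^"]*)";')


def normalize_mac(raw: str) -> str:
    """Canonical form: six zero-padded lowercase hex octets joined by ':'."""
    parts = re.split(r"[:\-]", raw.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(p.zfill(2) for p in parts)


def parse_arp(text: str) -> Dict[str, str]:
    """mac -> ip from `arp -an` output; <incomplete> entries carry no MAC."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            seen[normalize_mac(m.group("mac"))] = m.group("ip")
    return seen


def parse_dhcp_leases(text: str) -> Dict[str, Tuple[str, str]]:
    """mac -> (ip, client hostname) from a dhcpd.leases file."""
    seen: Dict[str, Tuple[str, str]] = {}
    for lease in LEASE_RE.finditer(text):
        body = lease.group("body")
        hw = HW_RE.search(body)
        if not hw:
            continue
        host = HOST_RE.search(body)
        seen[normalize_mac(hw.group("mac"))] = (
            lease.group("ip"), host.group("host") if host else "")
    return seen


def find_unknown(observed: Dict[str, object], inventory: Dict[str, str]) -> List[str]:
    """MACs seen on the wire that are not in the inventory (inventory may be in any case/format)."""
    known = {normalize_mac(m) for m in inventory}
    return sorted(mac for mac in observed if mac not in known)


def report(arp_text: str, lease_text: str, inventory: Dict[str, str]) -> List[str]:
    """One line per unknown MAC, merging what ARP and DHCP know about it."""
    arp = parse_arp(arp_text)
    leases = parse_dhcp_leases(lease_text)
    lines = []
    for mac in find_unknown({**arp, **leases}, inventory):
        ip = arp.get(mac) or leases.get(mac, ("", ""))[0]
        host = leases.get(mac, ("", ""))[1]
        lines.append(f"UNKNOWN {mac} ip={ip} host={host or '?'}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ARP, SAMPLE_LEASES, INVENTORY):
        print(line)
```

Run it from cron against a fresh `arp -an` (after a ping sweep of the subnet, so the cache is populated) and the real leases file, and mail the output when it is non-empty. The ARP side catches static-IP boxes that never touch DHCP; the DHCP side gives you the hostname, which in the case above would have pointed straight at the cube.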

cutaway said...

I am not a sysadmin, but I think there has to be a way to integrate Cacti and p0f. There is a p0f graphing utility that can be found at p0f Statistics thingies. These wouldn't cost anything other than the time setting it up and any hardware you need. Maybe you could buy this guy's computer for the company.

I know that an active monitoring tool is what you were considering but there are advantages to having a passive monitoring tool as well.

Go forth and do good things,

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.