This article was originally published in TechRepublic's Security Solutions e-newsletter.
Are you absolutely sure you know all the protocols and ports that are open on your network? If you're not the only person with the rights and permissions necessary to add devices to your network, you'll never know what's really "live and on the wire"—unless you listen to your network. By periodically scanning your network, you'll be able to maintain a good view of what devices are connected to it and to determine whether those devices are communicating properly and using the allowed ports and protocols.
Depending on the OS of your administrator's workstation, you could start with a ping sweeper such as fping (Linux/UNIX) or SuperScan (Windows), which quickly scans a range of IP addresses and reports the hosts that answer. Run periodically and compared against your inventory of authorized hosts, this is one way to determine whether someone is adding devices to the network without your knowledge and/or approval.
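As an added example (not code from the original article), here is a small POSIX shell script that turns a periodic fping sweep into an inventory check: it compares the live addresses fping reports against a file of authorized hosts and prints anything that isn't on the list. The addresses, the inventory file layout and the function names are made up for illustration; the only real tool invoked is fping, and the demo runs offline on constructed scan output.

```shell
#!/bin/sh
# Added example, not part of the original article.
#
# Real-world use (needs network access):
#   fping -a -q -g 192.168.1.0/24 2>/dev/null > live.txt
#   find_rogues live.txt inventory.txt
#
# "fping -a" prints one responding address per line; older builds print
# "192.168.1.10 is alive". The function accepts both forms because it
# only keeps the first field of lines that start with a digit.

# find_rogues SCAN_FILE INVENTORY_FILE
# Prints every live address that does not appear in the inventory.
find_rogues() {
    scan="$1"
    inventory="$2"
    live="${TMPDIR:-/tmp}/live.$$"
    known="${TMPDIR:-/tmp}/known.$$"
    # Live hosts: first field of each result line, sorted uniquely.
    awk '/^[0-9]/ {print $1}' "$scan" | sort -u > "$live"
    # Authorized hosts: first field of each non-comment, non-blank line.
    grep -v '^#' "$inventory" | awk 'NF {print $1}' | sort -u > "$known"
    # comm -23 keeps lines present only in the first file (live but unknown).
    comm -23 "$live" "$known"
    rm -f "$live" "$known"
}

# Constructed sample data (hypothetical addresses) so the example runs
# without a network. Two live hosts are missing from the inventory; one
# inventoried printer is powered off and so is absent from the scan.
demo_find_rogues() {
    tmp="${TMPDIR:-/tmp}/rogue-demo.$$"
    mkdir -p "$tmp"
    cat > "$tmp/live.txt" <<'EOF'
192.168.1.1 is alive
192.168.1.10 is alive
192.168.1.37 is alive
192.168.1.200 is alive
EOF
    cat > "$tmp/inventory.txt" <<'EOF'
# authorized hosts:  address       role
192.168.1.1    core-switch
192.168.1.10   fileserver
192.168.1.20   printer-2f
EOF
    find_rogues "$tmp/live.txt" "$tmp/inventory.txt"
    rm -rf "$tmp"
}

demo_find_rogues
```

Running the demo lists 192.168.1.200 and 192.168.1.37 as unexplained hosts and says nothing about the powered-off printer, which is the right behaviour for a rogue-device check; a separate comparison in the other direction (inventoried hosts that never answer) is what you'd use to spot missing equipment.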
However, some devices (e.g., wireless devices) will need a different tool for discovery. If you're looking for rogue wireless access points (WAPs), you can use tools such as Kismet or NetStumbler. Finding an unauthorized WAP behind your security perimeter is bad news, but not finding one that's tapped into your network is even worse.
Ideally, you shouldn't find any surprises in your network scan results. If you do, though, take these steps.
Immediately isolate the rogue WAP at the switch it's connected to. Shutting down the switch port is more reliable than blocking the access point's own IP address: a WAP that bridges wireless clients onto the LAN forwards their traffic under the clients' MAC and IP addresses, so a filter on the AP's address alone won't stop them. Cutting the port should give you enough time to find the physical device while the user is still trying to discover what happened to his or her wireless connection.
If you find unknown non-wireless devices—such as printers, departmental FTP/Web servers, etc.—conduct an in-depth scan and determine exactly what the device's function is. Block the device from the network until you can physically locate it and disconnect it.
For a more thorough examination of the rogue device, you can use Ettercap or Winfingerprint. Both utilities do an excellent job of identifying the OS that's running on a remote device, which should help you discover the device's original purpose. They also show what services are running and what ports are listening for connections.
As administrators, it's our job to ensure that only authorized and secured devices operate on the network. Besides the obvious security reasons, there are performance gains to turning off unnecessary network protocols: it reduces network chatter and frees bandwidth for legitimate traffic.
I've mentioned a lot of network tools in this article, all of which are free. If you use these tools to listen to your network and map every IP address, you might be surprised by what you find.