Tech Tip: Listen for alien devices on your network

By Mike Mullins

Are you absolutely positive you know all the protocols and ports that are open on your network? If you're not the only person with the rights and permissions necessary to add devices to your network, you'll never know what's really "live and on the wire"—unless you listen to your network. By periodically scanning your network, you'll be able to maintain a good view of what devices are connected to it, and determine whether those devices are communicating properly and using the allowed ports and protocols.

Start scanning

Depending upon the OS on your admin workstation, you could start by using tools, such as fping or SuperScan, that allow you to quickly scan a range of IP addresses to detect live network connections. This is one way to determine if someone's adding devices to the network without your knowledge and/or approval.

However, some devices (e.g., wireless devices) will need a different tool for discovery. If you're looking for alien wireless access points (WAPs), you can use tools such as Kismet or Network Stumbler. Finding an unauthorized WAP behind your security perimeter is bad news, but not finding one that's tapped into your network is even worse.

Take action

Ideally, you shouldn't find any surprises in your network scan results. If you do, though, take these steps.

Rogue WAPs
Immediately block the IP address of the WAP device at the switch where it's connected. This should provide you with enough time to find the physical device while the user is trying to discover what happened to his or her network connection.

Nonwireless devices
If you find unknown nonwireless devices, such as printers, departmental FTP/Web servers, etc., conduct an in-depth scan, determine exactly what the device's function is, and block it from the network until you can physically locate it and disconnect it.

For a more thorough examination of the rogue device, you can use Ettercap or Winfingerprint. Both utilities do an excellent job of decoding the type of OS that's running on a remote device, which should help you discover the device's original purpose. These utilities also show what services are running and what ports are listening for connections.

Final thoughts

As security administrators, it's our job to ensure that only authorized and secured devices operate on the network. Besides the obvious security reasons, there are performance gains to turning off unnecessary network protocols. Turning off unnecessary protocols helps reduce network chatter and increases bandwidth availability.

I've mentioned a lot of network tools in this week's column, all of which are free. Listen to your network and map every IP address. You might be surprised by what you find.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.

Editor's Picks

Free Newsletters, In your Inbox