Posted by Will on March 9, 2008, 12:06 am
> There are no applications doing exactly that because generally there's no
> way to tell what hosts are authorised during network mapping. However with
You would need to feed your expected network to the tool so that it could
detect exceptions. I wasn't expecting magic.
> some fine-tuning most network-based intrusion detection systems like snort
> (www.snort.org) will do. It's quite easy to create a rule that will alert
> on traffic from unknown origin. But for any sizeable network creating a
> traffic aggregation point is not easy, and the rule will become very
> complicated and possibly slow to process. Maintaining a database of known
> IPs and MAC addresses is administrative hell as I see it.
I agree there are administrative challenges in maintaining such a tool.
> So the common approach is endpoint security: require authentication for
> accessing the network. All enterprise wireless LANs use that, and wired
> solutions are proliferating. Microsoft helps a lot with NAP
> (www.microsoft.com/nap). Also not a bulletproof approach, but it allows you
> to achieve your objectives.
Of course we require authentication to access the network. But that
doesn't help a whole lot when a contractor decides he wants to turn one of
your PCs into a public unfirewalled Internet gateway, a feat that is trivial
to accomplish these days with wireless Internet over 3G. I've also had
cases where people put their home notebooks on the network, then
configured the notebook as a file server and started copying files there.
Bad actors often have good credentials. All of your worst security risks
usually come from inside, from people you are supposed to trust,
unfortunately.
> One other suggestion is to use a honeypot - put a host out there that is
> not supposed to receive any connections at all. Any ping to the host will
> trigger an alert.
I have been looking for a decent commercial honeypot that runs on Windows or
as a VMware virtual machine for ages. I haven't found anything that
wouldn't require about two weeks of intensive study to make work. If you
know of some good ones that won't require a lot of setup work please let me
know.
--
Will
>> Does any vendor make an application that passively listens to all Ethernet
>> segments on a computer, and then notifies the administrator if any
>> unauthorized IP or Ethernet MAC address shows up on any segment? You would
>> obviously need to feed into such an application the IPs and MAC addresses
>> that are authorized for your network. But when a contractor shows up or
>> someone plugs in a new computer, the administrator would know about it the
>> instant it happens.
>>
>> --
>> Will
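The core of what the original question asks for, a passive listener fed an administrator-maintained list of authorized MAC/IP pairs that raises an exception the moment an unknown host speaks, is small enough to sketch. The following is an added example and not code from anyone in this thread or from any product mentioned in it. It parses raw Ethernet/ARP frames (ARP is the natural thing to watch, since every IPv4 host announces its MAC/IP pairing on the segment before it can talk to anyone), compares the sender against the allowlist, and reports three kinds of exception: a MAC never seen before, a known MAC using an address it was not given, and a known address being claimed by a different MAC. The allowlist, the MAC and IP values and the frames themselves are constructed here so the example runs offline; on a real segment the frames would come from a raw socket or a pcap handle on each monitored interface.

```python
"""Passive ARP watcher: alert on MAC/IP pairs not in an allowlist.

Added example (not from the original thread). All addresses and frames
below are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


@dataclass(frozen=True)
class Arp:
    op: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_arp(frame):
    """Return an Arp for an Ethernet-framed IPv4 ARP packet, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None   # not Ethernet/IPv4 ARP
    return Arp(op, mac_str(sha), ip_str(spa), ip_str(tpa))


def build_arp(op, sender_mac, sender_ip, target_ip, target_mac="00:00:00:00:00:00"):
    """Construct a test frame (requests are broadcast, replies are unicast)."""
    dst = BROADCAST if op == 1 else mac_bytes(target_mac)
    eth = ETH_HDR.pack(dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


class SegmentWatcher:
    """Compare each ARP sender on a segment with an allowlist of {mac: ip}."""

    def __init__(self, allowlist):
        self.mac_to_ip = {m.lower(): ip for m, ip in allowlist.items()}
        self.ip_to_mac = {ip: m for m, ip in self.mac_to_ip.items()}
        self.reported = set()   # (mac, ip) pairs already alerted on, to avoid alert storms

    def check(self, frame):
        """Return an alert string for an unauthorized sender, or None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        mac, ip = arp.sender_mac, arp.sender_ip
        if ip == "0.0.0.0":
            # ARP probe from a host that has no address yet (RFC 5227): judge the MAC only
            alert = None if mac in self.mac_to_ip else f"unknown MAC {mac} probing (no IP yet)"
        elif mac not in self.mac_to_ip:
            alert = f"unknown MAC {mac} using {ip}"
        elif self.mac_to_ip[mac] != ip:
            owner = self.ip_to_mac.get(ip)
            extra = f", {ip} belongs to {owner}" if owner else ""
            alert = f"known MAC {mac} using unexpected IP {ip} (expected {self.mac_to_ip[mac]}{extra})"
        else:
            alert = None
        if alert is None or (mac, ip) in self.reported:
            return None
        self.reported.add((mac, ip))
        return alert


# Constructed allowlist: two authorized workstations on 10.0.0.0/24 (hypothetical values).
ALLOWLIST = {"00:11:22:33:44:01": "10.0.0.10", "00:11:22:33:44:02": "10.0.0.11"}


def run_demo():
    """Feed a handful of constructed frames through the watcher; return the alerts raised."""
    w = SegmentWatcher(ALLOWLIST)
    frames = [
        build_arp(1, "00:11:22:33:44:01", "10.0.0.10", "10.0.0.1"),   # authorized host, no alert
        build_arp(1, "aa:bb:cc:dd:ee:ff", "10.0.0.50", "10.0.0.1"),   # contractor's notebook
        build_arp(1, "aa:bb:cc:dd:ee:ff", "10.0.0.50", "10.0.0.1"),   # same again: suppressed
        build_arp(2, "00:11:22:33:44:02", "10.0.0.10", "10.0.0.1",    # known MAC claims another host's IP
                  target_mac="00:11:22:33:44:01"),
        b"\x00" * 64,                                                  # not ARP at all
    ]
    return [a for a in (w.check(f) for f in frames) if a]


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

Requests are broadcast, so a single listener on each segment sees every host that joins without needing an aggregation point, which is the one part of the snort-style approach the quoted reply called hard; the allowlist maintenance it called "administrative hell" is not solved by the code and remains the real cost.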