Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Critical Control 1 - Inventory of Authorized and Unauthorized Devices - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Critical Control 1 - Inventory of Authorized and Unauthorized Devices

Control 1

How many servers are in your DMZ?
How many Servers do you have in total?
How many workstations are connected to the network?
How many printers?
Switches/switches/routers/firewalls/Access Points?

If you can answer all the questions above for your organisation accurately, well done. Unfortunately the reality is that many people will not be able to answer them at all.  

Knowing what you have in your environment is critical to the security of the environment. We know that many attackers use automated processes to identify and attack machines on the internet.  If you are not aware of what internet facing systems you have, or they are not controlled, then it is likely that they will be discovered and compromised quickly.  So it is quite important to know what is actually there.

How can you achieve that? you need to be able to control what is plugged in.  Failing that, you will need to know when something has been plugged in.  802.1x controls or other forms of Network Access Control will help you achieve the first, but this may not be suitable for all areas of your environment, or you may not get around to implementing it for a while.

Detecting what is plugged in can be achieved in a number of ways.  Tools like arpwatch will detect when something is plugged in.  You could scan the network segment on a regular basis using something like nmap and use ndiff to compare the results.  This will let you know when something is connected to your network.   You my be able to watch DHCP allocations and detect or prevent unauthorised allocations.  In order for it to be effective you will need some sort of inventory, if you don't know what you have, then you will not know what should or should not be there.  Document the operating systems in use, the types of hardware used, switch types, printer types etc.  

There are of course other tools that will help in this scenario. Many management tools will have inventory capabilities, some patching tools have the capability and some of the AV solutions will now detect "unknown" devices on the network.  

What do you do to identify and control what is on your network?

Mark - Shearwater

Mark

391 Posts
ISC Handler
It's a bit ad-hoc at the moment!

We use OCS Inventory NG for both it's inventory and deployment functionality. Two machines in every subnet are automatically designated to run "IPDiscover" and routinely scan their subnets. All "uninventoried" devices appear on a report that is checked "fairly" regularly, but there is no automatic alerting. We also keep a list of MAC addresses for all wireless devices permitted to connect to our network and use MAC whitelists on the access points.

Opening the "Microsoft Windows Network" page also shows up any new workgroups that don't match our own.

Finally, I often use "Angry IP Scanner" to search for devices that have a connectivity problem - and I normally keep an eye out for extra devices. Our network is just small enough that I know what should be there - and what shouldn't!

We use Sophos which has NAC and USB device control - neither of which we have got around to implementing yet!
Anonymous

Sign Up for Free or Log In to start participating in the conversation!