mliu@polyslo.CalPoly.EDU (Mei-Ling L. Liu) (12/07/88)
*** Detecting Unauthorized Connections on Your Network ***
*** Summary of Responses ***
I want to thank all who responded to the following message I
posted last month: --
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
I am anxious to hear from people who have looked into or have
implemented tools to detect unauthorized connections on their
networks.
...
If you know of any software/hardware tool for what I need, please
respond. Thanks.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
A summary of the responses follows:
1. Use a TDR (time domain reflectometer) to locate unauthorized
taps, which requires shutting down one segment of the LAN at a time.
2. Perform an annual cable audit to verify each connected machine.
3. Maintain a list of valid Ethernet addresses, then run an
analyzer occasionally to spot-check the Ethernet addresses
contained in packets on the network.
4. Run network software that records the addresses observed in
packets that go through the network, and check them against the
list of registered addresses.
5. DEC sells an Ethernet Enhanced-Security System that will allow
you to, among other things: verify the Ethernet addresses used by
individual nodes, and to prohibit a registered node from talking
to any unregistered node.
6. With TCP/IP, use the domain name service as leverage to
entice users to register a node.
7. With TCP/IP, an IP router with SNMP or a bridge with
appropriate software can be made to send an event report whenever
a new entry is made dynamically in its ARP table. The new entry can
then be checked for validity.
8. Use friendly persuasion: inform users of the policy of new node
registration and keep up a friendly relationship with them.
All of these are good suggestions and should be done here, even if
they are easier said than done. We do have software that can
monitor traffic from bridges and software that can capture packets
going through the network. To do the spot-checking required,
however, would take a lot of processing, considering the large
number of valid addresses that go across our network; but that's
definitely one way to go. Doing an annual cable-plant audit is
also a good idea, but it's not likely to get done around here. We
do have an IP router, and checking the new ARP entries does
provide a way of spotting new nodes.
Finally, the Ethernet Enhanced-Security System sold by DEC sounds
like the least painful way to handle the problem: the policy is
built right into the network -- no need for policing. It also
sounds VERY expensive. I will check into that anyway just for my
curiosity.
Again, many thanks to all who responded.
******************************************************************
Mei-Ling L. Liu
Network Administration Coordinator
Internet: mliu@polyslo.calpoly.edu
BITNET: du254@calpoly
******************************************************************
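Suggestions 3, 4 and 7 above all reduce to the same check: decode each captured frame, pull out the Ethernet source address (and, for ARP, the sender hardware/protocol binding), and compare it against a registry of known nodes. The script below is an added example written for this summary, not software from the poster or from DEC. It assumes frames are available as raw Ethernet II bytes (as a packet capture tool would hand them over) and that the site keeps a registry keyed by Ethernet address; the registry, the addresses and the sample capture are all constructed for the example.

```python
"""Spot-check captured Ethernet frames against a registry of known nodes.

Added example (not part of the original posting). Assumes raw Ethernet II
frames as bytes and a site registry mapping Ethernet address -> hostname.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed registry of authorised nodes; all addresses are hypothetical.
REGISTERED = {
    "08:00:2b:00:00:01": "host-a",
    "08:00:2b:00:00:02": "host-b",
}


def mac_to_str(raw):
    return ":".join("%02x" % b for b in raw)


def mac_to_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(frame):
    """Decode the 14-byte Ethernet II header; for ARP also pull the sender binding."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"src": mac_to_str(src), "dst": mac_to_str(dst), "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP:
        if len(frame) < 42:  # 14-byte header + 28-byte ARP packet
            raise ValueError("truncated ARP packet")
        # ARP fields: htype, ptype, hlen, plen, oper, sha, spa (tha/tpa follow)
        htype, ptype, hlen, plen, oper, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
        if (htype, ptype, hlen, plen) == (1, ETHERTYPE_IPV4, 6, 4):
            info["arp_oper"] = oper
            info["arp_sender_mac"] = mac_to_str(sha)
            info["arp_sender_ip"] = ".".join(str(b) for b in spa)
    return info


def audit(frames, registered=REGISTERED):
    """Check every source address in the capture against the registry.

    Returns {"unregistered": {mac: {"frames": n, "ips": set()}}, "malformed": n}.
    Both the frame source address and, for ARP, the sender hardware address
    are checked, so a station that forges one but not the other is still seen.
    """
    unregistered = {}
    malformed = 0
    for frame in frames:
        try:
            info = parse_frame(frame)
        except ValueError:
            malformed += 1
            continue
        candidates = {info["src"]}
        if "arp_sender_mac" in info:
            candidates.add(info["arp_sender_mac"])
        for mac in candidates:
            if mac in registered:
                continue
            entry = unregistered.setdefault(mac, {"frames": 0, "ips": set()})
            entry["frames"] += 1
            if info.get("arp_sender_mac") == mac:
                entry["ips"].add(info["arp_sender_ip"])
    return {"unregistered": unregistered, "malformed": malformed}


def build_frame(dst, src, ethertype, payload):
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def build_arp_request(sender_mac, sender_ip, target_ip):
    body = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
    body += mac_to_bytes(sender_mac) + bytes(int(o) for o in sender_ip.split("."))
    body += mac_to_bytes("00:00:00:00:00:00") + bytes(int(o) for o in target_ip.split("."))
    return build_frame(BROADCAST, sender_mac, ETHERTYPE_ARP, body)


# Constructed capture: one ARP request from a registered host, an ARP request
# and an IP frame from an unknown station (hypothetical address
# 02:60:8c:12:34:56, TEST-NET addresses), and one runt frame.
SAMPLE_FRAMES = [
    build_arp_request("08:00:2b:00:00:01", "192.0.2.1", "192.0.2.2"),
    build_arp_request("02:60:8c:12:34:56", "192.0.2.99", "192.0.2.1"),
    build_frame("08:00:2b:00:00:02", "02:60:8c:12:34:56", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    b"\x08\x00\x2b",
]

if __name__ == "__main__":
    report = audit(SAMPLE_FRAMES)
    for mac, entry in sorted(report["unregistered"].items()):
        print("unregistered %s: %d frame(s), claimed IP(s) %s"
              % (mac, entry["frames"], sorted(entry["ips"]) or "-"))
    print("malformed frames skipped:", report["malformed"])
```

Run against a real capture, the registry lookup is a single dictionary probe per frame, which addresses the processing concern raised above: the cost is in capturing, not in checking. Recording the IP that an unregistered station claims in ARP gives the same information the router's ARP-table event report would, without depending on router software support.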