mliu@polyslo.CalPoly.EDU (Mei-Ling L. Liu) (11/10/88)
*** Detecting Unauthorized Connections on Your Network ***
I am anxious to hear from people who have looked into or have
implemented tools to detect unauthorized connections on their net-
works.
I have a campus network with a broadband backbone and ethernet
basebands. We are running XNS now but will soon be switching to
TCP/IP. Users are supposed to notify us (the Computing Center)
before they hook anything up to the network, but naturally some of
them conveniently overlook this rule. Up to now we have been
relying on everybody's decency to cooperate, but now it seems in-
evitable that we are going to have to police the network to catch
intruders.
If you know of any software/hardware tool for what I need, please
respond. Thanks.
******************************************************************
Mei-Ling L. Liu, Coordinator, Network Administration
Communications Services
Cal Poly San Luis Obispo
Internet: mliu@polyslo.calpoly.edu
BITNET: mliu@calpoly
******************************************************************
kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England)) (11/11/88)
In article <5571@polyslo.CalPoly.EDU> mliu@polyslo.CalPoly.EDU (Mei-Ling L. Liu) writes: > > I am anxious to hear from people who have looked into or have > implemented tools to detect unauthorized connections on their net- > works. > I have a campus network with a broadband backbone and ethernet > basebands. We are running XNS now but will soon be switching to > TCP/IP. Users are supposed to notify us (the Computing Center) > before they hook anything up to the network, but naturally some of > them conveniently overlook this rule. I am assuming you are talking about people just "plugging in" a PC or other device onto one of your LANs and not bothering to coordinate with you. You are not talking about people trying to break into your LAN for some devious purpose. This is a problem a lot of people are going to have in future as it becomes easier to buy and install workstations or PCs. Fortunately in this case, the lack of dynamic discovery mechanisms in TCP/IP is an advantage. For this unauthorized PC to participate fully in tcp/ip applications requires some registrations. Perhaps one way to get people to register their PCs would be for the academic computing service to provide some specific services, like domain name service and e-mail to the outside world. The PC installer would have to call you to get: a valid domain name a valid IP address authorization to use a mail exchanger. Would this be enough to entice the typical PC user to call you? Of course, he can use an /etc/hosts table and smtp for himself, but I assume you could set things up so that most other people on campus would not be able to easily communicate with this PC. Ok, assume this person *still* won't call you and register, so he's out there with an unauthorized IP address and you want to find him and have the Protocol Police pay him a visit. Before too long if you have IP routers with SNMP or a smart bridge with some kind of mgmt s/w, you can have these bridges or routers send an event report whenever their arp tables have an entry made, assuming the vendor gives you that option. Log the event. Have another application run these events through a filter which compares them against an authorized list and report those arp entries that are unauthorized. Then have the Protocol Police track down the offending node and put a Denver boot on it. :-) Guaranteed to please the user community. If routers with SNMP and smart bridges of that nature are not available to you, buy an ethernet analyzer (notice I didn't say lanalyzer or LANalyzer(tm). Ok, excelan?) and once in a while plug it into a subnet and take a reading and build an arp table or just log Ethernet addresses seen in the source. Manually check against the authorized list. If you have one undifferentiated Ethernet, this is the easiest check to do. At Boston University we provide complete Ethernet systems. It is relatively easy for anyone to request an Ethernet installation. We will do the cable install and verify its operation and we will ask for the proper registrations and give advice on subnet masks and broadcast fill patterns and default gateways to use. We don't get innocent people just plugging in. We try to make it easier to call than not to call. That is my advice to you, but as I said above it will happen more and more anyway. As to snoopers and crackers, that's another level of threat altogether. This is much harder to thoroughly protect against. But if you can accurately describe the threat, we can figure out a defense. ONe of the problems with security issues is that people don't understand that you build security systems against a specified level of threat. It's like people think you can do statistics without a model of the system producing the data. It may not be explicit, but the model is there. Same with security systems; if the threat isn't specified before it will be apparent after. Problem is, that after you may find it isn't a credible threat or is the wrong one. Kent England, Boston University
bob@rel.eds.com (Bob Leffler) (11/11/88)
In article <5571@polyslo.CalPoly.EDU>, mliu@polyslo.CalPoly.EDU (Mei-Ling L. Liu) writes: > > *** Detecting Unauthorized Connections on Your Network *** > > I am anxious to hear from people who have looked into or have > implemented tools to detect unauthorized connections on their net- > works. I have an application that listens to ethernet and collects ethernet hardware addresses. We then compare this listing to the list of known nodes. With a lanalyzer it is then pretty simple to locate the foreign node. This works pretty well in our environment where we have physical security of most devices. The only real problem we get is a user that decides he wants to re-arrange his cube and starts unplugging cables. bob -- Bob Leffler - EDS, GM Truck & Bus Account (313)456-5375 bob@rel.eds.com or {uunet!edsews, rutgers, umix}!rel!bob Opinions expressed may not be those of my employer.