“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War
A couple of months ago a client of ours discovered that a machine in a remote office had been infected with ransomware. Through the post-mortem, he discovered that the infected machine had been placed on site by an outside vendor; that the computer had Remote Desktop Protocol (RDP) enabled and exposed to the outside world; that the username and password to the account were trivial (1-2-3-4 anyone?).
Yes, the password was terrible. Yes, it was exposed through the firewall. But the start of the problem was the fact that no one in IT even knew the machine existed.
What’s On Your Network?
I know you think this can’t happen to you. But try answering these questions:
- How many open network jacks do you have in your building? (Anyone can plug in!)
- Do you have WiFi in your office?
- Even if it’s private WiFi, how much do you trust your employees not to give out the password, or use private WiFi for their personal devices?
Here are a couple of steps to find out what has been connecting to your network:
- Go to your DHCP server and look at the lease table
- If you host your own DNS, take a look at the names of the clients that have registered
- Open your firewall and look at the client connections
Often when I step into a new client’s office, I’ll pull these lists and start taking notes. Usually it’s easy to find out what doesn’t belong. Once, in a list of DHCP clients, I saw the usual, corporate-looking pattern of machine names: “Workstation-01”, “Workstation-02”, “Workstation-03”, etc. And there, in the middle of the list, was one named “BADMUTHUF**KER”. Like a sore thumb, right?
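The three lists above (DHCP leases, DNS registrations, firewall clients) are only useful if you actually compare them against what you expect to see. Below is an added example, not part of the original post, of the kind of first-pass audit described here: it takes a DHCP lease table exported as CSV (hostname, IP, MAC), checks each lease against a corporate naming convention and against a list of MAC addresses you already have in inventory, and reports everything that doesn't fit. The naming pattern, the inventory list and the lease rows are all constructed for the example.

```python
"""Audit a DHCP lease export for devices that don't belong.

Added example (not from the post). Assumptions:
- The lease table is a CSV with columns hostname, ip, mac. Most DHCP servers can
  export or be scripted into this shape.
- Corporate machines follow a naming convention like Workstation-01 / Printer-03.
- KNOWN_MACS is your existing hardware inventory.
All sample data below is constructed.
"""
import csv
import io
import re

# Naming convention to enforce (assumption for this example).
CORPORATE_NAME = re.compile(r"^(workstation|printer|server)-\d{2,3}$", re.IGNORECASE)

# Hardware inventory: MAC addresses of machines IT knows about (constructed).
KNOWN_MACS = frozenset({
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
    "00:11:22:33:44:30",
})

# Constructed DHCP lease export. Note the default-named vendor box, the phone,
# and the lease with no hostname registered at all.
SAMPLE_LEASES = """hostname,ip,mac
Workstation-01,192.168.1.21,00:11:22:33:44:01
Workstation-02,192.168.1.22,00:11:22:33:44:02
DESKTOP-7QX3M2,192.168.1.57,8c:85:90:aa:bb:cc
Printer-01,192.168.1.30,00:11:22:33:44:30
android-3f2a,192.168.1.88,ac:de:48:00:11:22
,192.168.1.99,d4:3d:7e:12:34:56
"""


def parse_leases(text):
    """Parse the CSV export into a list of {hostname, ip, mac} dicts."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        {
            "hostname": row["hostname"].strip(),
            "ip": row["ip"].strip(),
            "mac": row["mac"].strip().lower(),
        }
        for row in reader
    ]


def audit_leases(leases, known_macs):
    """Return {ip: [reasons]} for every lease that deserves a second look.

    A lease is flagged when its hostname is missing or outside the naming
    convention, or when its MAC address is not in the hardware inventory.
    """
    findings = {}
    for lease in leases:
        reasons = []
        if not lease["hostname"]:
            reasons.append("no hostname registered")
        elif not CORPORATE_NAME.match(lease["hostname"]):
            reasons.append("hostname outside naming convention")
        if lease["mac"] not in known_macs:
            reasons.append("MAC address not in inventory")
        if reasons:
            findings[lease["ip"]] = reasons
    return findings


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for ip, reasons in audit_leases(leases, KNOWN_MACS).items():
        print(f"{ip}: {'; '.join(reasons)}")
```

Run against a real export, the output is your starting list of "what is that?" questions for the next walk through the building. Anything flagged on both checks (odd name and unknown MAC) is the first thing to go look at.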
Most often, however, I find employees’ personal phones and tablets connected to internal WiFi networks, or even employees’ friends who have connected. It’s who you know.
Know Your Enemy
We’ll talk about knowing yourself later, but the purpose of this post is to help you know your enemy. How do you keep up with the devices that connect to your network?
We gear what we do to small to medium-sized businesses. Unfortunately, in the SMB space, it’s hard to keep abreast of what’s connecting to your network. In the enterprise space it’s much easier: install Splunk, start monitoring your DHCP server, IDS and firewall logs, and you’re in pretty good shape. Or, enterprises can sharply limit what can connect to each port on each switch through hardware configuration, and use certificate and LDAP authentication to limit WiFi to individual, authenticated clients. But as you can guess, these options require highly skilled workers and expensive hardware to keep the whole thing running, not to mention monitoring for violations.
Options For The Small Business
We’re “Shoestring Networks”. We want to help you build a safe, secure network on a shoestring budget. With that in mind, here are a couple of utilities you can use to help you stay on top of your network inventory.
- Spiceworks (https://www.spiceworks.com) – I love Spiceworks. It’s a free, full-featured IT helpdesk system. It’s ad-supported, so you’ll get lots of geek ads in your face when you use it, but I don’t mind because of what it gives me. One of its features is an inventory piece. It periodically scans your network to see what’s out there, and can alert you to new devices based on settings you configure (by default it’s via a “Coffee Report” delivered weekly by email). It can’t notify you in real-time when a device connects, but you can tell Spiceworks to send you an email each time it finds a new device on your network, and you can set the scan interval to a lower value than its default of daily at 2 am (as low as every 5 minutes). Of course, the lower you set it, the more work the system has to do.
- Nmap / Zenmap (https://nmap.org/download.html) – Nmap is a free network scanning tool that’s been around a long time. Nmap is a command-line tool, but Zenmap is a decent GUI that overlays Nmap’s output. Nmap is relatively fast and can be customized with scripts to help you identify specific types of devices. It can fingerprint target devices and scan for open ports and services. One of the first things I do in a new engagement is pull out Nmap and run a complete network scan so that I can get an idea of what I’m working with. Unfortunately, again, this won’t give you an automated notification of new devices, but over time it will help you build an inventory of your network.
- Advanced IP Scanner (http://www.advanced-ip-scanner.com) – Advanced IP Scanner is another great little on-demand network scanner. Besides giving you basic information about devices like device name, IP address, MAC address, and logged-on user, it will also scan open ports for common services and give you a quick interface for accessing those services on the target machine. Finally, it caches the output so that you can get an idea of machines that it’s found in previous scans, and whether they’re online or not. Again, it’s an on-demand scanner, so nothing automatic, but it helps you get an idea of what’s on your network.
- BinaryPlant Arp Monitor (http://binaryplant.com/arp-monitor) – Most small networks I work with are Windows-based, and the companies don’t have a Linux geek on hand. That’s unfortunate, because there’s a nice little Linux utility called Arpwatch that constantly monitors your network and notifies you by email whenever a new device connects. That’s the holy grail! But I have yet to find a Windows equivalent. However, Arp Monitor from BinaryPlant can give you some of that information when the situation is right. It’s a small application that runs in your system tray and monitors connection activity in real-time. When any new device connects to a network, it sends out an Address Resolution Protocol (ARP) packet that is intercepted and detected by Arp Monitor. Arp Monitor then pops up a notification in your status bar that it’s found a new device. You can also tell it to send a network popup to a computer on your network. I wish it would email you, but alas, that’s not available. In addition, it appears that the program is no longer being updated (the last update was in 2009), but it still works on Windows 10, so I’ll keep using it until it doesn’t (or until someone ports Arpwatch to Windows).
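What Arpwatch and Arp Monitor do under the hood is simple: keep a table of the MAC/IP pairs seen so far and raise an event when a pair appears that wasn't there before. If you don't have either tool, you can get a poor man's version by snapshotting your ARP table on a schedule and diffing it against a saved baseline. The following is an added example written for this post; it is not code from Arpwatch or BinaryPlant. It assumes you capture `arp -a` output from a Windows machine on the LAN (the format parsed below), and both snapshots here are constructed. It reports the two events Arpwatch users will recognise: a new station, and an existing IP that suddenly answers from a different MAC.

```python
"""Arpwatch-style change detection from two ARP table snapshots.

Added example, not part of the post and not Arpwatch/Arp Monitor code. It
assumes `arp -a` output in the Windows layout shown below; the snapshots are
constructed. Broadcast and multicast (static) entries are ignored.
"""
import re

# One `arp -a` row: IP, MAC (Windows uses dashes, Unix uses colons), type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(dynamic|static)",
    re.IGNORECASE,
)

# Constructed baseline snapshot: the devices IT expects to see.
BASELINE_ARP = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.21          00-11-22-33-44-21     dynamic
  192.168.1.22          00-11-22-33-44-22     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed later snapshot: .21 now answers from a different MAC and a
# brand-new station has appeared at .57.
LATER_ARP = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.21          8c-85-90-aa-bb-cc     dynamic
  192.168.1.22          00-11-22-33-44-22     dynamic
  192.168.1.57          d4-3d-7e-12-34-56     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def parse_arp(text):
    """Return {ip: mac} for dynamic entries, with MACs normalised to aa:bb:cc form."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # header, interface line, or blank
        ip, mac, kind = m.group(1), m.group(2).lower().replace("-", ":"), m.group(3).lower()
        if kind == "dynamic":
            table[ip] = mac
    return table


def diff_arp(baseline, current):
    """Compare two snapshots and return a list of events.

    'new station'              - an IP/MAC pair never seen before
    'changed ethernet address' - a known IP now answering from another MAC
                                 (a replaced device, or someone reusing the IP)
    """
    events = []
    for ip, mac in sorted(current.items()):
        if ip not in baseline:
            events.append({"event": "new station", "ip": ip, "mac": mac, "old": None})
        elif baseline[ip] != mac:
            events.append({"event": "changed ethernet address", "ip": ip,
                           "mac": mac, "old": baseline[ip]})
    return events


if __name__ == "__main__":
    for ev in diff_arp(parse_arp(BASELINE_ARP), parse_arp(LATER_ARP)):
        old = f" (was {ev['old']})" if ev["old"] else ""
        print(f"{ev['event']}: {ev['ip']} {ev['mac']}{old}")
```

Schedule this to run every few minutes with the previous snapshot as the baseline and you have most of what Arpwatch gives you; the piece that's missing is the email, which is a few lines with whatever mail library you already use. Keep in mind it only sees hosts that have talked to the machine running it, so run it on something that all clients reach, such as the file server or the DHCP server.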
I’m sure there are more ways to keep an up-to-date inventory of devices on your network. Most likely you’ll have even better tools than I’ve listed here. Share them with the community in the comments below.
How do you keep up with rogue devices?