Michael Mullins CCNA, MCP, TechRepublic, February 02, 2004, 12:00 GMT
To make sure that the only devices installed on your network are the ones you put there, take advantage of the free scanning tools that are available. Are you absolutely sure you know all the protocols and ports that are open on your network? If you're not the only person with the rights and permissions necessary to add devices to your network, you'll never know what's really "live and on the wire" -- unless you listen to your network. By periodically scanning your network, you'll be able to maintain a good view of what devices are connected to it and to determine whether those devices are communicating properly and using the allowed ports and protocols.
Depending upon the OS on your administrator's workstation, you could start by using scanning tools such as fping (http://www.fping.com/), which allow you to quickly scan a range of IP addresses to detect live network connections. This is one way to determine if someone is adding devices to the network without your knowledge and/or approval.
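The comparison the article describes, scanning a range and checking the live hosts against the devices you actually put there, can be automated. The following is an added example, not code from the article or from the fping project: it parses the "is alive" lines fping prints for a range (or the bare addresses printed with fping's -a option), diffs them against a constructed inventory of authorised hosts, and reports both unknown live devices and inventoried devices that did not answer. The sample output and inventory are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of what `fping -g 192.168.1.0/29` prints; not a real scan.
SAMPLE_FPING_OUTPUT = """\
192.168.1.1 is alive
192.168.1.2 is alive
192.168.1.3 is unreachable
ICMP Host Unreachable from 192.168.1.1 for ICMP Echo sent to 192.168.1.4
192.168.1.5 is alive
192.168.1.6 is unreachable
"""

# Constructed inventory: address -> name of the device the administrator placed there.
AUTHORIZED_HOSTS = {
    "192.168.1.1": "core-switch",
    "192.168.1.2": "admin-workstation",
    "192.168.1.6": "lab-printer",
}

# Matches "<ip> is alive" (default output) or a bare "<ip>" line (fping -a output).
ALIVE_RE = re.compile(r"^(\S+)(?:\s+is alive)?\s*$")


def parse_alive_hosts(fping_output):
    """Return the set of addresses fping reported as alive.

    Lines such as "<ip> is unreachable" or ICMP diagnostics do not match the
    pattern and are skipped; anything that matches must also parse as an IP.
    """
    alive = set()
    for line in fping_output.splitlines():
        match = ALIVE_RE.match(line.strip())
        if not match:
            continue
        candidate = match.group(1)
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # not an address, e.g. a stray diagnostic word
        alive.add(candidate)
    return alive


def audit_scan(fping_output, inventory):
    """Diff live hosts against the inventory.

    'unknown' are live addresses nobody placed on the network (rogue candidates);
    'silent' are inventoried devices that did not answer (down, moved, or blocked).
    Both lists are sorted numerically so reports are stable between scans.
    """
    alive = parse_alive_hosts(fping_output)
    unknown = sorted((ip for ip in alive if ip not in inventory), key=ipaddress.ip_address)
    silent = sorted((ip for ip in inventory if ip not in alive), key=ipaddress.ip_address)
    return {"unknown": unknown, "silent": silent}


if __name__ == "__main__":
    print(audit_scan(SAMPLE_FPING_OUTPUT, AUTHORIZED_HOSTS))
```

In practice feed it the output of a scheduled `fping -g <range>` run and keep the inventory under change control, so that every entry in "unknown" is a device to locate and block until it is accounted for.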
However, some devices (e.g., wireless devices) will need a different tool for discovery. If you're looking for rogue wireless access points (WAPs), you can use tools such as Kismet http://www.kismetwireless.net/ or NetStumbler http://www.netstumbler.com/. Finding an unauthorised WAP behind your security perimeter is bad news, but not finding one that's tapped into your network is even worse.
Ideally, you shouldn't find any surprises in your network scan results. If you do, though, take these steps.
Immediately block the IP address of the WAP device at the switch where it's connected. This should provide you with enough time to find the physical device while the user is trying to discover what happened to his or her wireless network connection.
If you find unknown non-wireless devices -- such as printers, departmental FTP/Web servers, etc. -- conduct an in-depth scan and determine exactly what the device's function is. Block the device from the network until you can physically locate it and disconnect it.
For a more thorough examination of the rogue device, you can use Ettercap http://ettercap.sourceforge.net/ or Winfingerprint http://winfingerprint.sourceforge.net/. Both utilities do an excellent job of decoding the type of OS that's running on a remote device, which should help you discover the device's original purpose. These utilities also show what services are running and what ports are listening for connections.
As administrators, it's our job to ensure that only authorised and secured devices operate on the network. Besides the obvious security reasons, there are performance gains to turning off unnecessary network protocols. Turning off unnecessary protocols helps reduce network chatter and frees up bandwidth for legitimate traffic.
I've mentioned a lot of network tools in this article, all of which are free. If you use these tools to listen to your network and map every IP address, you might be surprised by what you find.