Detecting Unauthorized Devices


Intruders are constantly attempting to bypass security systems. After all, why break through the firewall when you can bypass it by connecting to an unauthorized modem, or by intercepting an authorized user's password with a sniffer and then presenting it to the firewall?

Regular Revision of the Devices

To eliminate one of the possible ways of penetrating a protected corporate network by bypassing the installed security tools, it is necessary to perform a complete revision of all systems, network and peripheral devices (for example, remote access servers or modems) at least once per month (and sometimes even more frequently). This revision can be performed using network management systems, as will be shown in Chapter 7. Naturally, if you are planning a revision, it is necessary to have the network map prepared beforehand.

Sometimes, you might need not only a remote inventory performed with automated systems, but a local revision as well, in order to make sure that a specific device is physically present. This ensures that intruders cannot evade detection by the remote inventory procedures alone. When you are preparing for such procedures, do not inform anyone except the persons who actually need to know. This will prevent intruders from hiding or temporarily removing unauthorized devices.

Special mention should be made of the difficulties that you might encounter when taking an inventory of wireless devices, which have become more and more common. Unfortunately, at the time of writing, few tools exist for scanning wireless networks. Among these, I would like to note the WaveStumbler freeware utility (http://www.cqure.net/tools08.html), and one commercial product, Wireless Scanner, from ISS.

Warstorming - the New Word in Hacking Wireless Networks 

Australian hackers from Perth feel rather comfortable on board a small plane at a height of 460 meters. What could be hacked up there except the plane's own systems, you might ask? The answer is easy. Currently, there are lots of companies using wireless networks, and their number is growing. Wireless networks are very convenient, but most companies simply do not pay sufficient attention to their security. As a rule, their wireless networks are not protected at all: everyone who wants to connect is free to do so. Thus, the hackers decided to fly over the city, and found about 95 hosts, using only an iPaq and a notebook with the appropriate software installed. Previously, hackers had searched for wireless networks using cars or bikes, or simply by walking with their notebooks and PDAs. This occupation became known as "warstorming" (a combination of "wardriving" and "barnstorming"). The origin of the term "wardriving" is interesting: in the past, hackers dialed through a list of phone numbers in the hope of reaching a number with a modem attached. This occupation became known as "wardialling." Walking in search of wireless networks is called "warwalking," and doing so with a car is "wardriving."

Controlling Modems

To detect the presence of modems in a network, you can use special programs that use various methods to perform remote checks on dozens, or even hundreds, of hosts. Usually, such programs use one of two main operating principles. The first is the well-known class of programs called "wardialers," "carrier scanners," or "PBX scanners." These programs dial the specified range of phone numbers in search of modems installed at the other end of the line. Examples of such programs are THC Scan; PhoneSweep, from Sandstorm Enterprises; and TeleSweep Secure Scanner, from SecureLogix Corporation. Other systems, such as Internet Scanner, implement a mode that searches for active modems installed on workstations and servers by analyzing the system registry. (Obviously, this method only applies to the Windows platform.) A separate category of products includes tools for searching for remote access systems, for example, Remote Access Perimeter Scanner (RAPS) from Symantec.

Like an inventory, it is recommended that you run these programs on a regular basis.
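Whichever tool produces the list of devices, the useful step is the reconciliation the two sections above describe: comparing what the sweep discovered against the register of authorized devices, so that both unauthorized modems and authorized devices that are no longer present stand out. The following is an added example written for this page, not code from the book or from any of the products it names; the inventory record format and the device names are constructed assumptions standing in for the export of a network management or registry-scanning tool.

```python
"""Reconcile a discovered device inventory against the authorized register.

Added example (not from the book). The record format is an assumption:
one (host, device class, device name) triple per device reported by a
host, as a network-management or registry-scanning tool might export it.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Device:
    host: str
    dev_class: str   # e.g. "modem", "nic", "disk"
    name: str


# Constructed authorized register: what the security team has approved.
AUTHORIZED = {
    Device("srv-db01", "modem", "US Robotics 56K"),   # remote database link
    Device("srv-db01", "nic", "Intel PRO/100"),
    Device("ws-acct07", "nic", "3Com 3C905"),
    Device("ras-01", "modem", "Multitech MT5634"),    # remote access server
}

# Constructed result of a remote inventory sweep.
DISCOVERED = [
    Device("srv-db01", "modem", "US Robotics 56K"),
    Device("srv-db01", "nic", "Intel PRO/100"),
    Device("ws-acct07", "nic", "3Com 3C905"),
    Device("ws-acct07", "modem", "Zoom 56K PCI"),     # not in the register
    Device("ws-hr03", "modem", "Generic 56K"),        # host unknown to the register
]


def reconcile(discovered, authorized):
    """Return (unauthorized, missing): devices found but not approved, and
    approved devices the sweep did not find (candidates for a physical check)."""
    found = set(discovered)
    unauthorized = sorted(found - set(authorized))
    missing = sorted(set(authorized) - found)
    return unauthorized, missing


def modem_hosts(devices):
    """Hosts on which any modem was reported, approved or not."""
    return sorted({d.host for d in devices if d.dev_class == "modem"})


def report(discovered, authorized):
    unauthorized, missing = reconcile(discovered, authorized)
    lines = ["Unauthorized devices:"]
    lines += [f"  {d.host}: {d.dev_class} {d.name}" for d in unauthorized] or ["  none"]
    lines.append("Authorized devices not found (verify physically):")
    lines += [f"  {d.host}: {d.dev_class} {d.name}" for d in missing] or ["  none"]
    lines.append("Hosts with modems: " + ", ".join(modem_hosts(discovered)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DISCOVERED, AUTHORIZED))
```

The "missing" list is what motivates the local revision: an authorized modem that the remote sweep no longer sees may have been moved to an unauthorized host or simply powered off for the day of the audit, and only a physical check settles which.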

Uncontrolled Modem Usage 

When performing auditing procedures in large banks, I detected several computers to which modems were connected. In the course of the investigation, it became evident that the presence of only one of these modems was authorized (the device was installed to provide access to a remote database). All other modems had been installed by the bank employees, who used them for accessing the Internet, bypassing the firewall system of the bank's LAN. One computer with a modem connected was found to have the pcAnywhere program installed, enabling the employee to access confidential data from his home computer.

It is necessary to identify traffic whose sender or recipient addresses belong to networks external to the protected network, but which was not registered by the firewalls or perimeter routers. This will allow you to determine whether unauthorized modems are present in your network. For example, employees might use unauthorized modems to access the office network from home, or to access the Internet by bypassing the firewall. There are lots of tools suitable for the detection of such traffic: intrusion detection systems, the log files of internal network equipment, and various decision-support systems. For example, the SAFEsuite Decisions system, which belongs to the last category, can detect attacks that were not detected and stopped at the firewall, but were noticed within the internal network.
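The check described in this paragraph amounts to a set difference: every internal-to-external (or external-to-internal) conversation that an internal sensor observed but the perimeter devices never logged must have entered the network through some other path. The following is an added example written for this page, not code from the book or from SAFEsuite Decisions; the two log formats, the internal address ranges and every address in the sample logs are constructed assumptions.

```python
"""Find perimeter-crossing traffic that the firewall never saw.

Added example (not from the book). Both log formats are constructed
assumptions: a firewall connection log and an internal IDS/sensor flow
log, each line of the form "src=<ip> dst=<ip> proto=<p> dport=<n>".
"""
import ipaddress
import re

# Constructed: the address space of the protected network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

# Constructed perimeter log: connections the firewall allowed through.
FIREWALL_LOG = """\
src=10.1.2.3 dst=198.51.100.7 proto=tcp dport=80
src=203.0.113.9 dst=10.1.5.20 proto=tcp dport=25
"""

# Constructed internal sensor log: what an IDS inside the LAN observed.
SENSOR_LOG = """\
src=10.1.2.3 dst=198.51.100.7 proto=tcp dport=80
src=10.1.7.44 dst=198.51.100.23 proto=tcp dport=80
src=203.0.113.9 dst=10.1.5.20 proto=tcp dport=25
src=192.0.2.15 dst=10.1.9.8 proto=tcp dport=5631
src=10.1.2.3 dst=10.1.5.20 proto=tcp dport=445
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(log):
    """Yield (src, dst, proto, dport) for each well-formed log line."""
    flows = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # skip lines in another format
        src, dst, proto, dport = m.groups()
        flows.append((src, dst, proto, int(dport)))
    return flows


def external_pairs(flows):
    """Set of (internal_host, external_host) pairs for flows that cross
    the perimeter; purely internal and purely external flows are ignored."""
    pairs = set()
    for src, dst, _, _ in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and not dst_in:
            pairs.add((src, dst))
        elif dst_in and not src_in:
            pairs.add((dst, src))
    return pairs


def find_bypass(firewall_log, sensor_log):
    """Perimeter-crossing pairs seen inside the LAN but absent from the
    firewall log: each one points at a path around the firewall."""
    at_perimeter = external_pairs(parse(firewall_log))
    inside = external_pairs(parse(sensor_log))
    return sorted(inside - at_perimeter)


def bypass_details(firewall_log, sensor_log):
    """Full flow records behind each suspicious pair, for the investigator."""
    suspects = set(find_bypass(firewall_log, sensor_log))
    return [f for f in parse(sensor_log)
            if (f[0], f[1]) in suspects or (f[1], f[0]) in suspects]


if __name__ == "__main__":
    for src, dst, proto, dport in bypass_details(FIREWALL_LOG, SENSOR_LOG):
        print(f"not seen at perimeter: {src} -> {dst} {proto}/{dport}")
```

In the sample, the inbound connection to port 5631 on 10.1.9.8 is the pattern the bank audit above describes: an outside host reaching a workstation without the firewall ever logging it. On a real network the comparison should be keyed to the same time window on both sides, since a sensor will also see flows the firewall logged a few seconds earlier or later.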

Controlling Access to Physical Resources

Most of us have ingrained mental habits that make us overlook quite simple questions. Naturally, the information in computer systems takes the form of zeros and ones "roaming" the networks. However, do not forget that the same information can be contained on diskettes, CDs or other media, including paper copies. These physical items also might become potential targets for intruders. Thus, it is necessary to provide physical protection for all components of the information system.

Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152