Penetration Testing mailing list archives

Re: OT: the detection of illegal gateways


From: Kurt Buff <kurt.buff () gmail com>
Date: Fri, 21 May 2010 11:42:06 -0700

On Mon, May 17, 2010 at 02:39, J Hein <j.hein () ymail com> wrote:
hi all,
this post might be somewhat off-topic, so please accept my apologies first.

I have a somewhat difficult problem to crack - there is a large corporate network which covers several Nordic 
countries, and unfortunately there have been cases in the past where a device with routing capability has been 
plugged into the network (for creating a "faster" connection to the internet for a branch office). Because this 
violates corporate policies and creates "invisible" entry points to the internal network, I have been given a task to 
find suitable software for finding such illegal routers.

Are there any good products for detecting illegally installed boxes with a routing capability? One of my fellow 
consultants suggested IP Sonar (by Lumeta) for this purpose which (as he claims) has been successfully used by BT in 
the past. From the product description I've got an impression that IP Sonar cleverly uses traceroute for detecting 
routers that illegally exchange information between internal networks and the internet (so called "network leaks").

I understand that router detection is a complex issue, and in order to address this problem fully, one needs to 
analyze traffic that flows through all key routers and switches in the whole corporate network. Unfortunately, since 
the deployment of such monitoring system takes a lot of time, I'd like to begin with a relatively simple solution 
which attempts to locate network leaks by polling the network from few points only (like IP Sonar does, using 
traceroute for that purpose).

Can anyone recommend any such commercial or open source tools? (open source utilities would actually be my preference 
:)  Also, what is your experience with IP Sonar -- is it really good stuff?

Thanks in advance :)
--
jhein

This is a very tough problem, and I don't think you can solve it with
only a software package, or at least not easily.

The problem involves at least two classes of hardware: standalone
router/firewall devices brought in from the outside and second NICs in
company-issued machines (which includes tethered phones, such as
iPhones and Androids).

Assuming that the authorized switches/routers in the network are
intelligent, I think your best bet is to use them to do
pings/traceroutes through each IP address they know about on their
network to some public IP address and have them report back.

However, even this will not work if the person who set up the machine
is lucky and/or good enough to set up the device to drop those packets
on the floor.

A second measure, assuming that Windows is the OS used by all of these
machines, and that you have Administrator access, is to do a hardware
inventory of machines frequently via a software package (heck, it
could be as simple as 'psexec ipconfig /all' run against all of your
Windows machines) and note the NICs in each machine, the IP addresses
assigned. With those data, you can see who has a multi-homed device.
Also, you can then note the difference between the addresses consumed
by machines for which you had Administrator access and the pool of
actively used IP addresses on each subnet, which will tell you a lot
about machines which are probably unauthorized anyway.

Kurt
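One way to act on the inventory approach described above (note the NICs and addresses per machine, then compare the inventoried addresses against the pool actually in use), as an added example that is not part of the original thread: it parses constructed 'ipconfig /all' snippets, flags hosts that have both a corporate interface and an interface or gateway outside an assumed corporate range, and lists active addresses that no inventoried machine or known gateway accounts for. The corporate range, the gateway and all sample data are assumptions.

```python
import ipaddress, re

# Constructed sample inventory: trimmed 'ipconfig /all' output per host, as it
# would be collected with 'psexec \\host ipconfig /all'; not real corporate data.
INVENTORY = {
    "WS-001": """
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.20.30.15(Preferred)
   Default Gateway . . . . . . . . . : 10.20.30.1
""",
    "WS-002": """
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.20.30.22(Preferred)
   Default Gateway . . . . . . . . . : 10.20.30.1
Ethernet adapter Wireless Network Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.104(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
""",
}
CORPORATE_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # assumed corporate range
KNOWN_INFRA = {"10.20.30.1"}  # assumed authorized gateway on that subnet
# Constructed: addresses seen in use on the subnet (switch ARP table, ping sweep)
ACTIVE_IPS = {"10.20.30.1", "10.20.30.15", "10.20.30.22", "10.20.30.77"}

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$", re.M)
IPV4_RE = re.compile(r"IPv4 Address[ .]*: (\d+\.\d+\.\d+\.\d+)")
GW_RE = re.compile(r"Default Gateway[ .]*: (\d+\.\d+\.\d+\.\d+)")

def parse_ipconfig(text):
    """Return (adapter, ipv4, gateway) for every adapter section holding an IPv4 address."""
    parts = ADAPTER_RE.split(text)  # ['', name1, body1, name2, body2, ...]
    found = []
    for name, body in zip(parts[1::2], parts[2::2]):
        ip = IPV4_RE.search(body)
        if ip:
            gw = GW_RE.search(body)
            found.append((name, ip.group(1), gw.group(1) if gw else None))
    return found

def in_corporate(ip):
    return any(ipaddress.ip_address(ip) in net for net in CORPORATE_NETS)

def find_multihomed(inventory):
    """Hosts with a corporate leg plus an interface or gateway outside the corporate ranges."""
    flagged = {}
    for host, text in inventory.items():
        adapters = parse_ipconfig(text)
        foreign = [a for a in adapters if not in_corporate(a[1]) or (a[2] and not in_corporate(a[2]))]
        if foreign and len(foreign) < len(adapters):  # at least one corporate interface too
            flagged[host] = foreign
    return flagged

def unaccounted_ips(inventory, active_ips):
    """Active addresses not explained by any inventoried machine or known infrastructure."""
    known = {a[1] for text in inventory.values() for a in parse_ipconfig(text)}
    return sorted(active_ips - known - KNOWN_INFRA)
```

Hosts returned by find_multihomed are candidates for a second NIC or tethered phone bridging out; addresses returned by unaccounted_ips are the ones you never got Administrator access to and should look at first.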
