RE: finding undocumented external connections

[Gary Crumrine <gcrum () us-state gov>]

One thing I think this discussion has missed, is the fact that if the 
company has a security policy, you may need to update it to today's 
business needs.  If there is a legitimate need for connectivity to the 
Internet, and you are not currently serving that need, you are forcing 
users to circumvent the system.  I think it would be a good idea to work 
with them to build a business case, then go ahead and provide the needed 
service in a safe and secure manner.   Then when you find illegal stuff, 
you have to consider it as a hostile act and deal with it accordingly.

I have found that users will cooperate if they feel you are sincere and are 
willing to work with/for them.

-----Original Message-----
From:   torkel.thune () kreditkassen no [SMTP:torkel.thune () kreditkassen no]
Sent:   Wednesday, August 05, 1998 6:45 AM
To:     firewall-wizards () nfr net
Subject:        RE: finding undocumented external connections

Another way to check for unauthorised modem user is to log all external
numbers going through you PBX and compare this file against a database of
known ISP numbers - then you have to pay the caller a visit.
We tried this and got some interesting results!
But be sure you have legal and management cover before you do this!

Another line of defence in your work with removing unauthorised connections
is to educate your IT Maintenance people to look for and report if they
find traces of such connections, e.g., loose cables connected to COM-ports,
change in configuration of the clients.......


Torkel Thune






"Stout, Bill" <StoutB () pios com> den 03.08.98 17:04:29

Send svar til "Stout, Bill" <StoutB () pios com>

Til:  Firewall-wizards <firewall-wizards () nfr net>
cc:    (bcc: Torkel Thune/HK/CBK)
Emne: RE: finding undocumented external connections




Watch for unknown IP addresses on the net, or lots of traffic to one
node that may act as a gateway.  To do this you need a monitor on each
local network (either sniffers, network probes, IDS, or other).  Once
you see a foreign address, trigger a script to traceroute it, probe it,
identify it.

If your users add a modem to a PC, you won't see it from the network.
You can wardial each area-code/prefix, but you'll miss modems which are
not in auto-answer mode.  Wardialers will catch users who created
dial-in access to your net (carbon copy, PC-anywhere, RAS, PPP/terminal
servers, etc).  Requesting a copy of each offices' phone bill may be of
some help, but multiple departments may be paying separate bills.

Company policies help, if the directors and employees take them
seriously.

Bill Stout

> ----- Original Message -----
> From:   Ng, Kenneth  [SMTP:kenng () kpmg com]
> Sent:   Friday, July 31, 1998, 8:01:08
> To:     Stout, Bill
> Subject:     finding undocumented external connections
>
> [To unsubscribe, send mail to majordomo () lists gnac net with
> "unsubscribe firewalls" in the body of the message.]
> -
> I have a question to those people who run large networks.  Sorry this
is
> not directly related to firewalls, but I believe it to be reasonably
> close.  If you have lets say a hundred or more offices, it becomes
> impratical to visit each and every one can conduct an audit of the
> network in that office.  What methods are there for finding out if an
> office has set up an unauthorized connection to either the Internet or
> to another company?  Currently the only way I know is to see if an
> unusual route shows up on the WAN.  Yes I know that the best system is
> for people to report such connections, but if this was a perfect world
> we wouldn't need locks on our doors.  Thank you in advance for your
> suggestions.
> ----- End Of Original Message -----