Firewall Wizards mailing list archives
RE: finding undocumented external connections
From: Gary Crumrine <gcrum () us-state gov>
Date: Wed, 5 Aug 1998 13:06:31 -0400
One thing I think this discussion has missed is the fact that if the company has a security policy, you may need to update it to today's business needs. If there is a legitimate need for connectivity to the Internet, and you are not currently serving that need, you are forcing users to circumvent the system. I think it would be a good idea to work with them to build a business case, then go ahead and provide the needed service in a safe and secure manner. Then when you find illegal stuff, you have to consider it as a hostile act and deal with it accordingly. I have found that users will cooperate if they feel you are sincere and are willing to work with/for them.

-----Original Message-----
From: torkel.thune () kreditkassen no [SMTP:torkel.thune () kreditkassen no]
Sent: Wednesday, August 05, 1998 6:45 AM
To: firewall-wizards () nfr net
Subject: RE: finding undocumented external connections

Another way to check for unauthorised modem users is to log all external numbers going through your PBX and compare this file against a database of known ISP numbers - then you have to pay the caller a visit. We tried this and got some interesting results! But be sure you have legal and management cover before you do this!

Another line of defence in your work with removing unauthorised connections is to educate your IT Maintenance people to look for and report if they find traces of such connections, e.g., loose cables connected to COM-ports, change in configuration of the clients...

Torkel Thune

"Stout, Bill" <StoutB () pios com> on 03.08.98 17:04:29
Send reply to "Stout, Bill" <StoutB () pios com>
To: Firewall-wizards <firewall-wizards () nfr net>
cc: (bcc: Torkel Thune/HK/CBK)
Subject: RE: finding undocumented external connections

Watch for unknown IP addresses on the net, or lots of traffic to one node that may act as a gateway. To do this you need a monitor on each local network (either sniffers, network probes, IDS, or other). Once you see a foreign address, trigger a script to traceroute it, probe it, identify it.

If your users add a modem to a PC, you won't see it from the network. You can wardial each area-code/prefix, but you'll miss modems which are not in auto-answer mode. Wardialers will catch users who created dial-in access to your net (carbon copy, PC-anywhere, RAS, PPP/terminal servers, etc). Requesting a copy of each office's phone bill may be of some help, but multiple departments may be paying separate bills.

Company policies help, if the directors and employees take them seriously.

Bill Stout

----- Original Message -----
From: Ng, Kenneth [SMTP:kenng () kpmg com]
Sent: Friday, July 31, 1998, 8:01:08
To: Stout, Bill
Subject: finding undocumented external connections

[To unsubscribe, send mail to majordomo () lists gnac net with "unsubscribe firewalls" in the body of the message.]

I have a question to those people who run large networks. Sorry this is not directly related to firewalls, but I believe it to be reasonably close. If you have let's say a hundred or more offices, it becomes impractical to visit each and every one and conduct an audit of the network in that office. What methods are there for finding out if an office has set up an unauthorized connection to either the Internet or to another company? Currently the only way I know is to see if an unusual route shows up on the WAN. Yes I know that the best system is for people to report such connections, but if this was a perfect world we wouldn't need locks on our doors. Thank you in advance for your suggestions.

----- End Of Original Message -----
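
The PBX log comparison described in Torkel Thune's message, as an added Python example that is not part of any message in this thread. The CSV layout, the "9" outside-line prefix, the local area code and every phone number are constructed assumptions, not values from the thread.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample data: a PBX call-detail export (hypothetical CSV layout)
# and a database of known ISP dial-up numbers (made-up 555 numbers).
SAMPLE_CDR = """timestamp,extension,dialed,duration_s
1998-08-03T09:12:00,4417,9-1-212-555-0142,5400
1998-08-03T09:40:00,4417,9 (212) 555-0142,1800
1998-08-03T10:05:00,2203,9-555-0199,60
1998-08-03T11:30:00,3310,912125550177,7200
1998-08-03T13:00:00,2203,9-1-212-555-0100,240
"""
KNOWN_ISP_NUMBERS = {"2125550142", "2125550177"}
OUTSIDE_LINE_PREFIX = "9"   # assumption: users dial 9 for an outside line
LOCAL_AREA_CODE = "212"     # assumption: 7-digit calls are in this area code


def normalize(dialed):
    """Reduce a dialed string to a 10-digit national number, or None."""
    digits = re.sub(r"\D", "", dialed)
    if digits.startswith(OUTSIDE_LINE_PREFIX):
        digits = digits[len(OUTSIDE_LINE_PREFIX):]
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]                 # drop the long-distance "1"
    if len(digits) == 7:
        digits = LOCAL_AREA_CODE + digits   # local call without area code
    return digits if len(digits) == 10 else None


def find_isp_callers(cdr_text, isp_numbers):
    """Return {extension: {"calls": n, "seconds": s, "numbers": set}}."""
    hits = defaultdict(lambda: {"calls": 0, "seconds": 0, "numbers": set()})
    for row in csv.DictReader(io.StringIO(cdr_text)):
        number = normalize(row["dialed"])
        if number in isp_numbers:
            entry = hits[row["extension"]]
            entry["calls"] += 1
            entry["seconds"] += int(row["duration_s"])
            entry["numbers"].add(number)
    return dict(hits)


if __name__ == "__main__":
    for ext, e in sorted(find_isp_callers(SAMPLE_CDR, KNOWN_ISP_NUMBERS).items()):
        print(f"ext {ext}: {e['calls']} call(s), {e['seconds'] // 60} min, "
              f"to {', '.join(sorted(e['numbers']))}")
```

Normalizing before the lookup matters because the same ISP number appears in the log in several dialed forms; a raw string comparison would miss the second call from extension 4417.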