Penetration Testing mailing list archives

Re: OT: the detection of illegal gateways


From: Lee <ler762 () gmail com>
Date: Sat, 22 May 2010 10:42:36 -0400

There have been a lot of good suggestions for finding 'illegal' routers.
The two I like the best are:
5) talk with purchasing dept and give them 'keywords' that they can use to
look through purchases to see where an internet connection may have been
purchased with a corporate credit card
  ...
7) if all internet traffic is supposed to pass through an internet firewall
or proxy, look for "lack of traffic" from IP blocks on your WAN.  Even a
regular windows machine sitting at rest is sending out queries to windows
update, NTP, DNS, etc.

What I haven't seen mentioned yet is using Netflow to report on layer 2 traffic.

If you're ok with writing your own software & the customer has the
right hardware you could try modifying the Cisco TCL Portscanner
(http://www.packetlevel.ch/html/cisco/ciscotcl.html) to loop through all
addresses on the user subnet doing a
  ip route $internetWebServer 255.255.255.255 $host
  connect $internetWebServer 80
  no ip route $internetWebServer 255.255.255.255 $host
to find the 'illegal' routers.

Regards,
Lee

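The route-probe loop Lee sketches, rewritten as an added example for a Linux probe host with iproute2 (this is not Lee's code, not the Cisco TCL Portscanner, and not from the thread). It assumes root, a directly attached user subnet, a placeholder Internet web server address, and that the sanctioned gateway is passed in so it is skipped; `run` and `connect` are injectable only so the loop can be exercised without touching the routing table.

```python
import ipaddress
import socket
import subprocess
from typing import List

def route_cmds(target: str, via: str):
    """iproute2 equivalents of 'ip route ... $host' and 'no ip route ...'."""
    add = ["ip", "route", "replace", f"{target}/32", "via", via]
    delete = ["ip", "route", "del", f"{target}/32", "via", via]
    return add, delete

def tcp_connect(target: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake with target:port completes (the 'connect' step)."""
    try:
        with socket.create_connection((target, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_gateway(candidate: str, target: str, port: int = 80,
                  run=subprocess.run, connect=tcp_connect) -> bool:
    """Route target via candidate, try to connect, always remove the route."""
    add, delete = route_cmds(target, candidate)
    if run(add, check=False).returncode != 0:
        return False  # route not installed (not root, no such link, ...)
    try:
        return connect(target, port)
    finally:
        run(delete, check=False)

def find_rogue_gateways(subnet: str, target: str, port: int = 80,
                        run=subprocess.run, connect=tcp_connect,
                        exclude=()) -> List[str]:
    """Loop over every host on the user subnet, as the IOS Tcl loop would."""
    found = []
    for host in ipaddress.ip_network(subnet).hosts():
        h = str(host)
        if h in exclude:  # skip the sanctioned default gateway(s)
            continue
        if probe_gateway(h, target, port, run=run, connect=connect):
            found.append(h)
    return found

if __name__ == "__main__":
    import sys
    # usage (placeholder addresses): sudo python3 probe.py 10.1.2.0/24 198.51.100.10 10.1.2.1
    subnet, web, legit_gw = sys.argv[1:4]
    for gw in find_rogue_gateways(subnet, web, exclude=(legit_gw,)):
        print("host forwards traffic to the Internet:", gw)
```

A hit only tells you the host forwards packets; it may have its own uplink or just have IP forwarding enabled and hand the packet back to the corporate gateway, so confirm each finding against the firewall or proxy logs before acting on it.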

On 5/17/10, J Hein <j.hein () ymail com> wrote:
Hi all,
this post might be somewhat off-topic, so please accept my apologies first.

I have a somewhat difficult problem to crack - there is a large corporate
network which covers several Nordic countries, and unfortunately there have
been cases in the past where a device with routing capability has been
plugged into the network (for creating a "faster" connection to the internet
for a branch office). Because this violates corporate policies and creates
"invisible" entry points to the internal network, I have been given a task
to find suitable software for finding such illegal routers.

Are there any good products for detecting illegally installed boxes with a
routing capability? One of my fellow consultants suggested IP Sonar (by
Lumeta) for this purpose which (as he claims) has been successfully used by
BT in the past. From the product description I've got an impression that IP
Sonar cleverly uses traceroute for detecting routers that illegally exchange
information between internal networks and the internet (so called "network
leaks").

I understand that router detection is a complex issue, and in order to
address this problem fully, one needs to analyze traffic that flows through
all key routers and switches in the whole corporate network. Unfortunately,
since the deployment of such monitoring system takes a lot of time, I'd like
to begin with a relatively simple solution which attempts to locate network
leaks by polling the network from a few points only (like IP Sonar does, using
traceroute for that purpose).

Can anyone recommend any such commercial or open source tools? (open source
utilities would actually be my preference :)  Also, what is your experience
with IP Sonar -- is it really good stuff?

Thanks in advance :)
--
jhein
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------