Ask The Security Expert: Questions & Answers
How to detect rogue DHCP servers, routers and NICs on a network

EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert
QUESTION POSED ON: 06 February 2006
What are the best techniques for detecting rogue DHCP servers, routers and NICs on a network?

Usually, performing a simple network scan will uncover many hidden applications and services you never knew were running. Scanning tools range from the venerable open source tool Nmap to high-end and expensive products for enterprise networks. However, the three situations you describe each present a unique issue which standard scanning equipment or Intrusion Detection Systems (IDS) cannot easily identify. Defending against each requires its own approach.

Let's first look at rogue DHCP servers. The crudest -- and most difficult -- approach would be to do a manual check for live DHCP servers using dhcping. This open source tool is a simple utility, like ping, except it tests for running DHCP servers. The results of a dhcping scan can be matched against a list of known DHCP servers on your network. Anything showing up in the scan, and not on your server inventory, should be suspect.

If you use Windows NT 4.0 and later, Windows 2000, XP and Server 2003, there is a command-line tool, Dhcploc, that shows all DHCP servers in your local subnet. While this tool isn't included in the Windows default package, it can be installed from the SupportTools folder of your installation CD.

Unix and Linux users can use dhcp_probe, a free tool available from the Network Systems Group at Princeton University's Office of Information Technology (http://www.net.princeton.edu/software/dhcp_probe).

If you are looking for a cross-platform tool to monitor network traffic, Traffic Server 4.0 from InMon Corporation can be configured to detect rogue and legitimate DHCP servers.

After you've detected rogue DHCP servers on your campus network, as a preventive measure, I recommend following these two steps. First, increase the physical security of your network. This will block access to anyone who might install an unauthorized DHCP server again. Second, if your network uses Windows 2000 or Windows Server 2003, only include legitimate DHCP servers in Active Directory. This way, any unauthorized DHCP server that attempts to access your network will be denied.

As for rogue routers, if you mean Wireless Access Points (WAP), there are two free tools you can use to scan your network: Netstumbler for Windows and Kismet for both Windows and UNIX environments. Tracking down illegitimate WAPs on campuses can be difficult. WAP sniffing tools need to be close to their target to detect them and therefore can't be managed from a central location. That's how the war driving technique received its name -- from driving around with a laptop loaded with a sniffer for detecting wireless networks.

Rogue NICs are a bit trickier since they can't be detected by traditional scanning technology. However, you'll want to block them because rogue NICs can be indicative of a workstation or server being used by someone scanning your network for open ports to attack. There are two tools that can help detect rogue NICs. Sentinel, for Linux and BSD systems, is a free download from Packetfactory (http://www.packetfactory.net/Projects/sentinel). Windows users can use Microsoft Promqry 1.0, the command-line tool, and its GUI equivalent, PromqryUI 1.0 (http://support.microsoft.com/?kbid=892853).
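The rogue-DHCP check the answer describes with dhcping, Dhcploc and dhcp_probe (broadcast a DHCPDISCOVER, collect every DHCPOFFER, compare each answering server against your inventory) is shown below as an added example. It is not code from the page, nor from any of the tools named in the answer; the authorized-server list and the sample packets are constructed for illustration, and `probe()` is the only part that touches the network (it binds UDP/68, which normally needs root).

```python
"""Rogue DHCP server check: parse DHCPOFFER replies and compare the server
identifier (option 54, RFC 2132) against an inventory of authorized servers.
Added example; not the page's code and not dhcping/Dhcploc/dhcp_probe.
The inventory and the sample packets below are constructed."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 53, 54, 255, 0
DHCPDISCOVER, DHCPOFFER = 1, 2
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # RFC 2131 fixed header, 236 bytes

# Hypothetical inventory: the DHCP servers you know you run.
AUTHORIZED_SERVERS = {"10.0.0.1"}


def build_discover(xid: int, mac: bytes) -> bytes:
    """Minimal DHCPDISCOVER: BOOTREQUEST, Ethernet, broadcast flag set."""
    hdr = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse_options(payload: bytes) -> dict:
    """Parse the option TLVs after the magic cookie; reject truncated input."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    return opts


def offer_server(payload: bytes, xid: int):
    """Server identifier of a DHCPOFFER that answers our xid, else None."""
    if payload[0] != 2 or struct.unpack("!I", payload[4:8])[0] != xid:
        return None                      # not a BOOTREPLY, or not our transaction
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    sid = opts.get(OPT_SERVER_ID)
    return socket.inet_ntoa(sid) if sid and len(sid) == 4 else None


def classify(servers, authorized=AUTHORIZED_SERVERS) -> dict:
    """Split the servers that answered into known and unknown (rogue)."""
    seen = {s for s in servers if s}
    return {"authorized": sorted(seen & authorized), "rogue": sorted(seen - authorized)}


def probe(bind_ip="0.0.0.0", timeout=3.0, xid=0x3903F326,
          mac=bytes.fromhex("001122334455")) -> dict:
    """Broadcast one DISCOVER and collect every OFFER until the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind_ip, 68))
        s.settimeout(timeout)
        s.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
        servers = []
        try:
            while True:
                data, _ = s.recvfrom(1500)
                servers.append(offer_server(data, xid))
        except socket.timeout:
            pass
    return classify(servers)


def build_offer(xid: int, server_ip: str, yiaddr="10.0.0.50") -> bytes:
    """Constructed DHCPOFFER used as sample input (mimics a server reply)."""
    hdr = struct.pack(BOOTP_HDR, 2, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_ip),
                      b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
            + socket.inet_aton(server_ip) + bytes([OPT_END]))
    return hdr + MAGIC_COOKIE + opts


if __name__ == "__main__":
    xid = 0x1234
    replies = [build_offer(xid, "10.0.0.1"),        # the server in the inventory
               build_offer(xid, "192.168.99.9"),    # an unknown server: rogue
               build_offer(0x9999, "10.0.0.1")]     # someone else's transaction: ignored
    print(classify([offer_server(r, xid) for r in replies]))
```

Run `probe()` from a host on the subnet you want to check; a DHCPOFFER is unicast or broadcast back to port 68, so the script must own that port for the duration of the probe, and it only hears servers on the local broadcast domain (or those reached through a relay), which is why the answer says the Windows tool shows servers "in your local subnet". Anything in the `rogue` list is exactly what the answer tells you to treat as suspect.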

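The answer's point about rogue NICs is that a card put into promiscuous mode (the state Promqry reports locally and Sentinel tests for remotely) is not visible to a port scanner. One remote test such detectors use is shown below as an added example, not code from the page or from either tool: send an ARP request for the target's IP inside an Ethernet frame addressed to a bogus, non-broadcast MAC. A NIC in normal mode drops the frame in its hardware filter; a promiscuous NIC passes it up and the host's stack answers the ARP. The fake destination addresses, the sending host's MAC and IP, and the sample replies are all assumptions constructed for the example, and `send_probes()` is the only part that needs a raw socket (Linux AF_PACKET, CAP_NET_RAW).

```python
"""Promiscuous-mode NIC probe via ARP. A frame sent to a fake, non-broadcast
MAC should be dropped by the NIC; if the host still answers the ARP request
inside it, the card is passing all frames up, i.e. it is sniffing.
Added example; not the page's code and not Sentinel or Promqry.
Sample MACs, IPs and replies below are constructed."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"                 # htype ptype hlen plen oper sha spa tha tpa
# Bogus destination MACs. Which one gets past a given OS's software filter
# varies, so detectors try several (assumed list for this example).
FAKE_DST_MACS = ["ff:ff:ff:ff:ff:fe", "ff:ff:00:00:00:00", "01:00:00:00:00:00"]


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_probe(src_mac, src_ip, target_ip, dst_mac) -> bytes:
    """ARP request for target_ip, wrapped in a frame to the fake dst MAC."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                      mac_bytes(src_mac), socket.inet_aton(src_ip),
                      b"\0" * 6, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(sha), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


def suspect_hosts(frames, probed_ips, our_ip) -> dict:
    """Hosts that answered a probe their NIC should have dropped: ip -> mac."""
    found = {}
    for f in frames:
        p = parse_arp(f)
        if p and p[0] == ARP_REPLY and p[2] in probed_ips and p[3] == our_ip:
            found[p[2]] = p[1]
    return found


def send_probes(iface, src_mac, src_ip, targets, timeout=2.0) -> dict:
    """Linux only: send every fake-MAC variant to each target, collect replies."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        for ip in targets:
            for dst in FAKE_DST_MACS:
                s.send(build_arp_probe(src_mac, src_ip, ip, dst))
        frames = []
        try:
            while True:
                frames.append(s.recv(2048))
        except socket.timeout:
            pass
    return suspect_hosts(frames, set(targets), src_ip)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed reply, as a host in promiscuous mode would send it."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


if __name__ == "__main__":
    us_mac, us_ip = "00:11:22:33:44:55", "10.0.0.2"
    captured = [build_arp_reply("aa:bb:cc:dd:ee:01", "10.0.0.7", us_mac, us_ip),   # answered: suspect
                build_arp_reply("aa:bb:cc:dd:ee:02", "10.0.0.9", "00:11:22:33:44:66", "10.0.0.3"),
                b"\0" * 60]                                                        # not ARP at all
    print(suspect_hosts(captured, {"10.0.0.7", "10.0.0.9"}, us_ip))
```

Two caveats a practitioner should keep in mind. First, a switch floods a frame for an unknown unicast MAC to every port, so the probe does reach each host even though the destination is fake. Second, the classifier treats any ARP reply to us from a probed host as evidence, so do not run it while the probing host is doing ordinary ARP with those targets, or a normal reply will read as a false positive. A host that answers none of the fake-MAC variants is not proven clean; it only means its stack filtered them, which is why the answer pairs this kind of remote test with a local query such as Promqry on Windows.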
All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy