Inventory of Authorized and Unauthorized Devices

Creating an inventory of authorized devices on a network is relatively straightforward when the network is first installed and certified as to its physical layer: the physical topology and the hardware-defined addresses used to access the physical media. For example, this includes not merely an inventory and maps of all conductors in the network, but also a database or chart of the MAC addresses coded into each network interface card.

This control is important because this initial map of the wiring, and of the MAC addresses, serial numbers, and other addressable hardware elements, describes a network that can function without external connections, that is, a stand-alone network. As a stand-alone network it is not initially dependent on external resources: the network wiring, routers, switches, and MAC addresses exist prior to their conversion to outward-facing addresses or their appearance on the outside of the border routers or other interface devices.

This first involves those devices that are physically present on the premises, inside the controlled or controllable space. These are the assets that are physically accessible in their entirety to the systems and network administrators. This initial “physical plant” of the various networks can be locked down in physical space, and then locked down through electronic measures. By implementing this control, localized resources can be supervised to protect against tampering and physical theft and to control physical access. Additionally, these maps, databases, and charts are among the first-line troubleshooting tools and anti-intrusion measures. While an automated mapping application removes much of the man-power needed, it does not under any conditions replace a physical audit and certification that what appears to be present actually is.

While audits and inventories may include higher-level addresses (IP addresses), NAT translations, and DHCP-assigned addresses, each local network exists first in the physically controlled local space, and it is in this physical space that the initial audits and inventories must begin.

A modern network installation usually involves a surplus of cable and connectors being installed in the horizontal and physical planes, and this provides the first third of the final network. The second third is the asset that provides input or output, such as a computer, alarm sensor, printer or similar device. The final third of this network is the interconnecting device, such as a switch, that links local devices to one another.

As a network expands through local routers or NAT functions, it is all too easy to fall back on the TCP/IP addresses assigned by the routers, but there needs to be preservation of all media access addresses, device serial numbers, licensing keys, the physical position and location of each device, and ideally a photograph of the device as it appears in its location. This very early and very essential inventory of “all local devices”, derived from the wiring, the serial numbers on the boxes, the MACs on the boxes, and the license numbers (on boxes and cases), is the often overlooked initial step.

In the case of a switch or a router, each port and interface must be very closely inventoried in this first step if this information is to be of significant value in the future. When feasible, the interior of the chassis should be photographed, including photographs of internal cards or chips that may carry serial numbers. In the case of a router, switch, or NIC the internal photography is also performed in order to detect future unauthorized equipment modifications that may suggest espionage being performed through the insertion of compromised interface cards that add a covert signal path.

If an initial inventory and audit is not performed, these compromised devices and covert paths cannot be prevented in the future. This must also go one step further: equipment must be assumed to have been tampered with in the supply chain, and interface cards, the operating system, and other elements of each system must be checked for tampering after acceptance but before installation. This results in an extensive document trail being created in advance of the equipment being connected to the local network, and well prior to initial power-up or the passing of data. Further, if this initial configuration data is not memorialized, tested, and documented, there will be no records to compare against future equipment or network configurations.

Many network technicians and administrators vehemently resist collecting cable-level certifications and documents, tend to misplace purchase and shipping documents, and very few pay close attention to the stickers and markings on the box; the price of a commodity tends to be more of a driving force than supply chain integrity. The method to address this is to foster a certain level of zeal towards collecting paperwork and preserving it in a meaningful way, so that it will be considered an asset to the management of assets and not merely “a pile of paperwork.” To this end, documents are scanned into the equipment databases, along with standardized photography of the shipping containers and their contents, creating an extensive paper trail. Additionally, when the cables are subjected to initial certification, those documents are also included, so that every document is available at the fingertips of the technical staff, and while they may add to the database, they do not delete data from it.

When the network management software detects a new entity of any sort, either at the MAC level or at the TCP/IP level, the routers and other devices automatically lock out the unknown device and fire off an administrative alarm to the network team, who can authorize the device as a just-installed asset. This automated lockout function seeks to render foreign devices powerless as soon as they appear, and in the absence of an override the device will remain permanently locked out and neutralized.

When properly administered, success is measured by the speed at which the slightest anomaly, physical breach, or attempted penetration is detected, neutralized, and also carefully documented.

My professional preference is for all routers to divert unknown devices to a DMZ/sandbox and to lock that foreign device out of all routers and switches, but to permit it to pass into the sandbox to faked/decoy data and virtual networks and to packet capture (at the hardware level) to study the modes and means of the attack.

But success is measured by the speed of detection and of the lockout being implemented, and it must be automatic, with response times measured not in seconds or minutes but in microseconds, and with the block and diversion taking no more than a few milliseconds to propagate throughout the entire enterprise.

The mechanisms of a boundary defense must be based on the initial assumption that the devices on the border or boundary of a network will be the primary defense mechanism, in that they must pass legitimate traffic to and from the legitimate internal network while at the same time diverting suspect or hostile traffic to a DMZ/sandbox network, and this must take place in real time on a packet-by-packet basis. But the enterprise cannot merely rely on protecting itself from external threats; it must also detect anomalous internal network activities, divert those activities and lock down those MACs without human intervention, and fire off an alert to network administrators and security personnel, all the while keeping the anomalous machine or user active, just not able to access off-limits servers, databases, or potential victims. While the employees of an enterprise may be regarded as trustworthy, the machines they use should be regarded as an ever-present threat to the enterprise.

If this is not implemented, an external attacker will go undetected or undeterred, and an internal attacker will be able to run amok and potentially infect or afflict all of the other computers and network infrastructure in the enterprise. Not only must external intruders be diverted, but internal rogue machines, and the occasional rogue user, must be locked down and their every packet recorded for analysis.

The initial means to do this is to create a “gray list” for what would normally be regarded as a “white list”, plus “black lists” right at the border devices for incoming and outgoing traffic, and also to operate a border within a border, like the concentric rings of an onion. In this way anomalous activity that originates inside the enterprise is diverted in one way, and traffic flowing outside the enterprise is handled in a different way: essentially identical routers, but facing opposite ways, one to control internal traffic, the other to control external traffic.
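The automated lockout described earlier and the gray/white/black list arrangement at the border devices, as an added example that is not from the original article: an inventory lookup that permits a known device on its inventoried switch port, diverts an unknown (gray-listed) device to a sandbox VLAN and raises an alarm, drops a black-listed device, and offers the administrator override for a just-installed asset. The VLAN number, MAC addresses, serial numbers, ports and locations are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

QUARANTINE_VLAN = 999  # assumed id of the DMZ/sandbox VLAN unknown devices are steered to

# Constructed sample inventory: the MAC, serial, switch port and physical location
# recorded during the initial physical audit (values are made up for this example).
SAMPLE_AUTHORIZED = {
    "00:11:22:33:44:01": {"serial": "SN-0001", "port": "sw1/1", "location": "Rack A, U12"},
    "00:11:22:33:44:02": {"serial": "SN-0002", "port": "sw1/2", "location": "Rack A, U13"},
}
SAMPLE_BLOCKLIST = {"de:ad:be:ef:00:01"}  # devices already neutralized (constructed)


@dataclass
class Decision:
    mac: str
    action: str                  # "permit", "quarantine" or "drop"
    reason: str
    vlan: Optional[int] = None   # VLAN the device is diverted to, when quarantined


class DeviceInventory:
    """Authorized list plus block list; anything else lands on the gray list."""

    def __init__(self, authorized: Dict[str, dict], blocklist=()):
        self.authorized = {m.lower(): dict(a) for m, a in authorized.items()}
        self.blocklist = {m.lower() for m in blocklist}
        self.alerts: List[str] = []  # administrative alarms raised so far

    def authorize(self, mac: str, serial: str, port: str, location: str) -> None:
        """Administrator override: record a just-installed asset as authorized."""
        mac = mac.lower()
        self.authorized[mac] = {"serial": serial, "port": port, "location": location}
        self.blocklist.discard(mac)

    def classify(self, mac: str, ip: str, port: str) -> Decision:
        """Decide, per observed device, whether it is permitted, diverted or dropped."""
        mac = mac.lower()
        if mac in self.blocklist:
            decision = Decision(mac, "drop", f"blocklisted device seen on {port} from {ip}")
        elif mac not in self.authorized:
            decision = Decision(mac, "quarantine", f"unknown device on {port} with {ip}", QUARANTINE_VLAN)
        elif self.authorized[mac]["port"] != port:  # known asset, but not where the audit put it
            expected = self.authorized[mac]["port"]
            decision = Decision(mac, "quarantine", f"inventoried on {expected}, seen on {port}", QUARANTINE_VLAN)
        else:
            decision = Decision(mac, "permit", "matches inventory")
        if decision.action != "permit":
            self.alerts.append(f"{decision.action.upper()} {mac}: {decision.reason}")
        return decision
```

The port check is the page's "port inventory" idea applied to an otherwise known MAC: a device that shows up on a port other than the one recorded in the physical audit is treated as an anomaly until an administrator re-authorizes it.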

But, in each case there is a sandbox or DMZ that is used to divert the traffic and to provide either the malware or the actual hacker with a great expanse of faked attack surface that is capable of not only saturating the attacker resources, but which will do so in a way that limits the impact on the network being targeted.

This can even go so far so as to place a bait server in the DMZ and then restrict bandwidth to the bait server, to slow down the attack, and to watch for one form of attack or theft to morph into multiple types.

There are many variables that can be used to trigger a diversion to a DMZ/sandbox, but whatever the mechanism, it must be invisible to the originator of the anomalous action.

Filters, traffic analysis, port inventories, and session length can all be used to detect when something anomalous has taken place, is taking place, or is about to take place.

Response time must be measured in packets, or in microseconds, and when properly implemented an attack is literally shut down and diverted as the attack or illicit access is being set up, so that once it is launched, it launches into the DMZ and not into the live network or servers.

Success is measured by the speed with which the border routers or security appliances/firewalls can detect suspect activity, seamlessly divert the traffic, packet by packet, into the DMZ, and log the packets.
