Firewall Wizards mailing list archives

RE: finding undocumented external connections


From: "Stout, Bill" <StoutB () pios com>
Date: Mon, 03 Aug 1998 12:04:29 -0400

Watch for unknown IP addresses on the net, or lots of traffic to one
node that may act as a gateway.  To do this you need a monitor on each
local network (either sniffers, network probes, IDS, or other).  Once
you see a foreign address, trigger a script to traceroute it, probe it,
identify it.

If your users add a modem to a PC, you won't see it from the network.
You can wardial each area-code/prefix, but you'll miss modems which are
not in auto-answer mode.  Wardialers will catch users who created
dial-in access to your net (carbon copy, PC-anywhere, RAS, PPP/terminal
servers, etc).  Requesting a copy of each office's phone bill may be of
some help, but multiple departments may be paying separate bills.

Company policies help, if the directors and employees take them
seriously.

Bill Stout

----- Original Message -----
From: Ng, Kenneth  [SMTP:kenng () kpmg com]
Sent: Friday, July 31, 1998, 8:01:08
To:   Stout, Bill
Subject:      finding undocumented external connections

I have a question to those people who run large networks.  Sorry this
is not directly related to firewalls, but I believe it to be reasonably
close.  If you have let's say a hundred or more offices, it becomes
impractical to visit each and every one and conduct an audit of the
network in that office.  What methods are there for finding out if an
office has set up an unauthorized connection to either the Internet or
to another company?  Currently the only way I know is to see if an
unusual route shows up on the WAN.  Yes I know that the best system is
for people to report such connections, but if this was a perfect world
we wouldn't need locks on our doors.  Thank you in advance for your
suggestions.
----- End Of Original Message -----
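
The monitoring approach in the reply above, as an added Python example (not part of the original messages and not written by either poster): it lists addresses outside the documented prefixes and flags any next-hop MAC, other than the documented router, that local hosts are using to reach foreign destinations. The record layout, the 10.20.0.0/16 prefix, the router MAC and the sample flows are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed inventory for one office (constructed values).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
DOCUMENTED_GATEWAY_MACS = {"00:00:5e:00:53:01"}  # the sanctioned WAN router

# Constructed records from a LAN monitor: (src_ip, dst_ip, dst_mac, bytes)
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.1.20", "00:00:5e:00:53:20", 4000),     # local traffic
    ("10.20.1.15", "192.0.2.80", "00:00:5e:00:53:01", 12000),    # via documented router
    ("10.20.1.31", "198.51.100.7", "00:00:5e:00:53:44", 90000),  # via unknown next hop
    ("10.20.1.32", "203.0.113.9", "00:00:5e:00:53:44", 150000),  # same unknown next hop
    ("203.0.113.9", "10.20.1.32", "00:00:5e:00:53:32", 700000),  # foreign source on the LAN
]

def is_internal(addr, nets=INTERNAL_NETS):
    """True if addr falls inside one of the documented prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def foreign_addresses(flows):
    """Every address seen on the wire that is outside the documented prefixes."""
    seen = {a for src, dst, _mac, _n in flows for a in (src, dst)}
    return sorted((a for a in seen if not is_internal(a)), key=ipaddress.ip_address)

def suspect_gateways(flows, documented=DOCUMENTED_GATEWAY_MACS):
    """Next-hop MACs that carry local traffic to foreign destinations
    but are not documented routers, with byte totals and who uses them."""
    acc = defaultdict(lambda: {"bytes": 0, "senders": set(), "destinations": set()})
    for src, dst, dst_mac, nbytes in flows:
        mac = dst_mac.lower()
        if is_internal(src) and not is_internal(dst) and mac not in documented:
            acc[mac]["bytes"] += nbytes
            acc[mac]["senders"].add(src)
            acc[mac]["destinations"].add(dst)
    return {
        mac: {"bytes": v["bytes"],
              "senders": sorted(v["senders"]),
              "destinations": sorted(v["destinations"])}
        for mac, v in acc.items()
    }

if __name__ == "__main__":
    print("foreign addresses:", foreign_addresses(SAMPLE_FLOWS))
    for mac, info in suspect_gateways(SAMPLE_FLOWS).items():
        print("possible undocumented gateway", mac, info)
```

As the reply notes, this only sees traffic that crosses a monitored segment; a modem attached to a single PC stays invisible to it.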


