Network Discovery: New Category of Essential Products
The solution is a variety of network discovery tools and techniques, some simple and cheap, others less so, to keep up with your knowledge of what's on the network.
A combination of security threats, legal compliance issues, and general troubleshooting complexity have motivated a growing number of security consulting firms to look more closely at network discovery as a bona fide practice area. But before you rush out and hire someone, take stock of the skill set you have in your existing IT organization, figure out a budget for the activity, and realize that network discovery has multiple dimensions (this is security, after all) and not just a one-stop shopping experience.
Larry Dietz, Research Director for The Sageza Group, in Union City, Calif., thinks there are several things to consider.
"First, there is a basic hardware and software inventory of what the client thinks he has out there. If you discover things that the client doesn't know about, then the client will think you are a genius. Second, you need to find unauthorized hardware, such as servers, wireless access points, and endpoints that users have brought into the building and running on the network. Again, whatever you can dig up is gravy."
The Basics, And Beyond
The key takeaway here is that you need to get started, and there are a wide variety of asset-tracking tools available. Microsoft's SMS, Landesk Asset Manager and Symantec/Altiris' Juice all are enterprise-wide tools that can capture a wide variety of hardware and software types and be useful for IT managers who want to ensure that they have sufficient software licenses for the number of users, or that their corporate-owned PCs are accountable.
But these tools just evaluate the basic elements, and don't really provide information on things like what is happening on the network, who is bringing in personal laptops from home, and staffers who are connecting to rogue wireless access points either by design or mistake. For these situations, you need one or more network analysis tools to be able to see your traffic patterns.
WildPackets.com' OmniPeek, Network General's Sniffer and Visualizer product lines and Wireshark.org (formerly called Ethereal) are all great tools for doing this, but require a significant investment in training to operate them properly.
"Ideally, you would like to gather this data once and reuse it for a variety of IT purposes," says Dennis Drogseth, an analyst with Enterprise Management Associates.
Such purposes go beyond mere discovery and could include optimizing applications performance, network troubleshooting, and handling compliance issues.Part of any solid understanding of what is happening on your network is knowing when something has changed, and being able to react to these changes when error messages pop up or users start calling with connection problems.
A good place to learn more about this is a site called NetPerformance.com, and in particular this posting on change management. The site also has materials on using the analysis tools and offers training classes as well in their use.
Another great source of tools for network analysis is SolarWinds. The site sells a product called Engineers Toolset that is available in a very affordable version for less than $150.
The final dimension is to examine your Web presence, including looking for unauthorized but viable Web sites that IT doesn't know about, or potentially harmful, hostile or adversarial sites such as those that may be run by ex-employees or those of competitors that provide links to questionable external sites, or blogs that mention privileged corporate information.
"This could lead to a whole series of services, such as vulnerability assessments, patch management, and data forensics," says Dietz.
What tools are available? A good place to start is to use the free scanning tools available from either SPIdynamics.com or Qualys.com. Both companies offer 30-day free licenses to try out their products, along with more extensive training classes for using the paid versions.
Another place is the self-training materials that can be found at the Open Web Application Security Project. It has samples for how to discover and harden Web servers, and very detailed examples of typical Web exploits too. It is a great place to learn more about overall Web security, as well as what you need to do to track down other kinds of Web problems. And sometimes just doing Google searches can be an effective means of finding a particular site of a disgruntled ex-employee.
One tactic is to educate your C-level executives, such as workshops sponsored by the Secure Software Forum. (The full schedule can be found here. These workshops provide a good overview of some of the problems around software security issues, part of which is discovering which applications are running over your enterprise network. The forum is jointly sponsored by Microsoft and SPIdynamics.
Brian Cohen, SPIdynamics' CEO, suggests hiring established security firms that are doing traditional vulnerability assessments of operating systems and networks and looking to expand their offerings into the Web presence area. The key is having a solid grounding in Internet security, and being able to do regular scans to ensure that changes to a Web site haven't opened up new vulnerabilities.
"Business managers have lots of problems they need to investigate compliance, security, and just general network operations. They need to be able to analyze what's happening on their network and collect the evidence for taking action, regardless of which application (email, IM, Web mail, etc.) is involved," says John Bennett, VP of Marketing for WildPackets Inc.
As you can see, doing network discovery has many different dimensions, tools, and cuts across a variety of skills. But as Bennett says, "IT forensics itself is simply a new category of must-have technology that is appropriate for any business manager today."