Sunday, February 26, 2017

Intranet: Checking the company network's own security - How it works

Checking the intranet's own security


Network Inventory and Analysis


The realization that firewalls help to evaluate and limit inbound and outbound traffic is nothing new. But even traffic that never leaves your own network, or does not come from outside, can create dangers of its own. Have you ever thought about which devices are communicating with each other within a company network? Even in the larger dental practice around the corner you will often find a smart TV in the entrance area, a coffee machine connected to the network (it announces when it is time to descale), file and database servers, PCs for data entry and scheduling, network printers, and perhaps a meeting room with a WLAN-enabled projector. On top of that comes the WLAN hotspot, so that the practice staff can work with a notebook.


In addition, you often find unauthorized devices brought in by employees (such as WLAN routers) or simply forgotten hardware such as obsolete laser printers, access points or insecure EC card terminals. These should be made visible, analyzed in detail and, if necessary, shut down.


A very good tool for getting an overview of all devices active in the network is OpenVAS. The security and vulnerability scanner can be used to test individual computers for the services they expose and even to perform penetration tests. If you point OpenVAS at a whole subnet, the scanner tries to contact and analyze all IP addresses, typically in five parallel processes. OpenVAS usually identifies operating systems correctly, but in individual cases it is necessary to check whether a detected Linux system with a web server and a directory share is the smart TV in the meeting room or the departmental NAS.


For this reason, it is advisable not only to scan a complete subnet with OpenVAS, but also to look for devices the scan did not find and check them for activity. A good starting point for this is the lease table of the DHCP server. If the ISC DHCP server is running on a typical Linux system, a look at the file /var/lib/dhcp/dhcpd.leases usually shows the currently assigned IP-to-MAC address mappings. Since this is a plain text format, it is easy to match these IP addresses against the ones already scanned with OpenVAS. Of course, this will not find devices configured with fixed IP addresses. However, these can usually be detected via broadcasts, which every station on the segment receives anyway, so neither the switch nor the network card needs to support promiscuous mode (forwarding all packets, even those not addressed to the listening device). For capturing, Wireshark provides a graphical interface that can be used live, while tcpdump suits batch processing and can also be started with a filter.
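The lease-table cross-check described above, as an added example that is not code from the original post. It parses the ISC dhcpd.leases text format (the path /var/lib/dhcp/dhcpd.leases is the one named in the post), keeps only leases in the `active` binding state, and lists the ones whose IP does not appear in a list of hosts the OpenVAS scan covered. The lease file content and the list of scanned hosts are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of /var/lib/dhcp/dhcpd.leases (ISC dhcpd).
# The real file is append-only: a later block for the same IP supersedes
# earlier ones, so the parser lets the last block per IP win.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.10.50 {
  starts 4 2017/02/23 08:12:00;
  ends 4 2017/02/23 20:12:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "reception-tv";
}
lease 192.168.10.51 {
  starts 4 2017/02/23 08:15:00;
  ends 4 2017/02/23 20:15:00;
  binding state active;
  next binding state free;
  hardware ethernet AA:BB:CC:DD:EE:01;
  client-hostname "coffee-machine";
}
lease 192.168.10.52 {
  starts 4 2017/02/22 09:00:00;
  ends 4 2017/02/22 21:00:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:02;
}
lease 192.168.10.50 {
  starts 4 2017/02/23 20:12:00;
  ends 4 2017/02/24 08:12:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "reception-tv";
}
"""

@dataclass
class Lease:
    ip: str
    mac: str = ""
    state: str = ""
    hostname: str = ""

LEASE_RE = re.compile(r"^lease\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\{")
MAC_RE = re.compile(r"^hardware\s+ethernet\s+([0-9a-fA-F:]+);")
STATE_RE = re.compile(r"^binding\s+state\s+(\w+);")   # "next binding state" does not match
HOST_RE = re.compile(r'^client-hostname\s+"([^"]*)";')

def parse_leases(text):
    """Parse dhcpd.leases text into {ip: Lease}; the last block per IP wins."""
    leases = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LEASE_RE.match(line)
        if m:
            current = Lease(ip=m.group(1))
            continue
        if current is None:
            continue  # statements outside a lease block (server-duid, ...)
        if line == "}":
            leases[current.ip] = current
            current = None
        elif (m := MAC_RE.match(line)):
            current.mac = m.group(1).lower()
        elif (m := STATE_RE.match(line)):
            current.state = m.group(1)
        elif (m := HOST_RE.match(line)):
            current.hostname = m.group(1)
    return leases

def active_leases(leases):
    """Only leases the server currently considers bound to a client."""
    return {ip: lease for ip, lease in leases.items() if lease.state == "active"}

def _ip_key(ip):
    return tuple(int(part) for part in ip.split("."))

def unscanned_ips(leases, scanned_ips):
    """Active leases whose IP was not covered by the OpenVAS subnet scan."""
    scanned = set(scanned_ips)
    return sorted((ip for ip in active_leases(leases) if ip not in scanned), key=_ip_key)

def load_leases(path="/var/lib/dhcp/dhcpd.leases"):
    """Read the live lease file on the DHCP server (needs read permission on it)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_leases(fh.read())

if __name__ == "__main__":
    # Constructed list of hosts the OpenVAS report covered.
    scanned = ["192.168.10.50", "192.168.10.52"]
    leases = parse_leases(SAMPLE_LEASES)
    for ip in unscanned_ips(leases, scanned):
        lease = leases[ip]
        print(f"{ip:16} {lease.mac:18} {lease.hostname or '-'}  (active lease, not in scan)")
```

Run against the real server, `load_leases()` replaces the sample text; the IPs from the OpenVAS report can be fed in as the `scanned_ips` list. Note that a lease in state `free` or `expired` only tells you a device was once present, which is still worth a look when the MAC belongs to hardware nobody remembers.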


tcpdump is particularly practical if you want to capture broadcasts for several days on the Linux server that provides DHCP and other services, for example. The entire recording can then be copied to another machine and analyzed there (with Wireshark, for example).
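The batch analysis described above, as an added example that is not code from the original post: a small reader for the classic pcap format that tcpdump writes with `-w`, which collects the sender IP and MAC of every ARP or IPv4 broadcast and then reports the senders that have no DHCP lease, i.e. the candidates for devices with fixed IP addresses. The capture is constructed in the script itself (three Ethernet frames, one of them unicast to show that it is ignored); the list of DHCP addresses is also constructed sample data, and only Ethernet captures in classic pcap (not pcapng) are handled.

```python
import socket
import struct

BROADCAST_MAC = b"\xff" * 6
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def _fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

# --- constructed sample capture (stands in for a file written by tcpdump -w) ---
def arp_request(src_mac, src_ip, target_ip):
    """Ethernet broadcast frame carrying an ARP who-has request."""
    eth = BROADCAST_MAC + _mac(src_mac) + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + _mac(src_mac)
           + socket.inet_aton(src_ip) + b"\x00" * 6 + socket.inet_aton(target_ip))
    return eth + arp

def ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b"\x00" * 8):
    """Ethernet frame with a minimal IPv4/UDP datagram (checksums left zero)."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", 137, 137, 8 + len(payload), 0)
    return eth + ip + udp + payload

def build_pcap(frames, link_type=1):
    """Classic little-endian pcap file with Ethernet (link type 1) frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1487923200 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    arp_request("aa:bb:cc:dd:ee:60", "192.168.10.60", "192.168.10.1"),
    ipv4_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:61", "192.168.10.61", "255.255.255.255"),
    # unicast frame: not a broadcast, so the inventory must ignore it
    ipv4_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:50", "192.168.10.50", "192.168.10.50"),
])

# --- parser --------------------------------------------------------------------
def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic pcap file (pcapng is rejected)."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):       # microsecond / nanosecond, little-endian
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):     # same, written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (link_type,) = struct.unpack(endian + "I", data[20:24])
    if link_type != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def broadcast_inventory(data):
    """Map sender IP -> MAC for every ARP or IPv4 broadcast frame in the capture."""
    seen = {}
    for frame in iter_pcap_frames(data):
        if len(frame) < 14 or frame[:6] != BROADCAST_MAC:
            continue
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_ARP and len(frame) >= 42:
            src_ip = socket.inet_ntoa(frame[28:32])   # ARP sender protocol address
        elif ethertype == ETH_IPV4 and len(frame) >= 34:
            src_ip = socket.inet_ntoa(frame[26:30])   # IPv4 source address
        else:
            continue
        seen[src_ip] = _fmt_mac(frame[6:12])
    return seen

def hosts_not_in_dhcp(inventory, dhcp_ips):
    """Broadcast senders without a DHCP lease: candidates for fixed-IP devices."""
    known = set(dhcp_ips)
    return sorted(ip for ip in inventory if ip not in known)

if __name__ == "__main__":
    inv = broadcast_inventory(SAMPLE_PCAP)
    for ip in hosts_not_in_dhcp(inv, ["192.168.10.60"]):   # constructed lease list
        print(f"{ip:16} {inv[ip]}  seen in broadcasts, no DHCP lease")
```

For a real recording, read the file tcpdump wrote with `-w` and pass its bytes to `broadcast_inventory`; starting tcpdump with the filter `ether broadcast` keeps a multi-day capture small, since only the frames this parser looks at are stored. The IP list from the DHCP lease table then goes in as `dhcp_ips`.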
