Archive

Posts Tagged ‘forensics’

Rogue Machine Discovery Using DHCP Hostname Analysis

October 23rd, 2009 No comments

An important aspect of defending one’s network is controlling what devices actually get on said network. In fact, several of the big name IT regulatory schemes – SoX specifically, though probably some of the others as well – have specific requirements to control access to network assets. Depending on the nature of a business, the financial resources available, and the prevailing culture of the workplace this can either be a relatively simple task or something approaching the Sisyphean level. There are also two levels of people we are trying to keep off: end-users who are either ignorant or dismissive of established policy concerning network access and the “determined individual”, be them malicious or just not wanting to follow the rules.

This process was developed at ThatPlaceIWorkâ„¢ as a stop-gap measure to help determine machines that were attached to the internal network but which were not maintained or managed by us. It is definitely aimed at the first group mentioned above – it is somewhat trivial to overcome by a knowledgeable person, but that is not the goal of the exercise. Our business, by the nature of our industry, is very free-flowing and the culture does not adapt well to overt controls – any controls that are leveraged have to walk a fine line between effectiveness and intrusiveness. The vast majority of machines that are being placed on the network that should not be there are either personal machines of employees or those of guests being brought into the agency. Some of these machines come in infected with malware, as determined by our IPS systems. They have no business being on the internal network and there is written policy against such a practice. Weak consequences of policy infringement keep these policies from being effective on their own. Therefore we developed this process to help control the use of undesired machines until such time as a better process could be put in place. Again, this is not a NAC solution, it is merely a way to quickly narrow down a list of machines that may be on the network in defiance of policy. If you really want to keep machines properly segmented, either implement something like wired 802.1X (which we are moving to) or full-body cavity searches at the door.

Read more…