Remote Rogue Network Detection

Summary

‘Unauthorized network links are one of the biggest problems facing large enterprise networks. Users intent on bypassing corporate proxies will often use cable modems, wireless networks, or even full-fledged T1s to access the Internet. These network links can have a drastic effect on organizational security; any perimeter access controls are completely bypassed, making it nearly impossible for the administrators to effectively concentrate their monitoring and intrusion prevention efforts. The linked document attempts to describe different approaches and techniques that can be used to detect these rogue network links.’

Credit:

The information has been provided by H D Moore.
The original article can be found at: http://metasploit.com/research/misc/rogue_network/

Details

The Limitations:
The techniques listed in this document will not find every rogue network connection, and none of them comes anywhere near perfect accuracy. Workstations that block all incoming traffic from the corporate network cannot be identified by any active detection method. Systems that are never used to access corporate web sites or email are immune to the web tracking techniques. VPN traffic that is tunneled through an outbound SSL connection would be very difficult to detect without a man-in-the-middle interceptor or a compromised private key. Network anomaly detection only works when you have a known-good baseline to compare against.

Three Approaches:
There are three distinct approaches covered in this document. Each has different requirements, a different level of accuracy, and a different impact on users. The actual effectiveness of each approach will depend heavily on the configuration of the network and on the way users interact with it.

To read the full document please visit: http://metasploit.com/research/misc/rogue_network/
