Tracking Down New Devices After The Holiday Season
New Devices = New Year Challenges
As 2017 draws to a close I would like to take this opportunity to wish all my business and Infosec contacts a Happy Christmas and best wishes for the new year. It is also the season for exchanging gifts, and at the top of many people's lists is a new phone, tablet or some other IoT gadget. It is amazing what you can get for so little now. I just watched a video about an Android powered smartwatch that comes with a SIM slot, camera, touchscreen, access to the Play Store plus many other features, and you get all this for $12.
The challenge these devices bring is that they may end up on corporate networks. No big deal, you may say, but all it takes is one compromised system to bring down your network with a malware infection. The portability is the problem: users walk past your firewall with their shiny new device and suddenly you have a problem inside your network.
Another issue is the potential bandwidth grab that new devices bring. Many will need updates, and as soon as they get on a network with lots of bandwidth they start downloading them. Some of these updates can be over 2GB in size, which can swamp WAN or Internet connections.
How can you detect new devices on your network?
One of the best ways to detect new devices on your network is to monitor network traffic going to and from a number of key points including:
- Internet gateway
- Internal interfaces of proxy servers
- DHCP queries
- DNS queries
- Network interfaces going to WAN routers
One of the easiest ways to monitor network traffic is to use a SPAN, mirror port or TAP. These allow you to get a full copy of network traffic as it passes through a switch. The main thing to remember is that you don’t need to monitor every port on your network, just focus on the ones I have listed above.
Once you have a traffic source in place you then need to extract certain information from the network packets which will allow you to report on new network devices. For the purposes of this blog I am going to use our own LANGuardian system, which can extract device metadata from the packets. The video below details the steps necessary to monitor Internet traffic, and you can extend this to include other network points.
Monitoring Internet Traffic. Proxy & Direct
One of the richest sources of data when it comes to monitoring new devices is Internet traffic. Most wired and wireless devices try to access external services to download updates or to exchange data with cloud services. Buried within this traffic are pieces of metadata which can reveal what devices are on your network.
The image below shows an example of metadata captured from Internet traffic which is then used to build up an inventory of what devices are connecting to your network.
Monitoring DHCP Requests
New devices connecting to your network will normally send out a DHCP request so that they can get an IP address, which they then use to communicate. If you monitor these DHCP requests you can start to build up an inventory of what devices are connecting to your network. The screenshot below shows an example of what you should be capturing. Here you can see the device MAC addresses with associated hostname and IP address. An alert can be triggered on LANGuardian if the MAC address is new, so you know when a new device connects to your network.
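To show what "monitor DHCP requests and alert on a new MAC" means at the packet level, here is an added example (not LANGuardian code, and not from the original post). It parses the UDP payload of a DHCP message straight from the RFC 2131 layout, pulls out the client MAC (chaddr), hostname (option 12), requested IP (option 50) and vendor class (option 60), and keeps an inventory keyed by MAC that returns an alert flag the first time a MAC sends a DISCOVER or REQUEST. The sample messages, MAC addresses and hostnames are constructed test data, not a capture.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2131 magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


@dataclass
class DhcpClient:
    mac: str
    msg_type: str
    hostname: Optional[str] = None      # option 12
    requested_ip: Optional[str] = None  # option 50
    vendor_class: Optional[str] = None  # option 60, e.g. the OS's DHCP client string


def parse_dhcp(payload: bytes) -> DhcpClient:
    """Parse the UDP payload of a DHCP message into the fields an inventory needs."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)                      # hardware address length, 6 for Ethernet
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):                         # walk the TLV option list defensively
        code = payload[i]
        if code == 255:                             # end option
            break
        if code == 0:                               # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                   # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            break                                   # truncated option value
        opts[code] = value
        i += 2 + length

    def text(code: int) -> Optional[str]:
        return opts[code].decode("ascii", errors="replace") if code in opts else None

    mt = opts.get(53)
    requested = opts.get(50)
    return DhcpClient(
        mac=mac,
        msg_type=MSG_TYPES.get(mt[0], "UNKNOWN") if mt else "UNKNOWN",
        hostname=text(12),
        requested_ip=".".join(str(b) for b in requested) if requested and len(requested) == 4 else None,
        vendor_class=text(60),
    )


class DeviceInventory:
    """Tracks MAC addresses seen in client DHCP messages and flags first sightings."""

    def __init__(self) -> None:
        self.known: Dict[str, DhcpClient] = {}

    def observe(self, payload: bytes) -> bool:
        """Return True when the message comes from a MAC not seen before (the alert condition)."""
        client = parse_dhcp(payload)
        if client.msg_type not in ("DISCOVER", "REQUEST"):
            return False                            # server-side messages don't identify new clients
        is_new = client.mac not in self.known
        self.known[client.mac] = client             # keep the latest hostname/IP per device
        return is_new


def build_dhcp(mac: bytes, msg_type: int, hostname: str = "",
               requested_ip: str = "", vendor_class: str = "") -> bytes:
    """Build a minimal client DHCP message (constructed test data, not a capture)."""
    header = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, 0x3903F326, 0, 0x8000)
    header += b"\x00" * 16                          # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00")                # chaddr
    header += b"\x00" * 192                         # sname and file
    options = bytes([53, 1, msg_type])
    if hostname:
        options += bytes([12, len(hostname)]) + hostname.encode("ascii")
    if requested_ip:
        options += bytes([50, 4]) + bytes(int(o) for o in requested_ip.split("."))
    if vendor_class:
        options += bytes([60, len(vendor_class)]) + vendor_class.encode("ascii")
    return header + DHCP_MAGIC + options + b"\xff"


# Constructed sample: a watch discovering, a phone requesting, then the watch renewing its lease.
SAMPLE_MESSAGES: List[bytes] = [
    build_dhcp(b"\x02\x00\x00\xaa\xbb\x01", 1, hostname="Galaxy-Watch", vendor_class="android-dhcp-8.1"),
    build_dhcp(b"\x02\x00\x00\xaa\xbb\x02", 3, hostname="Jims-iPhone", requested_ip="192.168.1.77"),
    build_dhcp(b"\x02\x00\x00\xaa\xbb\x01", 3, hostname="Galaxy-Watch", requested_ip="192.168.1.50"),
]


def run_inventory(messages: List[bytes] = SAMPLE_MESSAGES) -> List[bool]:
    """Feed messages through one inventory; returns the per-message new-device alert flags."""
    inventory = DeviceInventory()
    return [inventory.observe(m) for m in messages]


if __name__ == "__main__":
    inventory = DeviceInventory()
    for message in SAMPLE_MESSAGES:
        if inventory.observe(message):
            c = inventory.known[parse_dhcp(message).mac]
            print(f"NEW DEVICE {c.mac} hostname={c.hostname} vendor={c.vendor_class}")
```

On a real SPAN or TAP feed you would hand `observe()` the UDP payload of each packet to port 67, and the inventory persists across restarts by saving `known` rather than living only in memory; the third message produces no alert because that MAC is already known, which is exactly the behaviour you want from a new-device rule.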
Monitoring DNS Queries
Once you start to build an inventory of what is connecting to your network, you should also try and capture some associated data. A good example would be to capture all DNS queries that devices on your network are sending. These queries can reveal a lot about what the devices are doing and what sort of applications they are running. In the example below we can see that there is a device active on our network and it is running cloud apps like WhatsApp and GMail and it is running the Township game.
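The DNS side of the inventory can be demonstrated the same way. The following is an added example (not LANGuardian code and not from the original post): it extracts the question name from raw DNS query payloads, skipping responses and malformed messages, matches each name against a small suffix-to-application table, and groups the result per client IP into recognised apps and names it could not classify. The two-entry suffix table and the client IPs and query names are assumptions constructed for the example; a real deployment would carry a much larger, maintained table.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Illustrative suffix-to-application table (constructed for this example).
APP_SUFFIXES = {
    "whatsapp.net": "WhatsApp",
    "mail.google.com": "Gmail",
}


def parse_query_name(message: bytes) -> str:
    """Extract the first question name from a DNS query (UDP payload), lower-cased."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if flags & 0x8000:
        raise ValueError("this is a response, not a query")
    if qdcount < 1:
        raise ValueError("query carries no question")
    labels = []
    i = 12
    while True:
        if i >= len(message):
            raise ValueError("truncated question name")
        n = message[i]
        i += 1
        if n == 0:
            break
        if n & 0xC0:
            # Compression pointers are legal but unusual in a query's question section;
            # this parser deliberately rejects them rather than following them.
            raise ValueError("compressed name in question section")
        label = message[i:i + n]
        if len(label) != n:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        i += n
    return ".".join(labels).lower()


def classify(qname: str) -> Optional[str]:
    """Map a query name to an application by longest matching suffix, or None."""
    for suffix, app in sorted(APP_SUFFIXES.items(), key=lambda kv: -len(kv[0])):
        if qname == suffix or qname.endswith("." + suffix):
            return app
    return None


def build_inventory(records: List[Tuple[str, bytes]]) -> Dict[str, Dict[str, List[str]]]:
    """Group observed queries by client IP into recognised apps and unclassified names."""
    inventory: Dict[str, Dict[str, set]] = {}
    for client_ip, payload in records:
        try:
            qname = parse_query_name(payload)
        except ValueError:
            continue                        # malformed or not a query: skip, don't stop the collector
        entry = inventory.setdefault(client_ip, {"apps": set(), "unclassified": set()})
        app = classify(qname)
        if app:
            entry["apps"].add(app)
        else:
            entry["unclassified"].add(qname)
    return {ip: {k: sorted(v) for k, v in e.items()} for ip, e in inventory.items()}


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a standard A query for qname (constructed test data, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


# Constructed (client IP, DNS payload) pairs; the .invalid name stands in for a game's update host.
SAMPLE_RECORDS: List[Tuple[str, bytes]] = [
    ("10.0.0.23", build_dns_query("e1.whatsapp.net")),
    ("10.0.0.23", build_dns_query("mail.google.com")),
    ("10.0.0.23", build_dns_query("updates.example-game.invalid")),
    ("10.0.0.23", struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)),  # a response header: skipped
    ("10.0.0.41", build_dns_query("e1.whatsapp.net")),
]


if __name__ == "__main__":
    for ip, entry in build_inventory(SAMPLE_RECORDS).items():
        print(ip, "apps:", entry["apps"], "unclassified:", entry["unclassified"])
```

The unclassified list is worth keeping rather than discarding: it is where a new device's update or telemetry hosts first show up, and reviewing it is how the suffix table grows.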
Monitoring network interfaces going to WAN routers
As I mentioned previously, wireless/IoT devices can consume large volumes of bandwidth. Businesses can be impacted if users in remote sites start complaining that the "network is slow", and all it takes is one device update to swamp a link. Make sure you are monitoring what applications are using your bandwidth.
An easy way to do this is to monitor the network interfaces on your WAN routers with a product like LANGuardian. It can also associate network activity with usernames, so you know who is doing what on your network. A sample of this username integration is shown in the image below.