Security for All Sizes: What’s on My Network?

There is so much more to security than:

1. Find the hackers.

2. Shut them down.

First of all, we need to know what, exactly, is on the network and what it does and whether or not it should be doing that function while connected without restriction to the rest of the network.

But before we tackle the question of what should be on the network, we need to go about discovering what is on the network, and this can be a journey full of surprises.

Typically, the start of this investigation will involve someone saying that everything that is connected to the network are phones, PCs, access points, and the printers. Oh, and also the badge readers. And the security cameras. But that’s it. Besides the barcode readers. That’s all, though. Hang on, we also have some digital signage…

At this point, you may now take what anyone has to say about what’s on the network with a grain of salt. It’s time to answer this question for yourself.

In a small company, you may be able to track down all the devices by hand during an off hour or two. It’s a great exercise and will prove invaluable for doing troubleshooting.

In a medium-sized company, this cannot be done alone. You’ll need a few other people to help out. That, or you’ll just do it all over a much longer period of time… however it’s done, you’ll likely also need some form of automation of tasks to get all that data collected in a usable way.

For a large company, this cannot be done alone. You will need tools. You will need a project manager. You will also need cross-team cooperation.

For all of these investigations, you will also need to talk to people that don’t usually talk to folks in IT. You will need to talk to them because they have connected things to the network, the likes of which you have never seen on a network ever before…

… and watch me talk about those things without once using a catch-all phrase that describes all of them…

In the small company, especially one that’s going through initial growing pains, there aren’t enough ethernet ports in wall outlets. That means, most likely, a cascade of cheap, unmanaged switches, also known as “cockroach switches” because when you see one of them, there’s a thousand more, hiding in the dark places of the office.

Because the switches are unmanaged, finding out what’s connected to them can be a chore. It can be done, but it may involve tracing cables up through holes in the ceiling and then dropping down into a room next door. You might also find the switches themselves in the ceiling space, acting as repeaters so the 100m cable from the main switch can extend into the nearby office space that was recently leased out.

In medium and large companies, even those with plenty of accessible wall ports available, people will bring in their cockroach switches and plug ’em in. Why? Maybe you should ask the developers who want to run 7 boxes in their cubicles and who don’t know they can requisition an old Cisco 3750 that’s still good, but was decommissioned last year. It could also be a boss that wants to have an extra laptop running or an app team that wants to have a concentration of monitoring devices for a war room or something similar.

But switches you can expect. I mentioned the unexpected, and I will now deliver on that promise.

Small companies have it lucky. Once the odd things are found – be they cameras, badge readers, printers, industrial devices, barcode scanners, automated fryers, refrigeration units, glucometers, or environmental controls – the person doing the discovery is not far away from the person responsible for those devices. And by “not far away”, I mean in the sense of both physical and organizational distance. The company is still small enough to have a familial feel to it, where everyone can walk up to everyone else.

Once you meet the person responsible for the unusual device, you’ll get a story behind it that’s likely to contain the business reason to have the device on the network. That, or a promise to get it off the network if it’s causing a problem.

In the medium-sized company, it’s a longer walk to have that kind of chat, and maybe you also have to go through a manager in order to have permission to engage in that kind of talk. You might even have difficulty finding out who you need to talk to about the serial-to-ethernet devices, the USB-to-ethernet devices, and the parallel-to-ethernet devices.

Also, you’re now more at risk of finding ancient history still connected to your network. The small companies also tend to be *new* companies, so they tend to have new gear. Medium companies have likely been around for a while, and that means they could have devices that the company forgot about… devices that are now no longer supported by their vendors and which will need replacement in order to not be the security threat which they now constitute.

But for diversity and legacy, nothing beats the large company. The bigger it is, the crazier the scenario can get. Time for my disclaimer – I work for a company that makes a product designed to discover devices on the network and then classify them (among other things), and I have lots of large companies for my clients. With that disclaimer out of the way, I was recently at a client where, in the space of one hour, we reviewed a proof of concept deployment and found the following things on the wired network:

1. A cockroach switch.
2. A Nintendo.
3. A Windows 98SE PC. (Also connected through a cockroach switch, just for good measure.)
4. A network range used in more than one place.

Oops, I forgot to mention that fourth thing in my previous paragraphs. But it’s a sad fact of physics or biology or some kind of science that, as companies grow, growing with them is the chance that some self-proclaimed techie will set up a network using an address space already operational somewhere else. The worst case of this was where a site that had a large number of guest wireless devices utilized the entire 10.0.0.0/8 range for it. We found it about a month after it was created, in the course of tracking down intermittent and unpredictable network timeouts and connection refused errors…
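The "network range used in more than one place" problem above, as an added example that is not part of the original post: a small Python check over a constructed site inventory (the sites, purposes and prefixes are made up) that flags every prefix used twice, including a guest-wireless 10.0.0.0/8 that swallows every other 10.x range the way the post describes.

```python
"""Find address ranges that are used in more than one place in a site inventory.

Added example, not from the original post. INVENTORY is constructed for
illustration; the Branch-B guest-wireless /8 mirrors the overlap the post
describes.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: (site, purpose, prefix). Not real networks.
INVENTORY = [
    ("HQ",       "user LAN",       "10.1.0.0/16"),
    ("HQ",       "servers",        "10.2.0.0/24"),
    ("Branch-A", "user LAN",       "10.10.0.0/16"),
    ("Branch-B", "guest wireless", "10.0.0.0/8"),        # covers every other 10.x range
    ("Branch-B", "printers",       "192.168.50.0/24"),
    ("Branch-C", "printers",       "192.168.50.0/24"),   # exact duplicate of Branch-B
    ("DC",       "management",     "172.16.0.0/12"),
]


def find_overlaps(inventory):
    """Return (container, contained, kind) for every overlapping pair.

    kind is 'duplicate' for identical prefixes and 'contains' otherwise; in the
    'contains' case the first entry is always the larger (enclosing) prefix.
    CIDR prefixes are either disjoint or nested, so those two cases are exhaustive.
    """
    parsed = [(entry, ipaddress.ip_network(entry[2], strict=False)) for entry in inventory]
    findings = []
    for (a, net_a), (b, net_b) in combinations(parsed, 2):
        if net_a.version != net_b.version or not net_a.overlaps(net_b):
            continue
        if net_a == net_b:
            findings.append((a, b, "duplicate"))
        elif net_a.supernet_of(net_b):
            findings.append((a, b, "contains"))
        else:
            findings.append((b, a, "contains"))
    return findings


def offending_entries(inventory):
    """Inventory entries sorted by how many others they collide with, worst first,
    so the /8 that blankets a whole address plan floats to the top."""
    counts = {}
    for a, b, _ in find_overlaps(inventory):
        for entry in (a, b):
            counts[entry] = counts.get(entry, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for a, b, kind in find_overlaps(INVENTORY):
        print(f"{kind:9} {a[0]}/{a[1]} {a[2]}  ->  {b[0]}/{b[1]} {b[2]}")
    print("worst offenders:", offending_entries(INVENTORY))
```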

But I’ve seen earth movers, cows, ATMs, lightbulbs, drug pumps, silicon wafer fabs, vending machines, cash registers, information kiosks, ovens, refrigerators, pneumatic drills, scales, televisions, cars, personal health monitors, vacuum cleaners, and baby monitors all on customer networks. It’s not just that if there’s a thing, there’s both porn of it as well as an Internet-enabled version of it. It’s that those internet-enabled things will show up on your networks because either they were purchased and connected by the organization, or because people who work at that organization decided to bring them in and connect them up.

Some of those things are just fine, if they stay on guest networks. Some of those things are just fine, provided they are on segmented networks with limited or no access to the rest of the corporate networks and/or the Internet. And some of those things don’t belong anywhere on any network. The final say on which devices go where is up to the organization’s mission, values, and overall security posture.

But, before you can decide what should or should not be on the network, you need to know what *is* on the network.
