Re: Internet Architecture Project - PLEASE HELP

Subject: Re: Internet Architecture Project - PLEASE HELP
From: Sandy Harris <pashley -at- storm -dot- ca>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Wed, 03 Apr 2002 12:38:22 -0500


Arlen -dot- P -dot- Walker -at- jci -dot- com wrote:

> >2. Scan your internal network range using a tool like SuperScan from
> >Foundstone.

Also consider free tools. nmap and nessus are more-or-less standard on
Linux or other Unices. Sam Spade is widely used for tracking down
spammers. It can do large parts of this job and runs on Windows.

> That will determine what machines are there and what aren't.

Start by checking whois for the netblocks (address ranges) assigned to
your company, then finding the company DNS admins and asking them for
the DNS data.

DNS may not be enough. You likely need information on non-IP networking
as well. WINS, NetBIOS, AppleTalk, IPX, ... ?

> >It can also scan for open ports. If your company has any security on the network
> >(which they probably don't) you'll set off the IDSs. But that will at least
> >show them that you know what you're doing (sort of).
>
> Ummmm.....ask permission from someone up the ladder before doing this, ...

Moreover, make sure you get the right someone(s). Permission from your
boss may not cover the Omaha office. Getting that office mad at you is
bad enough. Getting them mad at your boss is worse.

> anything. Anything DHCP should be noted, but don't think too hard about
> them; *everything* with a fixed address *has* to be documented, whether
> it's in the DNS or not (especially if not).

There can be assorted complications.

Firewalls may (in fact, should) prevent scanning of large parts of
the network. The only way to get a complete picture might be to
visit every office with a laptop full of tools, or talk to people
in every office.

Many companies use private address ranges (RFC 1918) for some internal
machines. These will not be visible from outside the company, perhaps
not even for other parts of inside.

It is common practice to have two DNS servers, one visible to the
world and one only for internal users, with quite different data
on them. The world may see only a few servers -- perhaps only
www.bigcompany.com, dns.bigcompany.com and mail.bigcompany.com --
while the internal view has far more machines. The internal view
might vary from office to office.

> Net security types get *really* hostile (think http://www.bofh.net/ --
> language advisory is hereby given) when traffic like this hits their
> precious servers; they'll swarm out like hornets looking for the poor slob
> who just kicked their nest, and you'll want to have some shelter when they
> do.

Yes, indeed.

On the other hand, if your company has a security team, or contracts
out security monitoring to an external firm (an excellent idea;
several people on the list (at least Andrew & I) would be happy to
provide quotes :-), then those are the first people to talk to. They
should already have good maps, at least of some parts of the network.

I'd ask a lot of questions about how to deal with security or
administrative problems you turn up. I would give long odds you'll
find some in most companies, and the information should not just
vanish once found.

For example, does the DNS info for every mail server include
suitable MX records? These are pointers to backup mail servers
that will accept mail if your server is down or loses network
connectivity. There's a similar issue for secondary DNS servers.

Without these, if a backhoe hits your cable, or some disaster
trashes your office building, you are out of business.

Then there's the question of unnecessary services. I once
found 11 Linux servers on a small company's network ready
to accept mail, web or ftp connections. Their underpaid
overworked new graduate sys admin was doing OK on their
Windows systems, but they didn't want to pay for NT server,
so they had him install Linux on some boxes and he didn't
realise it came with default services ...

Another question is whether software is current. For example:
http://www.sans.org/newlook/alerts/NTE-bank.html
Several dozen sites broken into and over a million credit card
numbers obtained, using flaws in NT web servers. Microsoft had
issued patches for all those flaws, but the admins of the victim
servers had failed to install them.

Of course badly maintained Unix servers are just as vulnerable.
We were once asked to have a look at security of a few of a
multi-billion dollar firm's servers. A scan told us they were
running an old version of sendmail. There was a year-old CERT
alert on a flaw in it, fixed in later versions. Five minutes
of searching on a "hacker" site found a downloadable tool for
exploiting it. So about three hours after being asked to look,
we sent them email /from the root account on their mail server/
telling them they had a problem.

Perhaps looking for such things isn't your problem. If so, whose
problem is it? They would be your most helpful resource.
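
Added example, not part of the original message: a small audit of DNS data obtained from the DNS admins, flagging the redundancy gaps the post describes (a domain with a single MX or a single name server) plus mail or DNS targets that have no address record or only an RFC 1918 address. The zone data, the `bigcompany.example` names and the finding labels are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (assumption, not from the post), in simplified
# "owner type rdata" form as a DNS admin might export it.
SAMPLE_ZONE = """\
bigcompany.example.            NS  dns.bigcompany.example.
bigcompany.example.            MX  10 mail.bigcompany.example.
omaha.bigcompany.example.      NS  dns.bigcompany.example.
omaha.bigcompany.example.      NS  dns2.bigcompany.example.
omaha.bigcompany.example.      MX  10 mail.omaha.bigcompany.example.
omaha.bigcompany.example.      MX  20 mail.bigcompany.example.
dns.bigcompany.example.        A   192.0.2.53
mail.bigcompany.example.       A   192.0.2.25
mail.omaha.bigcompany.example. A   10.20.0.25
"""

def parse_zone(text):
    """Return {rtype: {owner: [rdata, ...]}} from 'owner type rdata' lines."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        if rtype.upper() == "MX":
            rdata = rdata.split()[1]              # drop preference, keep exchanger
        records[rtype.upper()][owner.lower()].append(rdata.strip().lower())
    return records

def audit(text):
    """Return sorted (finding, name) pairs for the gaps described above."""
    rec = parse_zone(text)
    findings = set()
    for rtype, label in (("MX", "single-mx"), ("NS", "single-ns")):
        for owner, targets in rec[rtype].items():
            if len(set(targets)) < 2:             # no backup server listed
                findings.add((label, owner))
            for t in targets:
                addrs = rec["A"].get(t, [])
                if not addrs:                     # target not in the supplied data
                    findings.add(("no-address", t))
                for a in addrs:
                    if any(ipaddress.ip_address(a) in n for n in RFC1918):
                        findings.add(("rfc1918-target", t))
    return sorted(findings)
```

Run `audit()` separately on the external and internal DNS views, since the two often hold quite different data.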
