Program detects dangers that run silent, run deep
IPsonar can find vulnerabilities you didn't know existed
- By John Breeden II
- Dec 08, 2005
When it comes to security, the problem with large enterprise networks is that most network defenses are static, but connectivity is dynamic. Over time, even the most secure networks develop vulnerabilities'and there is little network administrators can do to prevent it. IPsonar version 3.6.3 from Lumeta Corp. can help get a handle on both known and unknown network configurations and the vulnerabilities within them.
The known network comprises systems you know are attached to your network and should be configured in a certain way. The unknown network is made up of clients and devices that you did not even know existed. With large networks, the unknown parts can easily outnumber the known.
IPsonar is designed to be the first step in an overall security plan. It scans a network using various protocols to see what devices can connect to the outside world and to each other. The software can run on a 1U appliance or from a standard notebook. We tested the notebook version.
We hooked up IPsonar to the dirtiest, craziest, most hodgepodge network we could find'the GCN Lab test bed. With hundreds of software and hardware products coming and going throughout a year of testing, the lab network can start to look pretty chaotic to a data packet trying to navigate its way through. Interestingly enough, though, the same network will look different depending on the packets that are used to analyze it. IPsonar takes a 'packet's eye view'; some packets can't find their way out of certain devices while others can. At the end of a scan, the software generates a graphic that shows what types of packets can connect throughout a network, which provides important information, and could be a little surprising if you happen to believe your network is properly locked down.Rapid network scans
Scanning the GCN Lab network took only about 15 minutes, with about 200 active devices scanned. But the program can handle virtually any size network. Because IPsonar does not actually try to access each device (it merely maps the connectivity options among them), the scans are surprisingly quick considering the detailed info they generate.
The program performs three main functions. First is network discovery. In the network discovery phase, the program will identify the route-based connectivity between devices and also identify how aggressively subnet masking is implemented. It will zero in on any forwarding devices and filtering devices, such as network firewalls.
Beyond just finding the firewalls, IPsonar examines them to determine their impact on the network; you can see if the firewall is configured properly based on what you think it should be doing. Given that firewalls are one of the most difficult devices to configure correctly, it is good that IPsonar pays particular attention to them and other filtering devices. It also looks at router access control lists in the same manner.
The second task IPsonar performs is host discovery. In this phase, the program finds what devices are on a network. It does this by conducting a census of all the IP addresses.
Because IPsonar uses multiprotocol discovery, it can dig into a network and find devices hidden from the main network by protocol restrictions. If there is a way to reach the device using an alternate protocol, IPsonar can find them.
The third part of the program, the leak discovery phase, is probably the most useful for federal administrators charged with keeping data secure. In this phase, IPsonar will scan all discovered hosts to see if they have the ability to accept inbound or send outbound packets beyond the network to the Internet or other network devices. In this manner you might discover a communications chain through which a device on a secure network can chat with a device on a nonsecure network. This does not necessarily mean a breach has occurred, just that it is possible. You can set the number of hops you want the program to check for leaks.
Leaks can be discovered using a leak sensor. Lumeta maintains several leak sensors in New Jersey that you can use for testing, but feds worried about security can use their own internal sensors if they wish.
Here's how it works: The software spoofs a packet that supposedly comes from a leak sensor. If a device responds back to the sensor'and it will if it can since the packet was spoofed'then you know you have an open communications chain on a certain protocol. IPsonar is smart enough to know that if a device can't respond to a leak sensor but can send traffic to another device that can, then a possible security hole exists and the connection will be mapped.
The leak discovery phase will also find rogue or unmanaged devices such as wireless access points. If a wireless AP is properly managed, then it won't be identified as a rogue client. But if you simply plug in an AP out of the box, IPsonar will find it.
In our test scan, IPsonar found a wireless AP with all its factory default settings. More disturbingly, it found an unknown rogue router too. Examining the results for the routers, we were able to see how it was affecting the test bed's topology. We saw that the router was filtering packets, not letting certain ones pass while allowing others. Knowing we were looking for a router-type device that could filter, we were able to find a firewall that everyone thought had been disconnected months ago. Once we turned off the firewall, we pinged the IP address that IPsonar provided and confirmed it was gone.Weekly check-ups
With weekly scanning, you can make sure you plug holes as quickly as they form. Scanning a network is unobtrusive, and you can set the speed of the scan if you're worried about bandwidth.
Scans can occur at speeds from one packet per second up to 1,200 packets per second. This is important because unlike virus scanning, which can run during off-hours, you really want to run IPsonar during peak network times when there is a better chance that rogue devices will be active.
You can also tell the system to avoid scanning certain areas on your network by restricting the scan from looking at certain CIDR (Classless Inter-Domain Routing) blocks. This will keep the program from your executives' systems and off of highly classified networks, if necessary.
You can view reports remotely through a Web browser. The Web reports give fairly canned data, but are nonetheless helpful in fixing problems. For a more detailed look, you can use MapViewer, a program that comes with IPsonar that gives incredibly granular details about each device and packet type within the network environment.
Combining IPsonar with a secondary program such as a patch management system would go a long way to securing a network's static defenses in a dynamic world.
John Breeden II is a freelance technology writer for GCN.