The SANS Institute lists the top 20 critical security controls at http://www.sans.org/critical-security-controls/. In this post I will concern myself with their number 1 item: inventory of authorized and unauthorized devices. According to SANS, controlling the inventory of authorized and unauthorized devices on a network seeks to “actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” This article outlines several ways of implementing such control which I will briefly recount.
The need to audit one’s network is becoming more real every day. With the increasing number of people who use their personal computing devices for work comes an increasing risk of attackers gaining entry into the company network. It is no longer enough to protect from the outside-in; we need an inside-out approach, too.
The SANS Institute covers several control measures, both active an passive in nature. As for active tools, the use of network scanning, fingerprinting, and inventory software is recommended to establish and help maintain a network inventory. Network level authentication via the 802.1x protocol is also a good idea, and can be implemented using the inventory software I just described to determine which systems are authorized to access the network and what they are authorized to do. The inventory software should relay information about each device, such as what is is, where it is located, what it is for, and who is in charge of it.
Passive measures can be taken, as well. One example would be to ensure that all device acquisitions are automatically added to the inventory software. Another example includes passive network monitoring software such as a log scanning tool that gleans information from the various routers, switches, and servers on the network.
A combination of active and passive is a great approach. For example, one could design some software that uses the information gathered from the various logs to pinpoint questionable behavior and revoke access, alter access, or move the disruptive device to a different location on the network where damage can be mitigated. Yet another good technique involves the use of certificates to grant device access, although that isn’t quite as easy as it may sound.