The objective of securing your network can be broken down into two fundamental questions: 1) What devices are on your network? 2) How secure is each device?
Chances are, devices reside on your network that you don't know about or have forgotten. Unknown devices are problematic, and necessitate regular network device discovery efforts, preferably using an automated tool. If nothing else, network device discovery can serve as a great verification or foundation for comprehensive system documentation.
A good place to start is by considering just the primary information you'll need for discovery and assessment: the list of IP addresses your network uses.
Your IP address ranges, internal and external, define your battlefield. The more you know about your address space, including where IP addresses are physically located or assigned, what address ranges are for remote access and which IPs belong to important servers, the better you'll be able to assess, prioritize and respond to security issues. Hopefully your networking person can give you most of that information easily, particularly if that person is you. If the answer you get (if you can get one) is incomplete, you can use a few simple tricks to verify or create that list, and possibly expand it.
The settings on your DHCP servers will give you the address ranges they dynamically assign -- that's a great start. The remaining problems are statically assigned addresses and any rogue DHCP servers or other network-extending devices, such as wireless access points.
Routing tables on your routers and switches are another great reference to identify all in-use addresses. You could also run a network scanner, such as Nmap, and have it scan every possible IP address and discover what responds. Be careful about running any scanning product, including Nmap, on your network -- it may be in violation of policy and can cause outages in legacy products.
Another method is to extract IP addresses from the various application and system logs on your network. Antivirus products are frequently deployed across many endpoints and are often centrally managed; the resulting log data can be used to enumerate the IP addresses in use. Active Directory logs are another great source of IP address data. VPN address ranges, available by examining configuration settings or reviewing connection logs, are another important part of your network. VPN connections are a frequent entryway for malware to enter your network.
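As an added illustration (not code from the original tip), the script below pulls IPv4 addresses out of a few constructed antivirus, Active Directory and VPN log lines, discards noise such as loopback, de-duplicates across sources, and sorts each address into the known DHCP scopes, the VPN pool, or unexplained internal space that deserves a look. The log formats, scopes and pool are assumed placeholders, not values from any real product or network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines imitating antivirus, Active Directory and VPN logs (not real data).
SAMPLE_LOGS = """\
2024-03-01 08:12:03 av-console host=WS-114 ip=10.10.5.23 status=clean
2024-03-01 08:13:44 dc01 EventID=4624 Source Network Address: 10.10.5.40
2024-03-01 08:14:10 dc01 EventID=4624 Source Network Address: 10.10.9.250
2024-03-01 08:15:02 vpn-gw user=jdoe assigned 10.99.0.17 from 203.0.113.45
2024-03-01 08:15:30 av-console host=PRN-3 ip=10.10.9.250 status=outdated
2024-03-01 08:16:00 dc01 EventID=4624 Source Network Address: 127.0.0.1
2024-03-01 08:16:15 app-srv agent version 1.2.3.4 loaded
"""
# Assumed address plan (placeholder values), checked in order: DHCP scopes from the DHCP server
# settings, the VPN pool, then any remaining RFC 1918 space (static hosts or a rogue DHCP server).
PLAN = {
    "dhcp": [ipaddress.ip_network(n) for n in ("10.10.5.0/24", "10.10.7.0/24")],
    "vpn": [ipaddress.ip_network("10.99.0.0/24")],
    "static-or-rogue": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}
# Dotted quad not embedded in a longer numeric run; version strings such as 1.2.3.4 still match.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def extract_ips(text):
    """Return the set of syntactically valid IPv4 addresses worth inventorying."""
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # an octet above 255: not an address
        # Loopback, multicast, link-local and 0.0.0.0 say nothing about hosts on the wire.
        if not (ip.is_loopback or ip.is_multicast or ip.is_link_local or ip.is_unspecified):
            found.add(ip)
    return found

def classify(ip):
    """Name the first part of the address plan the address falls into."""
    for bucket, nets in PLAN.items():
        if any(ip in net for net in nets):
            return bucket
    return "external"  # public hits need review: 1.2.3.4 above is really a version string

def inventory(text):
    """Map each bucket to the sorted addresses seen in the logs (deduplicated across sources)."""
    buckets = {}
    for ip in sorted(extract_ips(text)):
        buckets.setdefault(classify(ip), []).append(str(ip))
    return buckets

def hosts_per_subnet(text):
    """Count distinct hosts per /24 to show which ranges are really in use."""
    return dict(Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in extract_ips(text)))
```

Run it over a real export and the "static-or-rogue" bucket is the list to reconcile against your DHCP and static-assignment records; the per-subnet counts are a first cut at the address ranges the rest of the tip builds on.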
A last-ditch method for defining your network is to find your current IP address, since that's obviously in use, and solicit the same information from co-workers across the company. It's hardly an ideal method, but it's a viable start if nothing else is available.
Your external address space can be found through the person responsible for your external network connections, or from your ISP. Online lookups, such as CentralOps.net, can also be used to discover your network addresses from an outsider's perspective.
With your IP address space known, you can begin the continual cycle of discovering the inhabitants of your network and assessing them. Knowing your IP range might not seem like much, but it's an important foundation as you build environmental information. You can now start adding layers of contextual information such as the names and roles of critical servers, and why those servers are deemed critical. Ultimately, the more you know about your network the better prepared you will be to respond to operational and security events.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.