Perpetual Network Auditing
An organization's network is constantly changing. New application servers are added, switch configurations are updated, and traffic flows change as the organization changes. The security team is constantly challenged to understand the interactions of the network at every level.

One of the best ways to understand this "living" network is constant examination. One common strategy is to blanket the network with a perpetual scan in an effort to maintain constant vigilance. Although this strategy isn't all-encompassing, it certainly fits into the concept of defense in depth or layered security. The security team never knows when the information gathered in the past will be valuable in the present.

Perpetual Network Auditing Details
  • Nmap Ping Type: The default nmap ping of an ICMP ping combined with a TCP ACK on port 80 is usually sufficient when the scan occurs on the local network. If the scan must traverse a firewall or packet filter, the ping should be modified accordingly.

  • Nmap Scan Type: For passive scanning, the TCP SYN scan (-sS) is appropriate. The SYN scan never initiates an application session, and the interaction between the nmap station and the remote device is only at the TCP transport layer. This scan type has a very low possibility of disrupting remote devices, especially when the network interactivity is administratively reduced through nmap's built-in timing policies.

  • IP Addresses: Since the range of IP addresses will be randomized (see below), it may be most effective to enter a large portion of the network's IP address ranges into the input file. If the scan is focused on a particular location or IP subnet, the IP address input file can be customized to fit this smaller group of stations.

  • Operating System Fingerprinting: The goal of this perpetual scan is to obtain as much information as possible with relatively little network interaction. The operating system fingerprinting option (-O) only sends fourteen additional frames, but the information received from the scan is extremely valuable. Although some additional accuracy could be garnered by including the --osscan_limit option, the goal of this perpetual information gathering process is to obtain the largest quantity of information possible. If this information is required at a later date, the accuracy of the information can be determined at that time.

  • Timing Policy: This perpetual scan doesn't need to complete in any particular timeframe. This scan should remain as invisible as possible and the availability of the devices on the network should be the primary concern. Setting a timing policy to "polite" (-T2) should allow the scan to run at a reasonable pace while maintaining a low amount of interactivity.

  • Reverse DNS: The assigned IP addresses in dynamic environments may change every day. If the DNS is integrated into the dynamic IP addressing environment, nmap should always perform a reverse name resolution (-R).

  • Randomize Hosts: Since this scan is constantly watching the network, it may be more interesting to have the scan randomly roam from one device to another. The --randomize_hosts option will shuffle the list of hosts so that the network interaction is never focused on one particular subnet.

One option that isn't included in the perpetual scan strategy is the version detection option. Unlike the operating system fingerprinting function, version detection is a more invasive method of querying a remote device. Version detection opens application sessions on the remote device, and the version detection information gathering process can consist of many frames for each open port. In an effort to keep this scan passive, simple, and relatively fast, the version scan option has not been included.

The nmap command line for the perpetual scan would look something like this (disregard the line break):
# nmap -vv -sS -iL input.lst --excludefile banned.lst 
  -O -T2 -R --randomize_hosts -oA perpetual
The output files will provide an easy-to-search grepable format, and a corresponding XML format for formal reporting purposes.
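
One way to put the stored grepable output to use is to compare an earlier snapshot with a later one and list what changed. The following is an added example, not part of the original text: the function names parse_gnmap and diff_scans are hypothetical, and the sample lines are constructed to follow the layout of the perpetual.gnmap file that -oA perpetual writes.

```python
# Added example; OLD_SCAN and NEW_SCAN are constructed .gnmap lines, not real output.
OLD_SCAN = (
    "Host: 10.0.5.20 (app01.example.lan)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///\tIgnored State: closed (998)\tOS: Linux 2.6.X\n"
)
NEW_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.0.5.20 (app01.example.lan)\tPorts: 22/open/tcp//ssh///, "
    "80/closed/tcp//http///, 3306/open/tcp//mysql///\tOS: Linux 2.6.X\n"
    "Host: 10.0.5.77 ()\tPorts: 23/open/tcp//telnet///\n"
)


def parse_gnmap(text):
    """Return {ip: {"name": str, "os": str, "open": {(port, proto), ...}}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip "# Nmap ..." header and footer comments
        fields = line.split("\t")  # grepable output is tab-separated
        ip, _, name = fields[0][len("Host: "):].partition(" ")
        host = hosts.setdefault(ip, {"name": name.strip("()"), "os": "", "open": set()})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "OS":
                host["os"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    port, state, proto = entry.split("/")[:3]
                    if state == "open":
                        host["open"].add((int(port), proto))
    return hosts


def diff_scans(old, new):
    """List hosts and open ports that differ between two parsed snapshots."""
    changes = []
    for ip in sorted(new):
        before = old[ip]["open"] if ip in old else set()
        if ip not in old:
            changes.append(f"{ip}: new host")
        for port, proto in sorted(new[ip]["open"] ^ before):
            state = "newly open" if (port, proto) in new[ip]["open"] else "no longer open"
            changes.append(f"{ip}: {port}/{proto} {state}")
    changes += [f"{ip}: host not seen" for ip in sorted(set(old) - set(new))]
    return changes


if __name__ == "__main__":
    print("\n".join(diff_scans(parse_gnmap(OLD_SCAN), parse_gnmap(NEW_SCAN))))
```

Because the perpetual scan roams the address range at random, a host missing from one snapshot may simply not have been reached yet, so "host not seen" entries are a prompt to look further, not proof that a device is gone.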