Network protection in the enterprise environment is typically achieved by implementing tightly controlled access points which filter and restrict all the traffic moving in and out of protected network segments. This approach is very effective because it allows for centrally managed control points which are capable of enforcing security controls on the entire network they are designed to protect.
But this setup only works if systems in the protected zone cannot bypass the control points and are not allowed to connect to the outside through alternative means. Bypassing can be achieved on purpose by users trying to circumvent restrictive security measures, or by mistakes in the configuration of gateways, servers and other systems.
In this blog I would like to discuss an approach by which these bypass connections can be monitored automatically, without a requirement to examine the configurations of individual systems.
The sketch below shows a typical enterprise network environment where the internal protected network is connected to an untrusted network (typically the Internet) via a dedicated firewall.
Some of the systems (4) & (5) may have alternate connections to the Internet via dial-up or broadband modems, or via dual-homed hosts with network interfaces on both the trusted and the untrusted network. Obviously these connections can present significant security problems, because they typically are not secured properly and may allow a back door connection into the network.
In order to automatically detect these "rogue" connections we will need to do the following:
- Obtain a list of all internal networks/IP addresses which will need to be scanned. These addresses are typically private network addresses not routable on the Internet (10.x.x.x, 192.168.x.x).
- Configure one system connected to your internal network to act as a scanner which will send specially crafted ICMP packets to all internal addresses in a sequential manner.
- The ICMP packets used for scanning will have the spoofed source IP address of the monitoring system (8), as shown on the diagram.
- Place the real internal IP address of the system being scanned into the ICMP packet payload, so it can be extracted at the monitoring system for reporting purposes.
- Configure the monitoring system (8) to log all ICMP packets it receives.
- Put a rule into the firewall (2) to block all outgoing ICMP packets going to the monitoring system (8).
As you can see, any system on the protected network which has a bypass connection to the Internet will reply to the ping packet and will send the reply to the monitoring system, bypassing the main firewall. Any packet received by the monitoring system will carry the source IP address of the bypass connection, with the private IP address of the system that responded to the ping written into the payload.
After one scan of all internal network IP addresses, we will see each system with a bypass connection recorded at the monitoring station.
The necessary custom ICMP packets can be generated by any tool capable of manipulating raw IP packets, such as the Perl Net::RawIP library. For monitoring of packets and reporting, a simple sniffer or the Snort IDS can be used.
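The following is an added example, not code from the original post, showing both halves of the procedure above in Python: the scanner side builds the IPv4+ICMP echo request with the monitoring system's address as the spoofed source and the target's internal address in the payload, and the monitor side parses captured packets and reports which internal host answered from which external address. Sending raw packets needs a raw socket and root privileges, so the example stops at the packet bytes and instead constructs a small simulated capture (the addresses, the `BYPASS-SCAN ` payload marker and the NAT-rewritten source are all assumptions made up for the example).

```python
import socket
import struct
from ipaddress import ip_address

# Assumed marker so the monitor can tell our probes' replies from unrelated pings.
MAGIC = b"BYPASS-SCAN "

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_packet(src_ip, dst_ip, icmp_type, payload, ident=0x5A5A, seq=1) -> bytes:
    """Return a complete IPv4 + ICMP packet with valid checksums (not sent anywhere)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                         socket.IPPROTO_ICMP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp

def build_probe(monitor_ip, target_ip) -> bytes:
    """Scanner side: echo request whose source is spoofed to the monitor (8) and whose
    payload carries the internal address of the host being probed."""
    return build_icmp_packet(monitor_ip, target_ip, 8, MAGIC + target_ip.encode("ascii"))

def simulate_reply(probe: bytes, egress_src: str) -> bytes:
    """Constructed test data: the echo reply a bypass host would send, as seen at the monitor
    after its alternate connection has rewritten the source to its public address."""
    ihl = (probe[0] & 0x0F) * 4
    ip_hdr, icmp = bytearray(probe[:ihl]), bytearray(probe[ihl:])
    ip_hdr[12:16] = socket.inet_aton(egress_src)   # source = bypass connection
    ip_hdr[16:20] = probe[12:16]                    # destination = the spoofed monitor address
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))
    icmp[0] = 0                                     # echo reply; payload is echoed unchanged
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return bytes(ip_hdr + icmp)

def parse_reply(packet: bytes):
    """Monitor side: return (bypass source, internal address) for echo replies that carry
    our marker, or None for anything else (non-ICMP, requests, bad checksum, other pings)."""
    if len(packet) < 28 or packet[9] != socket.IPPROTO_ICMP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if icmp[0] != 0 or checksum(icmp) != 0:         # not an echo reply / corrupted
        return None
    payload = icmp[8:]
    if not payload.startswith(MAGIC):               # unrelated ping answer, ignore
        return None
    try:
        internal = str(ip_address(payload[len(MAGIC):].decode("ascii")))
    except (UnicodeDecodeError, ValueError):
        return None
    return socket.inet_ntoa(packet[12:16]), internal

def report(packets) -> dict:
    """Map each responding internal address to the external address its reply came from."""
    found = {}
    for pkt in packets:
        hit = parse_reply(pkt)
        if hit:
            public, internal = hit
            found[internal] = public
    return found

MONITOR = "198.51.100.10"   # assumed address of monitoring system (8)

def constructed_sample_capture():
    """Constructed packets standing in for what the monitor's sniffer would log."""
    return [
        simulate_reply(build_probe(MONITOR, "10.1.2.3"), "203.0.113.7"),
        simulate_reply(build_probe(MONITOR, "10.1.9.20"), "203.0.113.44"),
        build_icmp_packet("192.0.2.5", MONITOR, 0, b"hello"),   # someone else's ping reply
        build_probe(MONITOR, "10.1.2.4"),                       # a stray request, not a reply
    ]

if __name__ == "__main__":
    for internal, public in report(constructed_sample_capture()).items():
        print("bypass connection: internal host %s reachable via %s" % (internal, public))
```

The reply is matched on the payload marker rather than on the ICMP identifier, because a NAT device on the alternate path will normally rewrite the identifier but echoes the payload untouched; the checksum check drops truncated or corrupted captures before they are reported. A host that has ICMP echo disabled will not appear in the report, so the scan finds bypass paths only on hosts that answer pings.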