Network monitoring

[Dan Farrell]

On Sun, 27 Jul 2008 19:49:49 -0400
Bart Silverstrim <bsilver at chrononomicon.com> wrote:

> Does anyone here have a program, preference, configuration, 
> recommendation...etc...for monitoring your own network for what
> machines are connected to it, as in auditing for people that may
> have connected with unauthorized hardware somewhere or at least log
> when machines are on the wifi or wired network when that network is
> too small to have a managed switch or managed WAP?
> 

It depends on the hardware that provides your wifi Access Point and your
internet router.  It's pretty unlikely on a small network that somebody
could plug a network cable in to your network without your noticing
it, but wireless network connections are of course much less
transparent.  

For these I would recommend looking into the options your AP gives
you.  If your wireless AP allows you some access, it will probably show
you the list of wireless devices connected to it.  If not, an
option might be to look at DHCP leases on your DHCP server, but this
may not be a perfect solution, because uninvited visitors could use a
static configuration instead.  

The fail-safe solution would be to use
an internet gateway with good reporting (like a linux compuer!) that
can show you the traffic going through your internet connection, where
it's from, and where it's headed.  You can then see if there's any
traffic you don't expect, and start to track down it's source.  

I would highly recommend using WPA on your wireless AP so you don't
have to worry about unauthorized access.  

Unfortunately, if your AP doesn't tell you these things, and you can't
get the information from another piece of hardware between the AP and
the internet connection, and you aren't on the same collision domain as
the AP (eg a hub rather than a switch) your only option is probably to
change your network topology to interpose a better statistics generator
between potential untrusted network segments and the internet.