Are you absolutely sure you know all the protocols and ports that are open on your network? If you're not the only person with the rights and permissions necessary to add devices to your network, you'll never know what's really "live and on the wire" -- unless you listen to your network. By periodically scanning your network, you'll be able to maintain a good view of what devices are connected to it and to determine whether those devices are communicating properly and using the allowed ports and protocols.
Start scanning
Depending upon the OS on your administrator's workstation, you could start by using scanning tools such as fping or SuperScan, which allow you to quickly scan a range of IP addresses to detect live network connections. This is one way to determine if someone is adding devices to the network without your knowledge and/or approval.
However, some devices (e.g., wireless devices) will need a different tool for discovery. If you're looking for rogue wireless access points (WAPs), you can use tools such as Kismet or NetStumbler. Finding an unauthorised WAP behind your security perimeter is bad news, but not finding one that's tapped into your network is even worse.
Take action
Ideally, you shouldn't find any surprises in your network scan results. If you do, though, take these steps.
Rogue WAPs
Immediately block the IP address of the WAP device at the switch where it's connected. This should provide you with enough time to find the physical device while the user is trying to discover what happened to his or her wireless network connection.
Non-wireless devices
If you find unknown non-wireless devices -- such as printers, departmental FTP/Web servers, etc. -- conduct an in-depth scan and determine exactly what the device's function is. Block the device from the network until you can physically locate it and disconnect it.
For a more thorough examination of the rogue device, you can use Ettercap or Winfingerprint. Both utilities do an excellent job of decoding the type of OS that's running on a remote device, which should help you discover the device's original purpose. These utilities also show what services are running and what ports are listening for connections.
Final thoughts
As administrators, it's our job to ensure that only authorised and secured devices operate on the network. Besides the obvious security reasons, there are performance gains to turning off unnecessary network protocols. Turning off unnecessary protocols helps reduce network chatter and increases bandwidth utilisation.
I've mentioned a lot of network tools in this article, all of which are free. If you use these tools to listen to your network and map every IP address, you might be surprised by what you find.
