6.6. Politics and Security

You should have a legitimate reason and the authority to use the tools described here. Some of these tools directly probe other computers on the network. Even legitimate uses of these tools can create surprises for users and may, in some instances, result in considerable ill will and mistrust. For example, doing security probes to discover weaknesses in your network may be a perfectly reasonable thing to do, provided that is your responsibility. But you don't want these scans to come as a surprise to your users. I, for one, strongly resent unexpected probing of my computer regardless of the reason. Often, a well-meaning individual has scanned a network only to find himself with a lot of explaining to do. The list of people who have made this mistake includes several big names in the security community.

With the rise of personal firewalls and monitoring tools, more and more users are monitoring what is happening on their local networks and at their computers. Not all of these users really understand the results returned by these tools, so you should be prepared to deal with misunderstandings. Reactions can be extreme, even from people who should know enough to put things in context.

The first time I used CiscoWorks for Windows, the program scanned the network with, among others, CMIP packets. This, of course, is a perfectly natural thing to do. Unfortunately, another machine on the network had been configured in a manner that, when it saw the packet, it began blocking all subsequent packets from the management station. It then began logging all subsequent traffic from the management station as attacks. This included the System Messaged Blocks (SMB) that are a normal part of the network background noise created by computers running Microsoft Windows. A couple of days later I received a very concerned email regarding a 10-page log of attacks originating from the management station. To make matters worse, the clock on the "attacked" computer was off a couple of hours. The times recorded for the alleged attacks didn't fall in the block of time I had run CiscoWorks. It did include, however, blocks of times I knew the management station was offline. Before it was all sorted out, my overactive imagination had turned it into a malicious attack with a goal of casting blame on the management station when it was nothing more than a misunderstanding.[29]

[29]This problem could have been lessened if both had been running NTP. NTP is discussed in Chapter 11, "Miscellaneous Tools".

It is best to deal with such potential problems in advance by clearly stating what you will be doing and why. If you can't justify it, then perhaps you should reconsider exactly why you are doing it. A number of sites automatically block networks or hosts they receive scans from. And within some organizations, unauthorized scanning may be grounds for dismissal. You should consider developing a formal policy clearly stating when and by whom scanning may and may not be done.

This leads to an important point: you really should have a thorough understanding of how scanning tools work before you use them. For example, some SNMP tools have you enter a list of the various SNMP passwords (community strings) you use on your network. In the automatic discovery mode, it will probe for SNMP devices by trying each of these passwords in turn on each machine on the network. This is intended to save the network manager from having to enter this information for each individual device. However, it is a simple matter for scanned machines to capture these passwords. Tools like dsniff are designed specifically for that purpose. I strongly recommend watching the behavior of whatever scanning tools you use with a tool like tcpdump or ethereal to see what it is actually doing.

Unfortunately, some of the developers of these tools can't seem to decide whether they are writing for responsible users or crackers. As previously noted, some tools include questionable features, such as support stealth scans or forged IP addresses. In general, I have described only those features for which I can see a legitimate use. However, sometimes there is no clear dividing line. For example, forged IP addresses can be useful in testing firewalls. When I have described such features, I assume that you will be able to distinguish between appropriate and inappropriate uses.

---