Simple network checks that can prevent major security issues
Certain changes in services or devices often go unnoticed; failing to recognize even a subtle change can have unpleasant consequences later.
Below are several examples of such changes, together with the checks that catch them; the checks are lightweight and can be run frequently against critical network assets.
The cases below assume that any change in a device's current state should be treated as a security issue until an authorized party confirms that the change was intended.
Domain names
This check belongs under domain names because a TLS certificate (still commonly called an SSL certificate) is issued for specific host names: it must match the name it is served for, and it must be renewed before it expires. A service that presents an invalid or expired certificate can be refused by external parties that verify it; a mail server that requires valid TLS from its peers is one example, and browsers and API clients refuse such connections outright. Check the expiry date well ahead of time (two weeks is a reasonable warning threshold), not only on the day the certificate stops working.
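As an added example (not code from the original post), the following Python script implements the certificate check with the standard library only. It runs offline against a constructed certificate dict in the shape returned by getpeercert(); the fetch_peer_cert() helper shows how the same dict is obtained from a live service. Host names, dates and the warning threshold are assumptions for the example.

```python
"""Certificate expiry and name check (added example, not from the original post)."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed certificate in the shape returned by SSLSocket.getpeercert();
# the dates and names are made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Mar 10 00:00:00 2024 GMT",
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live service presents for `host`.

    Not used by the sample run below; call it from a scheduled job. Verification
    stays on, so an untrusted or already expired chain raises
    ssl.SSLCertVerificationError here before check_cert() is reached; treat that
    exception as an alarm as well.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _cert_time(value):
    """Parse a getpeercert() date string ('Mar 10 00:00:00 2024 GMT') to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def _name_matches(pattern, hostname):
    """Match one DNS SAN entry against a host name; a wildcard covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def check_cert(cert, hostname, now=None, warn_days=14):
    """Return a list of findings for a certificate dict; an empty list means the check passed.

    `now` may be an aware datetime, an ISO date string such as '2024-03-01'
    (handy for a --now flag and for tests), or None for the current time.
    Findings: not yet valid / expired / expiring within warn_days / no SAN matches hostname.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now is None:
        now = datetime.now(timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    findings = []
    not_before, not_after = _cert_time(cert["notBefore"]), _cert_time(cert["notAfter"])
    if now < not_before:
        findings.append(f"not valid before {not_before:%Y-%m-%d}")
    remaining = not_after - now
    if remaining <= timedelta(0):
        findings.append(f"expired on {not_after:%Y-%m-%d}")
    elif remaining < timedelta(days=warn_days):
        findings.append(f"expires in {remaining.days} days")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(san, hostname) for san in sans):
        findings.append(f"no subjectAltName entry matches {hostname}")
    return findings


if __name__ == "__main__":
    # Exercise the check on the constructed certificate at a few fixed instants.
    for when, host in [
        ("2024-02-01", "www.example.com"),   # valid, plenty of time left
        ("2024-03-01", "www.example.com"),   # 9 days left: warn
        ("2024-03-11", "mail.example.com"),  # expired and served for the wrong name
    ]:
        print(when, host, check_cert(SAMPLE_CERT, host, now=when) or "OK")
```

For a live monitor, feed fetch_peer_cert(host) into check_cert(cert, host) on a schedule and alert on any non-empty result; because the default context verifies the chain, wrap the fetch in a try/except for ssl.SSLError and alert on that path too, since an unverifiable certificate is exactly the condition that gets a service blocked.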
A different kind of check compares the domain's current WHOIS record with a stored copy. A custom monitor can do this; any WHOIS change should be treated as an alarm, whether it affects the contact data or the NS (nameserver) records, because a registrar-level change of the nameservers hands control of every name under the domain to whoever made it.
DNS records
DNS (the Domain Name System) is a decentralized, hierarchical system that maps human-readable names to IP addresses. DNS defines which devices answer to which names, so whoever controls the responses for a zone controls where every client of that zone sends its traffic.
In most situations a DNS record change should be treated as a security risk unless the change is known to have been applied by an authorized party, so it is important to alert on DNS record changes. Create DNS monitors that query a variety of DNS servers (your own resolvers and several public ones, so that a single poisoned or hijacked resolver stands out against the rest) for every record crucial to normal intranet functioning, and alert whenever any answer deviates from the expected one; this catches attempts to redirect network communication to third-party IPs.
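The WHOIS comparison from the previous section and the multi-resolver DNS check described here are the same kind of monitor: snapshot a known-good state, fetch the current one, diff the two. The following Python script is an added example (not code from the original post) that implements both. It runs offline on constructed answers; the query_all() helper shows how live answers would be gathered with the dnspython package, and the WHOIS field names are an assumption about how your WHOIS client presents the record. All names, addresses and resolver IPs are examples.

```python
"""Change monitor for DNS answers and WHOIS records (added example, not from the original post)."""

# Baseline of expected DNS answers, keyed by (name, record type). Constructed
# for the example; in practice it is captured once from a known-good state.
BASELINE_DNS = {
    ("www.example.com", "A"): {"203.0.113.10"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.net.", "ns2.example.net."},
}

# Resolvers to ask; mix your own resolvers with public ones so that a single
# poisoned or hijacked resolver stands out against the rest.
RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]

# Constructed answers, as query_all() would return them: two resolvers agree
# with the baseline and one hands out a foreign address for www.
SAMPLE_ANSWERS = {
    "1.1.1.1": dict(BASELINE_DNS),
    "8.8.8.8": dict(BASELINE_DNS),
    "9.9.9.9": {**BASELINE_DNS, ("www.example.com", "A"): {"198.51.100.7"}},
}

# WHOIS fields worth watching. The field names are an assumption about how your
# WHOIS client presents the record (python-whois and the whois CLI differ).
WHOIS_FIELDS = ("registrar", "name_servers", "registrant_email", "status")

BASELINE_WHOIS = {
    "registrar": "Example Registrar, Inc.",
    "name_servers": {"ns1.example.net", "ns2.example.net"},
    "registrant_email": "hostmaster@example.com",
    "status": {"clientTransferProhibited"},
}

# Constructed "current" record: registrar and nameservers changed, transfer lock gone.
SAMPLE_WHOIS_NOW = {
    "registrar": "Other Registrar LLC",
    "name_servers": {"ns1.unknown-host.example", "ns2.unknown-host.example"},
    "registrant_email": "hostmaster@example.com",
    "status": set(),
}


def diff_sets(baseline, current):
    """Return (added, removed) as sorted lists."""
    return sorted(current - baseline), sorted(baseline - current)


def check_dns(baseline, answers):
    """Compare every resolver's answers against the baseline.

    answers: {resolver: {(name, rtype): set(values)}}. Each resolver is judged on
    its own, so one deviating resolver raises an alert even when the others agree;
    a missing or empty answer shows up as all expected values removed.
    """
    alerts = []
    for resolver, records in answers.items():
        for (name, rtype), expected in baseline.items():
            added, removed = diff_sets(expected, records.get((name, rtype), set()))
            if added or removed:
                alerts.append(f"{resolver}: {rtype} {name} changed: +{added} -{removed}")
    return alerts


def check_whois(baseline, current, fields=WHOIS_FIELDS):
    """Alert on any change in the watched WHOIS fields; set-valued fields are diffed."""
    alerts = []
    for field in fields:
        old, new = baseline.get(field), current.get(field)
        if isinstance(old, set) or isinstance(new, set):
            added, removed = diff_sets(set(old or ()), set(new or ()))
            if added or removed:
                alerts.append(f"whois {field} changed: +{added} -{removed}")
        elif old != new:
            alerts.append(f"whois {field} changed: {old!r} -> {new!r}")
    return alerts


def query_all(resolvers, keys, timeout=3.0):
    """Live lookups through each resolver in turn (needs the dnspython package).

    Not used by the sample run. A failed or empty lookup is recorded as an empty
    set so that check_dns() reports the records as missing.
    """
    import dns.exception
    import dns.resolver

    answers = {}
    for ip in resolvers:
        res = dns.resolver.Resolver(configure=False)
        res.nameservers = [ip]
        res.lifetime = timeout
        answers[ip] = {}
        for name, rtype in keys:
            try:
                answers[ip][(name, rtype)] = {rr.to_text() for rr in res.resolve(name, rtype)}
            except dns.exception.DNSException:
                answers[ip][(name, rtype)] = set()
    return answers


if __name__ == "__main__":
    # Replace SAMPLE_ANSWERS with query_all(RESOLVERS, BASELINE_DNS) for a live run.
    for line in check_dns(BASELINE_DNS, SAMPLE_ANSWERS) + check_whois(BASELINE_WHOIS, SAMPLE_WHOIS_NOW):
        print("ALERT", line)
```

Every resolver is compared to the baseline individually rather than to a majority vote: a majority of agreeing resolvers is no comfort when the one that disagrees is the resolver your users actually use. Round-robin or geo-distributed records legitimately return varying subsets; for those, store the full set of acceptable values in the baseline and alert only on values outside it.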
Open ports
Nmap is a well-known tool for network analysis. Among other functions, it can scan an IP address for open ports, determining which ports accept connections and what kind of service is likely listening on each of them.
Under normal circumstances the set of open ports on a host does not change much over time. If a new open port appears and is not properly justified, it should be treated as a security issue. This is especially important for every computer within the intranet: a new open port may mean that malware is running on the host, which is a threat to other systems on the same network.
A simple script that scans known devices with Nmap from time to time can feed a custom monitor that detects open-port changes. It needs some precautions to avoid spurious alarms (scan from a fixed source with the same options every time, and ignore transient states such as filtered ports), but it serves as an early-warning system for attempts to compromise the network.
Important: a port scan is itself indistinguishable from an attacker's reconnaissance; before setting up port-scanning monitors, make sure the scanning source is safelisted on every target device and in any intrusion detection system watching the network.
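As an added example (not code from the original post), the following Python script implements the open-port monitor described above. It parses Nmap's grepable output (-oG), keeps only ports reported as open, and diffs them against a per-host baseline of justified ports. The scan output embedded below is constructed for the example, as are the hosts and the baseline; the scan() helper shows the Nmap invocation a scheduled job would use.

```python
"""Open-port drift detector over Nmap grepable output (added example, not from the original post)."""
import re
import subprocess

# Justified open ports per host. Constructed for the example; in practice it is
# taken from a known-good scan and updated only when a change has been approved.
BASELINE_PORTS = {
    "192.168.1.10": {"22/tcp", "80/tcp", "443/tcp"},
    "192.168.1.20": {"22/tcp"},
}

# Constructed sample of `nmap -oG -` output (not a real scan): host .10 has grown
# an unexpected listener on 4444/tcp, host .20 is unchanged.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sT -p- -oG - 192.168.1.10 192.168.1.20
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 4444/open/tcp//krb524///\tIgnored State: closed (65531)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///\tIgnored State: closed (65533)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# Grepable format: "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."
PORTS_LINE = re.compile(r"^Host: (?P<ip>\S+) .*\tPorts: (?P<ports>[^\t]*)")


def parse_gnmap(text):
    """Return {ip: set('port/proto')} with only the ports Nmap reported as open.

    'filtered' and 'closed' entries are dropped on purpose: they fluctuate with
    firewall state and would only produce noise in a change monitor.
    """
    open_ports = {}
    for line in text.splitlines():
        match = PORTS_LINE.match(line)
        if not match:
            continue
        ports = open_ports.setdefault(match.group("ip"), set())
        for entry in match.group("ports").split(", "):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                ports.add(f"{port}/{proto}")
    return open_ports


def compare_ports(baseline, scanned):
    """Return {ip: {'new': [...], 'gone': [...]}} for every host whose open ports drifted.

    A host in the baseline but absent from the scan shows all its ports as 'gone'
    (it may be down, or the scanner may have been blocked); a host that appears
    only in the scan shows all its ports as 'new'. Both deserve a look.
    """
    report = {}
    for ip in sorted(set(baseline) | set(scanned)):
        expected, seen = baseline.get(ip, set()), scanned.get(ip, set())
        new, gone = sorted(seen - expected), sorted(expected - seen)
        if new or gone:
            report[ip] = {"new": new, "gone": gone}
    return report


def scan(targets, ports="-"):
    """Run Nmap against `targets` and return its grepable output (needs nmap on PATH).

    -sT (TCP connect) works without raw-socket privileges; use -sS as root for
    speed, and add -Pn for hosts that drop ping. Not used by the sample run.
    """
    cmd = ["nmap", "-sT", f"-p{ports}", "-oG", "-", *targets]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Replace SAMPLE_GNMAP with scan(list(BASELINE_PORTS)) for a live run.
    for ip, drift in compare_ports(BASELINE_PORTS, parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"ALERT {ip}: new={drift['new']} gone={drift['gone']}")
```

Run it from one fixed scanning host on a schedule, and keep the Nmap options identical between runs: changing the port range or scan type between runs produces "changes" that are artefacts of the scanner, not of the target. The filtered 25/tcp entry in the sample is deliberately not reported; if it later becomes open it will be.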
Conclusion
Do you need assistance in setting up the mentioned monitors? Feel free to contact us, or post a comment below.