Step 3: Scan your network
You need to monitor the network baseline for any deviations by scanning the network on a regular basis. You must be aware of any new systems and/or TCP/UDP services that are added to the network.
The NETFOX actively scans the network for deviations. The NETFOX Network Administrators have the ability to initiate two different types of scans, a Who and a What scan.
The Who scan allows the NETFOX Network Administrator to scan an organization's entire network range, a subnet, or a single IP address. The Who scan identifies all machines that are active on the network. The scan gathers every system's identifying attributes (e.g. DNS name, NetBIOS name, username, MAC address). The NETFOX compares the scan results to the policy baseline to identify deviations. The NETFOX deems a system to be a potential 'stowaway' if the system responds to a TCP SYN request but does not respond to an ICMP ping. This could be a potential hacker on your network and should be investigated. Stowaway characteristics may be caused by a router or firewall, so the NETFOX allows you to label a machine a LEGAL stowaway if this is the case. This is extremely important for wireless and DHCP networks.
The NETFOX What scan allows the Network Administrator to scan an organization's entire network, a subnet, or a single IP address. The What scan can be tailored to scan all well-known TCP/UDP ports (1-1023), registered TCP/UDP ports, a range of TCP/UDP ports, or an array of TCP/UDP ports.
The What scan identifies the active TCP/UDP ports on every active system. The scan results are compared to each system's machine template to determine if the active TCP/UDP ports are policy baseline compliant. The What scan also captures TCP/UDP port banners so you can determine if SSH or FTP is running on TCP port 80, instead of a web server.
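
The comparison logic described for the Who and What scans can be sketched as follows. This is an added example, not NETFOX code: it classifies already-collected scan records against a baseline, and the baseline layout (keyed by MAC address), the finding labels, the function names and all sample data are assumptions constructed for illustration.

```python
import re

# Constructed policy baseline (assumption: keyed by MAC address).
# Each machine template maps an allowed TCP port to its expected protocol.
BASELINE = {
    "00:11:22:33:44:55": {22: "ssh", 80: "http"},   # web server
    "00:11:22:33:44:66": {443: "http"},             # firewall
}
LEGAL_STOWAWAYS = {"00:11:22:33:44:66"}  # known to drop ICMP by design

# Banner patterns used to recognise the protocol actually answering on a port.
SIGNATURES = [("ssh", re.compile(r"^SSH-\d")),
              ("ftp", re.compile(r"^220[ -].*ftp", re.I)),
              ("http", re.compile(r"^HTTP/\d"))]

def identify(banner):
    """Return the protocol a banner belongs to, or None if unrecognised."""
    return next((p for p, rx in SIGNATURES if rx.search(banner)), None)

def audit(scan):
    """Compare constructed Who/What scan records to the baseline."""
    findings = []
    for host in scan:
        ip, mac = host["ip"], host["mac"]
        template = BASELINE.get(mac)
        if template is None:
            findings.append((ip, "new-system", mac))
        # Stowaway rule from the text: answers TCP SYN but not ICMP ping.
        if host["syn_reply"] and not host["icmp_reply"]:
            kind = "legal-stowaway" if mac in LEGAL_STOWAWAYS else "stowaway"
            findings.append((ip, kind, mac))
        if template is None:
            continue  # no machine template to check ports against
        for port, banner in sorted(host["open_ports"].items()):
            if port not in template:
                findings.append((ip, "port-not-in-template", port))
            elif identify(banner) not in (None, template[port]):
                findings.append((ip, "banner-mismatch", f"{port}:{identify(banner)}"))
    return findings

# Constructed scan results (documentation addresses, made-up MACs and banners).
SAMPLE_SCAN = [
    {"ip": "192.0.2.10", "mac": "00:11:22:33:44:55", "syn_reply": True, "icmp_reply": True,
     "open_ports": {80: "SSH-2.0-OpenSSH_9.6", 22: "SSH-2.0-OpenSSH_9.6", 21: "220 ProFTPD ready"}},
    {"ip": "192.0.2.1", "mac": "00:11:22:33:44:66", "syn_reply": True, "icmp_reply": False,
     "open_ports": {443: ""}},
    {"ip": "192.0.2.77", "mac": "de:ad:be:ef:00:01", "syn_reply": True, "icmp_reply": False,
     "open_ports": {8080: ""}},
]
```

An empty banner is treated as unrecognised rather than as a mismatch, so a port that captures no banner is checked only against the template's port list.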