How to: Locating possible Rogue devices on the Network.

Version 1

    This is a quick “How To” mini-series on tackling common issues that IT Administrators deal with on a daily basis. Each entry covers a single scenario and shows how to use SolarWinds software to address it in a few minutes.

    Scenario:


    One recurring issue that is always on the minds of the majority of Federal Customers is “How do I find rogue devices in my Network?” This used to be a manual process. Based on my personal experience, I was handed a report from my Network Security Officer during an exercise in Germany listing 20 unauthorized systems by System Name and IP Address. This turned into a treasure hunt to find a single system. I was lucky that day: one device on the list was pingable, and we drove out to our remote location to pick up the system and hand it to our Security Officer. News reached the entire Brigade within an hour of the Rogue system being confiscated, and for the rest of the month all Rogue Systems disappeared from the Network.

    Not all IT Technicians are lucky enough to find a system that easily. The User Device Tracker (UDT) module simplifies and automates the process of finding the system.


    What information will I need before I begin?

    You will need to have one of the following:

    MAC Address (Preferred)

    IP Address

    Hostname


    Finding the Rogue System:

    To find a Rogue system on your Network using UDT, make sure that you have the Hostname, MAC Address, or IP Address. The MAC Address is always the best way to search for a system, since it is harder to change than an IP Address or a Hostname. At the top right, enter the information, select the ˅ and make sure that the appropriate search type is selected, then press the Search icon.
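    As an added example (not part of the original how-to), this Python script takes a list like the one the Security Officer handed over in the Scenario, decides which of the three UDT search types each entry is, and normalizes MAC addresses written in dash, colon or Cisco dotted form into one canonical form so the preferred MAC search can be used. The sample list is constructed and does not describe real devices.

```python
import ipaddress
import re

# Constructed sample list of the kind a Security Officer hands over: the same MAC in
# three common formats, an IP, a hostname and one junk entry (not real devices).
UNAUTHORIZED_LIST = [
    "00-1A-2B-3C-4D-5E",         # Windows-style MAC
    "001a.2b3c.4d5e",            # Cisco-style MAC, as shown in switch CAM tables
    "00:1a:2b:3c:4d:5e",         # Unix-style MAC
    "10.10.5.77",                # IPv4 address
    "LAPTOP-ROGUE01",            # hostname
    "not a valid identifier!!",  # junk, must be rejected rather than searched
]

# Dash-, colon- or Cisco-dot-separated MACs; bare 12-hex strings are not accepted
# because they cannot be told apart from hostnames.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$|^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$")
# RFC 1123 style hostname or FQDN: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def normalize_mac(value):
    """Return the MAC as six uppercase colon-separated octets, or None if not a MAC."""
    if not MAC_RE.match(value):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(value):
    """Pick the UDT search type for one entry: MAC first, then IP, then hostname."""
    value = value.strip()
    mac = normalize_mac(value)
    if mac:
        return ("MAC Address", mac)
    try:
        return ("IP Address", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return ("Hostname", value.lower())
    return (None, value)

def build_search_plan(entries):
    """Collapse the list into unique (search type, key) pairs; junk goes to a reject list."""
    plan, rejected = {}, []
    for entry in entries:
        kind, key = classify(entry)
        if kind is None:
            rejected.append(entry)
        else:
            plan.setdefault((kind, key), []).append(entry)
    return plan, rejected
```

    Running build_search_plan(UNAUTHORIZED_LIST) collapses the three spellings of the MAC into one search and sets the junk entry aside, so every remaining key can be typed straight into the UDT search box with the matching search type selected.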


    (Image 1)


    If UDT finds a single result, it will automatically take you to the Endpoint Details page for the Device.

    (Image 2)

    How to be automatically notified when the system enters the Network (Part 1)

    What if User Device Tracker is unable to find the Device?


    This is where the Device Watch List resource will become your favorite feature. The Device Watch List monitors for the device and alerts you when it finds it, and you can receive an E-mail once it is found. On the UDT Summary Page, find the Device Watch List resource and select Manage List.

    (Image 3)


    In the Manage Watch List screen, select Add Device. You will notice that when adding the device, it will search for either the MAC Address (Preferred), IP Address, or Hostname. Since I have the MAC, I will enter it and add a Name and Description for the device in question.

    (Image 4)


    How to be automatically notified when the system enters the Network (Part 2)


    How do I make this an Alert?

    Now that the Device is in our Watch List, you will need to go into the Advanced Alert Manager and make sure that the Default Alert “Alert me when watch list item becomes active” is Enabled, then add a Trigger Action that sends an E-mail.

    This is what I put into my E-mail to notify me of the Security Incident. Your E-mail will vary, but this is a good jumping-off point that includes the useful information.

    *************  Automated Security Incident  ************

    Possible Rogue Device has been identified and located via UDT.

    **Device Details**

    Watch Name: ${WatchName}

    Is the Device found on the Network? ${Present}

    Time Device found: ${AlertTriggerTime}

    Device Notes: ${Note}

    **Important URLs**

    Device URL: ${WatchListDetailsURL}

    Acknowledge Alert URL: ${AcknowledgeURL}

    *************  Automated Security Incident  ************


    Now when the device is on the Network, I will be E-mailed the location of the device. This is what I saw when the device entered the Network:

    (Image 5)


    When I click on the Device URL, it automatically takes me to the Device Tracker Endpoint Details page (see Image 2). To Acknowledge the Alert, select the Acknowledge URL link; this notifies the other users that you have been notified and are picking up the system now.


    This document was generated from the following discussion: How to: Locating possible Rogue devices on the Network.