Network auditing is a must for any organisation

Network auditing is a must for any organization. Networks are dynamic entities; they grow, shrink, change and divide themselves continuously. Network administrators cannot even assume this process is entirely under their control. Users add devices and sometimes even new hardware to the network infrastructure.

Even worse, it is not the first time a user would install software they need without informing the administrator. These activities can have drastic repercussions on network security. To solve this, an administrator needs to perform regular network auditing and monitor any changes to the preset baseline.

Network auditing is a process in which your network is mapped both in terms of software and hardware. The process can be daunting if done manually, but luckily some tools can help automate a large part of the process. The administrator needs to know what machines and devices are connected to the network. He should also know what operating systems are running and to what service pack/patch level.

Another point on the checklist should be what user accounts and groups are on each machine as well as what shares are available and to whom. A good network audit will also include what hardware makes up each machine, what policies affect that machine and whether it is a physical or a virtual machine. The more detailed the specification the better.

Once the machines running on our network are mapped, the administrator should then move to audit what software is running on each of the machines. This can be done manually, through an application, or simply asking each machine owner to run a script that would automatically catalogue applications and send the administrator an email with a report of the software installed.

After the software inventory is done, the process can then catalogue the services which are installed, which are running and which are stopped. The audit for the machines can be finalized by noting which ports each machine listens on and what software is actually running at the time of the audit.

Once the administrator concludes auditing the computers on the network, s/he can move on to cataloguing the devices. These can include printers, fax machines, routers, access points, network storage and any other device that has connectivity with the network.

Once this is done, the network audit would be complete, but the data will now need to be analyzed. Is any machine running unauthorized software or hardware? Is any machine lacking necessary patches? After these and other relevant questions to each specific network are addressed and machines that weren’t up to standard are brought in line, the administrator now has an effective security/inventory baseline for all machines on the network.

Where should an administrator go from here?

So what can the information gathered through the network audit be used for? Network auditing tools can be set to run an audit automatically on a schedule, for example every Friday. These weekly reports can then be used to monitor changes on the network, based on the baseline the administrator would have created, and report changes when they occur.

The administrator can then enforce proper change management policies on the network. He/she would also be able to detect and take action against unauthorized software/hardware that might potentially jeopardize the network’s security, or even put the company at risk of legal action as the user installing this software might not have the necessary licenses.

A regular security audit can potentially detect theft; some users might decide a fraction of the memory available on their workstation might be put to better use at home, for example. Another common case is when a user might think it wouldn’t be a problem if he/she bought and connected a wireless access point at work to have internet connectivity on his mobile phone. This process can also help the administrator know if users disabled the company antivirus or uninstalled any other security software on his system.

All in all, network auditing is important for any administrator. Networks change dynamically both through the actions of the administrator and without his or her intervention. Regular network auditing is the only way an administrator can keep up with changes to the network under care.

Emmanuel Carabott CISSP heads security research at GFI Software. He has over 12 years’ experience in the security field and is a regular contributor to several websites and blogs. For more information about the benefits of using email usage reporting.