    Example: Using Profiler to Mitigate Risks from Laptops

    Suppose your corporate firewall blocks RPC file-sharing traffic from the Internet to protect sensitive corporate files, but permits RPC file sharing on the local network for convenience.

    Suppose a laptop user has a good reason to use a partner's wireless network to access the Internet. Because the laptop accepts inbound RPC connections, it is infected with the Blaster worm by an already-infected host on that network. When the user returns to the office and connects the laptop to the corporate network, the worm immediately begins scanning the internal network and infecting every host that exposes RPC. The perimeter firewall never sees this traffic, because the infected laptop is already inside it; that is why a tool that watches internal network behavior, such as the Profiler, is what catches the outbreak.

    The Profiler records every unique combination of source, destination and service it sees on the network, so the sweep from the returning laptop shows up as new activity. If you have configured the Profiler to send alerts for new hosts, you receive an alert that a new host has joined the network. In response to the alert, you check the Profiler viewer for details on the new host, and you learn that a host in your network is probing the entire network with ICMP, a possible sign of a worm such as Blaster (Blaster itself scans for TCP port 135; an ICMP echo sweep is characteristic of the Welchia/Nachi variant that spread through the same RPC flaw).

    To investigate:

    1. Restart the Profiler.
    2. In the NSM navigation tree, select Investigate > Security Monitor > Profiler to display the Profiler viewer.
    3. Click the Network Profiler tab and review the source, destination, and service data.
    4. Apply a filter to the Service column values so that only records matching ICMP are displayed.
    5. Apply a second filter to the Access Type column so that only records matching ICMP and probe are displayed.
    6. Apply a third filter to the Last Time column so that only records from the last two hours are displayed.

      The Network Profiler displays all network components that used ICMP to probe the network in the last two hours.

      With the nonmatching records filtered out, the remaining source addresses are the hosts currently probing your network with ICMP. However, because DHCP assigns IP addresses dynamically, an IP address alone does not identify the laptop: the address may have belonged to a different host an hour ago and may be reassigned once the lease expires, so you need the MAC address to find which laptop currently holds it.

    7. Right-click the source cell of the record to display its MAC address. If your enterprise maintains records matching MAC addresses to laptops (an asset inventory, or the DHCP server's lease table), you can track down the specific infected host and isolate it from the network.
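      The same investigation expressed as code, as an added example that is not part of this page or of NSM: the three filters from steps 4 to 6 are applied to constructed Profiler-style records, sources that touched many distinct destinations are flagged as sweeps, and each flagged IP address is resolved to a MAC address and an asset through a constructed DHCP lease table and inventory (step 7). The record field names, the lease and inventory tables, and the sweep threshold are assumptions made for the example.

```python
# Added example (not Juniper NSM code): reproduce the Profiler filter steps
# over constructed records, then map the suspicious source IP to a MAC
# address and asset the way steps 4-7 describe.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Profiler-style records. Field names (src, dst,
# service, access, last) are assumptions, not Profiler's real schema.
NOW = datetime(2011, 2, 8, 10, 0, 0)

RECORDS = [
    # One host pinging a whole range in the last few minutes: an ICMP probe sweep.
    *[
        {"src": "10.1.5.77", "dst": f"10.1.6.{i}", "service": "ICMP",
         "access": "probe", "last": NOW - timedelta(minutes=3)}
        for i in range(1, 60)
    ],
    # Routine ICMP from a monitoring box to a known gateway, not a probe.
    {"src": "10.1.1.10", "dst": "10.1.1.1", "service": "ICMP",
     "access": "normal", "last": NOW - timedelta(minutes=1)},
    # An old ICMP probe from yesterday: outside the two-hour window.
    {"src": "10.1.9.9", "dst": "10.1.9.200", "service": "ICMP",
     "access": "probe", "last": NOW - timedelta(days=1)},
    # Non-ICMP traffic from the suspect host (dropped by the service filter).
    {"src": "10.1.5.77", "dst": "10.1.6.4", "service": "TCP/135",
     "access": "normal", "last": NOW - timedelta(minutes=2)},
]

# Constructed DHCP lease table and asset inventory; the page only says
# "if your enterprise maintains records", so both are assumed here.
DHCP_LEASES = {"10.1.5.77": "00:1c:42:ab:cd:01", "10.1.1.10": "00:1c:42:ab:cd:02"}
ASSET_INVENTORY = {"00:1c:42:ab:cd:01": "LAPTOP-0417 (sales, assigned to J. Doe)"}


def filter_icmp_probes(records, now, window=timedelta(hours=2)):
    """Steps 4-6: keep records with service ICMP, access type probe,
    and a last-seen time inside the window."""
    cutoff = now - window
    return [r for r in records
            if r["service"] == "ICMP" and r["access"] == "probe" and r["last"] >= cutoff]


def suspicious_sources(records, now, min_targets=16):
    """Group the surviving records by source and keep sources that probed
    at least min_targets distinct destinations: one source, many targets
    is the shape of a sweep. The threshold is an assumed tuning value."""
    targets = defaultdict(set)
    for r in filter_icmp_probes(records, now):
        targets[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def resolve_host(ip, leases, inventory):
    """Step 7: IP -> MAC through the current DHCP lease, then MAC -> asset
    through the inventory. Missing entries are reported as None rather
    than guessed, since a stale lease would point at the wrong laptop."""
    mac = leases.get(ip)
    if mac is None:
        return {"ip": ip, "mac": None, "asset": None}
    return {"ip": ip, "mac": mac, "asset": inventory.get(mac)}


def investigate(records=RECORDS, now=NOW, leases=DHCP_LEASES, inventory=ASSET_INVENTORY):
    """Run the whole procedure and return one finding per sweeping source."""
    return [dict(resolve_host(src, leases, inventory), targets=count)
            for src, count in suspicious_sources(records, now).items()]


if __name__ == "__main__":
    for finding in investigate():
        print(finding)
```

      Run it as-is to see the single finding for 10.1.5.77: the monitoring host is dropped by the access-type filter, the day-old probe by the time window, and the TCP/135 record by the service filter. Resolving the MAC address from the live lease table at the time of the alert matters; by the time the lease turns over, the same IP address may belong to an innocent machine.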

    Published: 2011-02-08