Intrusion Detection with Continuous Scan
Many organizations must meet the requirements of HIPAA, Sarbanes-Oxley, and other regulations. Every organization needs to protect itself against intruders and rogue nodes.
Continuous Scan was designed to help organizations meet security requirements by providing continuously updated network documentation, logging nodes on and off the network, and maintaining an up-to-date network diagram.
The Continuous Scan option is an intrusion detection system that uses one or more LANsurveyor maps as the baseline network environment. Once you have identified the systems on the baseline map as acceptable, turn on Continuous Scan.
When Continuous Scan is active, LANsurveyor scans the network and looks for any new nodes. Since they weren't already on the map, the new nodes may not belong on the network. Therefore, they are listed on the Threat List.
In a managed switch environment, you can disable network access for rogue nodes directly from the Threat List, or have LANsurveyor disable all new nodes automatically.
Step 1 of 6: Open and Verify Your Map(s)
Launch LANsurveyor and open the maps with the network segments you want to scan.
Verify the maps before you start: many organizations switch on security monitoring without first confirming that every system already connected to the network should be there, locking the wolves in with the sheep. A node that is on the baseline map is never reported, so anything rogue that is already present stays invisible to Continuous Scan.
Step 2 of 6: Continuous Scan Window
Select Continuous Scan from the Window menu to open the Continuous Scan window.

Step 3 of 6: Scanning Options
Click on the Options button on the Continuous Scan window or select Continuous Scan>Options from the Monitor menu to set the Continuous Scan options.

Scan every n minutes sets the interval between passes over the specified or open maps. If the interval is shorter than the time a pass takes, LANsurveyor starts the next pass immediately after the previous one finishes.
You can also discover rogue nodes that mask their IP addresses and show up only when their network activity can be detected through their Ethernet (MAC) address. Select Expose rogue Ethernet addresses to discover masked nodes and to report on those nodes if they change the switch or the switch port they connect through. You can also attempt to authenticate rogue Ethernet addresses using the methods you select in the Ethernet Address Responses tab. Keep in mind that an Ethernet address is trivial to forge, so a node whose address matches the baseline is not proof that it is the same machine; the authentication responses are the stronger check.
Step 4 of 6: Responses Options
Click on the Responses tab to establish authentication criteria, alert settings, and whether or not to automatically disable new nodes. When a new node is encountered, LANsurveyor authenticates the node through either the Responder password or SNMP Community String.

Continuous Scan is also integrated with a variety of third-party vulnerability assessment solutions, including Symantec's NetRecon, Qualys' QualysGuard, and Microsoft's Baseline Security Analyzer (MBSA).
You can receive different alerts when LANsurveyor encounters either an authenticated or unauthenticated node.
Click OK when you are through setting your options.
Note: Port enable/disable requires a "managed" or SNMP-enabled switch with the correct read/write community string. That string grants write access to the switch configuration, so restrict it to the LANsurveyor host and do not reuse the read-only string for it. To set alerts, follow the instructions in the Monitor Your Network Applications tutorial.
Step 5 of 6: Begin Scanning
Click on Start to begin scanning your network for intruders and other new nodes.
When a new node is detected on the network, LANsurveyor adds the node to the Threat List window.

The Threat List records when each node was detected, along with the node name, IP address, Ethernet address, the hub or switch the node is connected to, and, if that device is SNMP-enabled, the switch port used for the connection. If you determine that a node is rogue, select it in the Threat List and click Disable to cut its network access. If you later decide a disabled node should be allowed, select it and click Enable.
Remove a node from the Threat List by selecting it and pressing the delete key.
Note: If you want to run LANsurveyor as a service (File>Run As A Service...) or only want certain maps monitored for intrusions, specify the map files in Tools>Options>AutoOpen. The maps you specify are opened automatically when LANsurveyor is launched, and only those maps (and their associated network segments) are scanned.
Step 6 of 6: Logging
Newly discovered nodes are listed on the Threat List, and in addition Continuous Scan logs nodes joining and leaving the network during each pass, which is the record you need for network forensics. This information can also be sent automatically to a syslog server. Refer to the LANsurveyor User's Guide for more information.
To access the Session Log, select Session Log from the Window menu. The log lists the most recent information at the top and the oldest at the bottom of the log window.
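The mechanics behind Steps 3 through 6 (a baseline of accepted nodes, a scan that flags unknown Ethernet addresses, a report when a known address moves to another switch or port, an authentication step that admits new nodes, and a newest-first log of nodes going on and off) can be shown in a few dozen lines. The following is an added example, not LANsurveyor code; the Node and ContinuousScan classes, the responder_auth() callback standing in for the Responder password or SNMP community string check, and the BASELINE, SCAN_1 and SCAN_2 data are all constructed for illustration.

```python
"""Baseline-diff intrusion detection in the style of Continuous Scan.

Added illustration, not LANsurveyor code. BASELINE, SCAN_1 and SCAN_2 are
constructed sample data; responder_auth() is an assumed stand-in for the
Responder password / SNMP community string check of the Responses tab.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Node:
    name: str    # empty when the host answers no name lookup
    ip: str      # empty when the host masks its IP address
    mac: str     # Ethernet address as reported; compared through norm_mac()
    switch: str  # SNMP-enabled switch the node was seen behind
    port: int    # switch port the node connects through


def norm_mac(mac: str) -> str:
    """Canonical form so 00-1A-2B-3C-4D-5E and 00:1a:2b:3c:4d:5e compare equal."""
    return mac.lower().replace("-", ":")


@dataclass
class Threat:
    when: datetime
    node: Node
    reason: str
    disabled: bool = False


class ContinuousScan:
    def __init__(self, baseline, authenticate):
        self.known = {norm_mac(n.mac): n for n in baseline}  # nodes accepted on the map
        self.authenticate = authenticate  # callable(Node) -> bool
        self.present = set(self.known)    # MACs seen on the previous pass
        self.threats = {}                 # normalised MAC -> Threat (the Threat List)
        self.session_log = []             # newest line first, like the Session Log window

    def _log(self, when, event, node):
        self.session_log.insert(0, (
            f"{when:%Y-%m-%dT%H:%M:%SZ} {event} mac={norm_mac(node.mac)} "
            f"ip={node.ip or '-'} switch={node.switch} port={node.port}"))

    def scan(self, seen, when):
        """One pass: log nodes on/off, report moves, flag new nodes; return new threats."""
        seen_by_mac = {norm_mac(n.mac): n for n in seen}
        new_threats = []
        for mac in sorted(self.present - set(seen_by_mac)):  # dropped off since last pass
            last = self.known[mac] if mac in self.known else self.threats[mac].node
            self._log(when, "OFF", last)
        for mac, node in seen_by_mac.items():
            if mac not in self.present:
                self._log(when, "ON", node)
            if mac in self.known:
                base = self.known[mac]
                if (base.switch, base.port) != (node.switch, node.port):
                    self._log(when, "MOVED", node)  # accepted address behind a new port
                    self.known[mac] = node          # report each move once, not every pass
                continue
            if mac in self.threats:
                continue                            # already on the Threat List
            if self.authenticate(node):
                self._log(when, "AUTH", node)
                self.known[mac] = node              # authenticated: join the baseline
            else:
                threat = Threat(when, node, "not on baseline map; failed authentication")
                self.threats[mac] = threat
                new_threats.append(threat)
                self._log(when, "THREAT", node)
        self.present = set(seen_by_mac)
        return new_threats

    def disable(self, mac):
        """Mark a Threat List entry disabled; return the switch and port to shut."""
        threat = self.threats[norm_mac(mac)]
        threat.disabled = True
        return threat.node.switch, threat.node.port


# --- constructed sample data ---------------------------------------------------
T1 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
T2 = datetime(2024, 5, 1, 9, 10, tzinfo=timezone.utc)
BASELINE = [
    Node("fileserver", "10.0.1.10", "00:11:22:33:44:01", "sw1", 1),
    Node("printer", "10.0.1.20", "00:11:22:33:44:02", "sw1", 2),
    Node("laptop-alice", "10.0.1.30", "00:11:22:33:44:03", "sw2", 5),
]
RESPONDER_HOSTS = {"00:11:22:33:44:04"}  # assumed: hosts that answer the Responder password


def responder_auth(node):
    return norm_mac(node.mac) in RESPONDER_HOSTS


SCAN_1 = [
    BASELINE[0],
    Node("printer", "10.0.1.20", "00:11:22:33:44:02", "sw1", 3),  # printer moved to port 3
    Node("", "", "00-1A-2B-3C-4D-5E", "sw2", 7),                  # masked IP, unknown MAC
]
SCAN_2 = SCAN_1 + [
    BASELINE[2],                                                     # laptop back on sw2/5
    Node("new-desktop", "10.0.1.40", "00:11:22:33:44:04", "sw2", 6), # new, authenticates
]

if __name__ == "__main__":
    cs = ContinuousScan(BASELINE, responder_auth)
    for t in cs.scan(SCAN_1, T1) + cs.scan(SCAN_2, T2):
        print("THREAT:", t.node.mac, t.node.switch, t.node.port)
    print("\n".join(cs.session_log))
```

The first pass lists the masked node as a threat, logs the laptop going off and the printer moving from port 2 to port 3; the second pass logs the laptop coming back and admits the new desktop after it authenticates, without listing it. The log lines are deliberately shaped like the syslog records Step 6 mentions, so a SIEM rule on "THREAT" or "MOVED" is a one-liner.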
