The Ins and Outs of Network Analyzers (Part 1)
Network analyzers represent significant threat to any network and detecting them presents a challenge. The risk lies when the analyzer is abused by an attacker allowing the attacker to gather sensitive information that passes through the network. The focus is on how network analyzers function and their typical characteristics and potential abusive modes.
The time has come and you really want to get to know your network. You know what it looks like on paper as you have drawn up the network diagrams. You know all the hardware that you have connected to the network. You are starting to wonder what this network looks like on the inside. The network "surgeon" also known as analyzer maybe the solution. This tool will give you x-ray vision into your network. Network analyzers make it incredibly challenging for an intruder to hide from a well trained eye. When monitoring your network for potential network security attacks it is vital that you use a protocol or network analyzer. These products are designed to dissect the protocols that are running on your network. These applications can be found in two formats either in hardware or in software form.
Network analyzers also called sniffers function as a tool to troubleshoot network problems, building up historical and statistical charts for viewing data in real-time. Some network analyzers have the ability of alerting you to potential developing problems or bottlenecks that are occurring real-time. Some network analyzers have the potential of capturing packet streams and they allow you to view these packet streams and edit them. This can present a potential security risk as some potential intruders or network users can use sniffers to inspect captured packets offline at an alternate location. The risks in this arena are colossal, as the intruder can read packets that are sent as pure text that have not been encrypted. Email, word documents, HTTP documents and any text containing files.
The hardware network analyzer.
Both protocol analyzers function in very much the same way with the major difference being that the hardware version is dedicated to the analyzing function and has multiple interface ports for various router and LAN media interfaces. The physical hardware analyzers also have the capabilities of splitting a cable and act as an in between device that inspects every single packet that leaves or enters the network. The hardware version also has features such as real-time printout, logging and multiple capture buffers that record onto the analyzers hard drive directly. Hardware analyzers are also adaptable to multiple topologies. Token ring, fiber, wireless and most other type of topologies found.
Figure 1a: The diagram above represents a typical Hardware snifffer and one of its many placement regions within the corporate network.
The software network analyzer.
Software network analyzers are typically similar to the software that is installed on the hardware version of the network analyzer but the interfaces that you have are only RJ45 Ethernet interfaces or RJ11 modem interfaces. It typically depends on the NIC that you are using and the interface that is supported by the software. Software based analyzers have the benefit of being lower cost compared to hardware analyzers because there is no hardware outlay and the software installs directly onto your typical desktop.
Figure 1b: The diagram above represents a typical software based sniffer scenario. I have added a red laptop with an orange screen to symbolize the software sniffer. The software type sniffer is considered the greatest security risk in an analysis attack type environment, an attacker can install the sniffing software onto any computer that has a promiscuous mode enabled NIC. A laptop will be the perfect getaway as it is very mobile and versatile making it extremely easy to hide and leave at the premises undetected.
The key to making sniffing less insightful.
Encrypt, encrypt, encrypt. If any information is sent over a network that can be sniffed then you should encrypt that data. This has always been good practice and should be employed when ever you store, transmit or share data that is potentially sensitive.
Passwords are often sent over a network unencrypted, be it your LAN, WAN or your dialup link to the local ISP. When you initiate an authentication process you are initiating a credential transfer and depending on the level of security that is employed by the application that you may use, the encryption level is agreed upon by both the server and the client. Typically the lowest encryption level that is supported by either party is used. Unless you specify on the server side that a particular level of encryption is necessary when transmitting passwords. Clear text is some times used and when using a network analyzer in packet capture mode you can sometimes see the passwords in clear text scrolling past. Choosing alpha numeric passwords and changing them often is not a strong enough practice, when network sniffers are involved as these applications quickly capture and display your credentials, this is if your authentication methods across the network are left unencrypted. There are some sniffers on the market that are dedicated to capturing network passwords only. Recommendation: try these sniffers on your local test lab LAN and see how many passwords are available to you when performing your day to day work. You will be amazed to see how many times your password is sent over the network.
If an intruder does get hold of your password, he can use it to relay chain letters off the mail server that may be protected by standard authentication. The mail relay authentication works by knowing that a valid user that is logged into the domain may send messages. Your password can also be used to forge email. Sending email as someone important is something that intruders like doing and many spam operations work on this principle alone. The intruder may also want to use your password to attack another user's machine once he has logged in with a valid username and sniffed password. This method is popular and is used because the intruder needs to gain access to the network or to an authorized account that can log onto the domain. The reason that smart cards have an advantage over normal non encrypted passwords is mainly because it verifies that you are really the one logging in and ensures that you clear text password will not be sniffed.
Intruder network analyzing can also be driven by greed. The more accounts the intruder sniffs the better chance he has of remaining undetected as he can jump form account to account.
If you have one login point and don't have to type in your password again after that, then you are most likely using a newer more secure authentication system that is more challenging to sniff. It is still recommended to run a network analyzer in capture mode and view what information is being sent.
Turn the x-ray off.
Kerberos enables secure authentication, no broadcast of your password will take place when using Kerberos enabled network services. In this way no exposure is afforded to sniffers. Using SSH (Secure Shell) also hides your password by using a form of secure encryption. This method is widely used on the internet and some administrators use it to administer firewalls across the world. There are applications and network analyzers that are sold on the internet that can actually trace and detect sniffers or machines that are running in promiscuous mode. If you are concerned about people sniffing your data it is recommended that you install one of these applications to counter the attack.
You can purchase NICs that cannot be put in promiscuous mode, this prevents computers from being hijacked and turned into sniffers. It is recommended that you use these NICs on machines that may be on the perimeter network or on more exposed machines. Good network infrastructure switches also have the capability of having their ports turn into "unsniff mode" port spanning. Port spanning enables all network traffic to be replicated to the port where the network analyzer resides. Remember to enable port spanning as this will ensure that you will be able to sniff all of the packets that are transacted on your network.
To give you some examples, here is a list of some of the data that should be encrypted.
- Sensitive HTTP traffic
- SQL queries
- ERP queries
- Replication requests
- POP mail
MSIE (Microsoft Internet Explorer)
Microsoft Internet Explorer makes full use of security protocols that are used by secure websites, if you visit a secure Web site, the websites certificate will be sent to you, and a lock icon will be displayed on the browsers status bar. The certificate is a declaration, verification and identity of a person or the security of a Web site. If you are about to send information (such as your credit card number) to an insecure site, Internet Explorer can warn you that the site is not secure. If the site claims to be secure but its security credentials are suspect, Internet Explorer can warn you that the site might have been tampered with or might be misrepresenting itself. Always check that the lock icon is displayed in the status bar before sending sensitive information either over the LAN, WAN or internet. This will ensure that encryption is used to keep the data secure while being transmitted.
Logging forensic evidence.
Some network analyzers can be set with templates that compare policies to the logged data and if particular events occur that match these filters you are alerted. This evidence can be captured and used as supporting reasons to take disciplinary or legal action against an intruder or potential attacker attempting a security breach. If you are running in environments that are extremely sensitive it is recommended that any network traffic that transacts is logged. This approach will render invaluable.
Insight through sniffing.
Sniffing does more than just permit you to capture packets and protocol statistics to view at a later stage, it gives you a window that looks deep into the security networking realm allowing you to see the matrix mesh for what it is. Packet analyzing lets you establish baselines and patterns that help you visualize your network, making the most complex networks seem simple. Most good protocol analyzers have filtering and post capturing features that help you in determining and identifying what machines are infected with worms like Nmidia or Code red. Network viruses typically have patterns that are characteristically unique for that specific type of virus. Good Network analyzers seamlessly decode these and inform you that you potentially may be infected by these viruses. A well trained security professional will also be able to pick this up when viewing the logs or analyzing the traffic patterns. It is particularly important to look at the way that machines interact with each other and what ports they may be talking on. Viruses sometimes have specific ports that they leverage off in order to replicate themselves through out the network.
Network analyzers can be used to evaluate and rectify network conditions that may occur. Ensure that your network analyzer supports logical node name mapping. This feature ensures that all of your MAC addresses are mapped to IP addresses then resolved to machine names. This small feature makes resolving security issues quite a lot easier as you can determine machines that should or should not be on your network.
Before promiscuous mode will work you must ensure that promiscuous mode is supported by each network adapter and by the input/output driver of the machines OS that you want to monitor. Some NICs have the option of disabling the promiscuous mode; ensure that the mode is enabled when monitoring that machine.
Promiscuous mode enables the NICs reception capabilities. This mode allows the adapter to receive all packets or frames on the network even if the frames and packets are not addressed to the adapter. When you install the network analyzer on your network the NIC of that machine will be setup for promiscuous mode this will tune the NIC into every computers "frequency" intercepting and reading all transmitted packets and frames.
Some companies have machines dedicated to the packet capture function. In organizations like banks and military concerns where forensic evidence may be critical, every packet frame and transmitted data may be logged. This information is then stored on the network storage devices and will be treated as a receipt of all data transactions that have taken place on the network. The space ramifications of this type of logging are great. Provisions must be made to accommodate the cataloguing of this data as the packet capture can clock up gigabytes of logs within hours. Filters can be applied to these logs that remove system generated traffic and some network analyzers have built in intelligence that have the capability of distinguishing traffic that can be discarded. Most good network analyzers let you specify what you would like to log. You can then later pull the necessary reports from the logs and see if any attempts have been made on your networks integrity. This is the principal that Some IDS applications use and the major difference is that IDS is real time and the network analyzer is not set or designed for the type of alerting that IDS does. If you are using a "Y" cable on a WAN interface the packets are transmitted to the network analyzer first and then to the router, NTU or leased line modem device. In this way the network analyzer intercepts all traffic that is sent over the WAN connection.
IT is advisable to use a hardware solution if you need to be 100% sure that all packets will be captured as some switches and routers may not forward the packets to the whole network. If spanning tree is enabled there should not be a problem sniffing.
In this article I have focused on the workings of a sniffer and how and where you should plan the placing of such a device or software on a corporate network. Sniffers are important tools that need to be handled with care and in the following article I highlight the significance of what avenue should be perused when choosing the right sniffer for your network.