
#13.

Monitoring and Diagnosing Networks


AGENDA
 Understanding Infrastructure Security
Introduction
 Network monitoring is nearly as old as data
communications. It is the process of using a
data-capture device or other method to intercept
information from a network. Network monitors
come in two forms: sniffers and intrusion
detection systems (IDSs). A sniffer lets you
examine the activity on your network; an IDS adds
intelligence to the process: it monitors system
logs, watches for suspicious activity, and raises
an alert (or, when paired with a response
capability, takes corrective action) when needed.
Monitors
 Network monitors, otherwise called sniffers,
were originally introduced to help troubleshoot
network problems. Simple network configuration
programs like IPCONFIG don’t get down on the
wire and tell you what is physically happening
on a network. Examining the signaling and
traffic that occurs on a network requires a
network monitor.
 Early monitors were bulky and required a great
deal of expertise to use. Like most things in the
computer age, they have gotten simpler,
smaller, and less expensive. Network monitors
are now available for most environments, and
they’re effective and easy to use.
 Today, a network-monitoring system usually
consists of a PC with a NIC (running in
promiscuous mode, so it accepts frames addressed
to other stations rather than only its own) and
monitoring software. On a switched network the
NIC still only sees what the switch forwards to
its port, so a mirror (SPAN) port or a tap is
needed to observe other stations’ traffic. The
software is menu driven, easy to use, and well
documented. The traffic a sniffer displays can
still become involved enough to require additional
technical material, which is available in print or
free on the Internet. With a few hours of work,
most people can make a network monitor work
efficiently and use the data it presents.
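The following is an added example, not part of the original slides: it decodes one Ethernet II / IPv4 / TCP frame of the kind a NIC in promiscuous mode hands to the monitoring software, using only the Python standard library, so the layering a sniffer displays is visible. The frame, MAC addresses and IP addresses are constructed for the example (documentation ranges); a real monitor would read frames from libpcap, tcpdump or Wireshark rather than build them.

```python
import ipaddress
import struct

# Constructed sample addresses (documentation ranges), not a real capture.
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
SRC_IP = "192.0.2.10"
DST_IP = "198.51.100.80"
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; yields 0 when run over a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame: bytes) -> dict:
    """Ethernet II header: 6-byte destination, 6-byte source, 2-byte EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(packet: bytes) -> dict:
    """IPv4 header; honours IHL for options and Total Length for trailing link-layer padding."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:total_len]}


def parse_tcp(segment: bytes) -> dict:
    """TCP header; data offset is in 32-bit words, flags are the low 9 bits of the same 16-bit field."""
    (sport, dport, seq, ack, off_flags, window,
     _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    flags = {name for bit, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << bit)}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "payload": segment[data_off:]}


def decode_frame(frame: bytes) -> dict:
    """Walk the layers the way a sniffer's decoder does: Ethernet -> IPv4 -> TCP."""
    result = {"ethernet": parse_ethernet(frame)}
    if result["ethernet"]["ethertype"] != ETHERTYPE_IPV4:
        return result  # ARP, IPv6 and so on are left undecoded in this example
    result["ip"] = parse_ipv4(result["ethernet"]["payload"])
    if result["ip"]["protocol"] == PROTO_TCP:
        result["tcp"] = parse_tcp(result["ip"]["payload"])
    return result


def build_sample_frame(data: bytes = b"GET / HTTP/1.0\r\n") -> bytes:
    """Constructed HTTP request frame (PSH+ACK). The TCP checksum is left 0: it needs a pseudo-header."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x18, 65535, 0, 0) + data
    src = ipaddress.IPv4Address(SRC_IP).packed
    dst = ipaddress.IPv4Address(DST_IP).packed
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                         PROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp


if __name__ == "__main__":
    decoded = decode_frame(build_sample_frame())
    print(decoded["ip"]["src"], "->", decoded["ip"]["dst"], sorted(decoded["tcp"]["flags"]))
    print(decoded["tcp"]["payload"])
```

The header checksum check matters on a monitor: a frame whose checksum does not verify is either corrupted on the wire or deliberately malformed, and either way deserves a closer look rather than a silent decode.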
Intrusion Detection
Systems
 An intrusion detection system (IDS) is software
that runs on either individual workstations
(host-based) or network devices (network-based)
to monitor and track activity. By using an IDS, a
network administrator can configure the system
to respond just like a burglar alarm. IDSs can be
configured to evaluate system logs, look for
suspicious network activity, and, when an active
response is enabled (the intrusion prevention
role), disconnect sessions that appear to violate
security policy.
 Many vendors have oversold the simplicity of
these tools. They’re quite involved and require
a great deal of planning and maintenance (rule
tuning, false-positive triage, log retention) to
work effectively. Many manufacturers are selling
IDSs with firewalls, and this area shows great
promise. Firewalls by themselves will prevent
many common attacks, but they don’t usually
have the intelligence or the reporting capabilities
to monitor the entire network. An IDS in
conjunction with a firewall gives you both a
preventive posture (the firewall blocks what policy
forbids) and a detective, reactive posture (the IDS
reports what got through or what looks wrong).
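An added example (not from the original slides) of the two kinds of logic an IDS applies when it evaluates system logs: a threshold rule that counts failed SSH logins per source address inside a sliding time window, and signature rules matched against HTTP request targets. The log lines, IP addresses, rule names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from a real system); IPs are documentation ranges.
AUTH_LOG = """\
Mar 10 11:58:30 bastion sshd[2001]: Failed password for root from 203.0.113.7 port 50990 ssh2
Mar 10 12:00:01 bastion sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 12:00:03 bastion sshd[2012]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 12:00:05 bastion sshd[2013]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 12:00:08 bastion sshd[2014]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 12:00:12 bastion sshd[2015]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Mar 10 12:00:20 bastion sshd[2016]: Accepted publickey for deploy from 198.51.100.23 port 40210 ssh2
Mar 10 12:05:00 bastion sshd[2030]: Failed password for deploy from 198.51.100.23 port 40211 ssh2
"""

ACCESS_LOG = """\
198.51.100.23 - - [10/Mar/2024:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:12:01:05 +0000] "GET /../../etc/passwd HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2024:12:01:06 +0000] "GET /login?user=a'%20OR%201=1-- HTTP/1.1" 200 80
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signature rules (constructed): a name and a pattern applied to the request target.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sqli-tautology", re.compile(r"(?i)('|%27)(\s|%20)*or(\s|%20)+1=1")),
]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Threshold rule: at least `threshold` failed logins from one source inside a sliding window."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
        src = m.group(3)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)                             # one alert per source, not one per line
            alerts.append({"rule": "ssh-bruteforce", "src": src,
                           "count": len(q), "last_seen": m.group(1)})
    return alerts


def detect_signatures(lines):
    """Signature rule: known-bad patterns in HTTP request targets."""
    alerts = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        src, _ts, _method, target, _status = m.groups()
        for name, pattern in SIGNATURES:
            if pattern.search(target):
                alerts.append({"rule": name, "src": src, "target": target})
    return alerts


def run_ids(auth_log=AUTH_LOG, access_log=ACCESS_LOG):
    """Run both detectors over the logs, as a host IDS evaluating system logs would."""
    return detect_bruteforce(auth_log.splitlines()) + detect_signatures(access_log.splitlines())


if __name__ == "__main__":
    for alert in run_ids():
        print(alert)
```

The sliding window is the part that needs tuning in practice: the first failure from 203.0.113.7 at 11:58:30 is more than 60 seconds before the burst and is correctly dropped, while the single failure from 198.51.100.23 never reaches the threshold. Too small a threshold or too long a window turns ordinary typos into alerts, which is the false-positive triage mentioned above.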
Securing Workstations and
Servers
 Workstations are particularly vulnerable in a
network. Most modern workstations, regardless
of their operating systems, communicate using
services such as file sharing, network services,
and application programs. Many of these
programs have the ability to connect to other
workstations or servers.
 These connections are potentially vulnerable to
interception and exploitation. The process of
making a workstation or a server more secure is
called platform hardening. The process of
hardening the operating system is referred to as
OS hardening. (OS hardening is part of platform
hardening, but it deals only with the operating
system.) Platform hardening procedures can be
categorized into three basic areas:
 Remove unused software, services, and processes
from the workstations (for example, remove the server
service from a workstation). Every service left running
is listening code an attacker can reach, so each one
creates an opportunity for exploitation.
 Ensure that all services and applications are up-to-
date (including available service packs and security
patches) and configured in the most secure manner
allowed. This may include assigning passwords, limiting
access, and restricting capabilities.
 Minimize information dissemination about the
operating system, services, and capabilities of the
system. Many attacks can be targeted at specific
platforms once the platform has been identified (for
example, from a service banner). Many operating systems
use default account names for administrative access.
If at all possible, these should be renamed. During a
new installation of Windows Vista or Windows XP, the
first user created is automatically added to the
Administrators group. Windows Vista goes one step
further and automatically disables the built-in
Administrator account once another account belonging
to the Administrators group exists.
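As an added example of the first hardening step (not from the original slides), the script below parses the output of Linux `ss -tlnp` and compares every listening socket against a baseline of what this workstation is allowed to expose, so that leftover services show up as findings rather than being discovered by an attacker's port scan. The `ss` output, the baseline (`ALLOWED`, `LOOPBACK_ONLY`) and the service names are constructed for the example; on a real host you would feed it the output of `subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout`, which needs root to show process names.

```python
import re

# Constructed `ss -tlnp` output for a workstation under review (not a real host).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1201,fd=5))
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1610,fd=6))
LISTEN  0       50      *:445                *:*                users:(("smbd",pid=1450,fd=30))
"""

# Hypothetical baseline for this workstation: what may listen, and where.
ALLOWED = {"sshd": {"22"}}                     # may listen on all interfaces, on these ports only
LOOPBACK_ONLY = {"postgres", "redis-server"}   # local use only; never on a routable address
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(output):
    """Turn `ss -tlnp` rows into dicts; the header row and non-LISTEN rows are skipped."""
    sockets = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 forms like [::]:22 intact
        m = PROC_RE.search(fields[5])
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        sockets.append({"addr": addr, "port": port, "proc": proc, "pid": pid})
    return sockets


def audit(sockets):
    """Compare each listener with the baseline and return the findings to act on."""
    findings = []
    for s in sockets:
        if s["proc"] in ALLOWED and s["port"] in ALLOWED[s["proc"]]:
            continue
        if s["proc"] in LOOPBACK_ONLY:
            if s["addr"] not in LOOPBACK:
                findings.append({**s, "issue": "should bind to loopback only",
                                 "action": "change the bind address or firewall the port"})
            continue
        findings.append({**s, "issue": "not in baseline",
                         "action": "disable and remove the service if unused"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_ss(SS_OUTPUT)):
        print(f"{f['proc']} (pid {f['pid']}) on {f['addr']}:{f['port']}: {f['issue']} -> {f['action']}")
```

Running this against the constructed output flags two things the slide's first bullet is about: a Samba server nobody asked for on port 445, and a local cache bound to every interface instead of loopback. The same allowlist idea works for Windows with `Get-NetTCPConnection -State Listen`.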
Understanding Mobile
Devices
 Mobile devices, including pagers and personal
digital assistants (PDAs), are popular. Many of
these devices use either RF signaling or cellular
technologies for communication. If the device
uses the Wireless Application Protocol (WAP),
in all likelihood security is not enabled on it;
and even where WAP’s transport security (WTLS)
is turned on, the traffic is decrypted at the WAP
gateway before being re-encrypted toward the
server, so the gateway sees it in the clear.
Understanding Remote Access
 One of the primary purposes for having a
network is the ability to connect systems. As
networks have grown, many technologies have
come on the scene to make this process easier
and more secure. A key area of concern relates
to the connection of systems and other networks
that aren’t part of your network. The following
sections discuss the more common protocols
used to facilitate connectivity among remote
systems.
Understanding Remote Access
 Using Point-to-Point Protocol: Introduced in
1994, Point-to-Point Protocol (PPP) offers
support for multiple network protocols including
IP, AppleTalk, IPX, and DECnet. PPP works with
POTS, Integrated Services Digital Network
(ISDN), and other faster connections such as
T1. PPP doesn’t provide data security (the link
is not encrypted), but it does provide
authentication using Password Authentication
Protocol (PAP), which sends the password in the
clear, or Challenge Handshake Authentication
Protocol (CHAP), which sends only a hash of the
secret and a challenge.
The next slide (a figure not reproduced here)
shows a PPP connection over an ISDN line. In the
case of ISDN, PPP would normally use one 64Kbps
B channel for transmission. Multilink PPP allows
several channels in a network connection (such as
the two B channels of a basic-rate ISDN line) to
be bonded together to form a single virtual
connection.
PPP works in phases. The Link Control Protocol
(LCP) establishes and configures the link and
negotiates which authentication protocol, if any,
the peer must use; the authentication itself is
then performed by PAP or CHAP. After that, a
Network Control Protocol (NCP) such as IPCP
configures each network-layer protocol carried
over the link, and the network traffic is
encapsulated in PPP frames. A PPP connection
allows remote users to log on to the network and
have access as though they were local users on
the network. PPP doesn’t provide any encryption
services for the channel.
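Added example (not from the original slides) of the CHAP exchange used in the authentication phase, with both sides in Python: the authenticator issues a one-byte Identifier and a random Challenge, the peer answers with MD5(Identifier || secret || Challenge) as specified in RFC 1994, and the authenticator recomputes and compares. The peer name and secret are constructed. The last function shows why an unencrypted PPP link still needs the circuit itself protected: a captured Challenge/Response pair can be guessed against offline without ever contacting the server again.

```python
import hashlib
import hmac
import secrets

# Constructed peer database on the authenticator (dial-in server) side; not real credentials.
PEER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 MD5-CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that holds the secrets and issues challenges."""

    def __init__(self, secrets_db):
        self._db = secrets_db
        self._next_id = 0
        self._pending = {}   # identifier -> outstanding challenge

    def challenge(self):
        ident = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF      # Identifier is a single byte
        chal = secrets.token_bytes(16)                   # fresh random value every time
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident, name, response):
        chal = self._pending.pop(ident, None)            # each challenge is single-use (no replay)
        secret = self._db.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


def run_chap(auth, name, secret):
    """The three-way exchange; returns (success, transcript), the transcript being what a sniffer sees."""
    ident, chal = auth.challenge()                       # 1. Challenge  (server -> peer)
    resp = chap_response(ident, secret, chal)            # 2. Response   (peer -> server)
    ok = auth.verify(ident, name, resp)                  # 3. Success / Failure
    return ok, {"identifier": ident, "name": name, "challenge": chal, "response": resp}


def guess_secret_from_capture(transcript, candidates):
    """Offline guessing against a captured pair: the weakness that makes an untapped circuit matter."""
    for cand in candidates:
        if chap_response(transcript["identifier"], cand, transcript["challenge"]) == transcript["response"]:
            return cand
    return None


if __name__ == "__main__":
    auth = Authenticator(PEER_SECRETS)
    ok, seen = run_chap(auth, "alice", PEER_SECRETS["alice"])
    print("authenticated:", ok)
    print("offline guess:", guess_secret_from_capture(seen, [b"password", b"letmein", PEER_SECRETS["alice"]]))
```

Two properties of the protocol are visible in the code: the secret itself never crosses the link (only its MD5 with the challenge does), and the authenticator must keep the plaintext secret to recompute the hash, which is why CHAP secrets cannot be stored as one-way hashes on the server.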
As you might have guessed, the unsecure
nature of PPP makes it largely unsuitable for
WAN connections on its own. To counter this,
other protocols have been created that take
advantage of PPP’s flexibility and build on it. A
dial-up connection using PPP works acceptably
because it isn’t common for an attacker to tap a
phone line. You should make sure all your PPP
connections use secure channels, dedicated
connections, or dial-up connections.
Remote users who connect directly to a system
using dial-up connections don’t necessarily
need to have encryption capabilities enabled. If
the connection is direct, the likelihood that
anyone would be able to tap an existing phone
line is relatively small. That reasoning holds
only as long as the circuit is physically
protected end to end; the moment any segment
crosses a shared network, a captured PPP session
exposes all of the traffic, and the CHAP
challenge/response pair it carries can be attacked
offline. So you should make sure that connections
through a network use an encryption-oriented
tunneling system.
Understanding Remote Access
 Working with Tunneling Protocols
Tunneling protocols add a capability to the
network: the ability to create tunnels between
networks that can be more secure, support
additional protocols, and provide virtual paths
between systems. The best way to think of
tunneling is to imagine sensitive data being
encapsulated in other packets that are sent
across the public network. Once they’re
received at the other end, the sensitive data is
stripped out of the carrier packets and reassembled
into its original form. Note that encapsulation by
itself hides nothing: the tunnel is only as secure
as the encryption and authentication the tunneling
protocol wraps around the inner packets.
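Added example (not from the original slides) of the encapsulation described above. The outer header layout is a simplified, GRE-like one made up for the example (flags, inner protocol type, tunnel key), the inner packet and the tunnel key are constructed, and the authenticated variant appends an HMAC-SHA256 tag so that forged or tampered packets are dropped at the far end. Encryption is deliberately left out because the Python standard library has no authenticated cipher; the point the last helper makes is that encapsulation, even with integrity protection, is not confidentiality, which is what IPsec or TLS adds in a real tunnel.

```python
import hashlib
import hmac
import secrets
import struct

PROTO_IPV4 = 0x0800
HDR = struct.Struct("!HHI")   # constructed outer header: flags, inner protocol type, tunnel key
TAG_LEN = 32                  # HMAC-SHA256 tag appended by the authenticated variant

# Constructed inner packet (IPv4-looking bytes with a sensitive payload) and pre-shared tunnel key.
INNER = (b"\x45\x00\x00\x2c" + b"\x00" * 8
         + bytes([10, 0, 0, 5]) + bytes([10, 0, 1, 9])   # inner src / dst (private addresses)
         + b"card=4111...")
TUNNEL_KEY = secrets.token_bytes(32)


def encapsulate(inner, tunnel_id, auth_key=None):
    """Wrap an inner packet in the outer tunnel header; with auth_key, append an HMAC over header+inner."""
    outer = HDR.pack(0x0000, PROTO_IPV4, tunnel_id) + inner
    if auth_key is not None:
        outer += hmac.new(auth_key, outer, hashlib.sha256).digest()
    return outer


def decapsulate(outer, auth_key=None):
    """Return (tunnel_id, inner) or None when the packet is malformed or fails authentication."""
    if auth_key is not None:
        body, tag = outer[:-TAG_LEN], outer[-TAG_LEN:]
        expected = hmac.new(auth_key, body, hashlib.sha256).digest()
        if len(tag) != TAG_LEN or not hmac.compare_digest(expected, tag):
            return None                                  # forged, replayed-with-edits, or unauthenticated
        outer = body
    if len(outer) < HDR.size:
        return None
    _flags, proto, tunnel_id = HDR.unpack_from(outer)
    if proto != PROTO_IPV4:
        return None                                      # only IPv4 is carried in this example
    return tunnel_id, outer[HDR.size:]


def eavesdropper_sees_payload(outer, marker):
    """What an on-path observer learns: without encryption the inner packet is readable in the carrier."""
    return marker in outer


if __name__ == "__main__":
    plain = encapsulate(INNER, tunnel_id=7)
    print("plain tunnel round-trip:", decapsulate(plain) == (7, INNER))
    print("eavesdropper reads card number:", eavesdropper_sees_payload(plain, b"card=4111"))
    authed = encapsulate(INNER, 7, TUNNEL_KEY)
    damaged = bytearray(authed)
    damaged[HDR.size + 12] ^= 0x01                       # flip a bit of the inner source address
    print("tampered packet accepted:", decapsulate(bytes(damaged), TUNNEL_KEY) is not None)
```

The tag covers the outer header as well as the inner packet, so an attacker can neither edit the encapsulated data nor move it between tunnels by rewriting the tunnel key; what they can still do is read it, which is why the slide's "can be more secure" depends on the tunneling protocol also encrypting.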
