Friday, 31 March 2023

Network Security Threats and Countermeasures-Network Analysis and Monitoring

In this session, you will learn:

  • Positioning your Machine at Appropriate Location
  • Network Traffic Signatures
  • Packet Sniffer: Wire-shark
  • Additional Packet Sniffing Tools
  • Network Monitoring and Analysis
  • Bandwidth Monitoring

Network Analysis

▪ Also known as traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping

▪ Process of capturing network traffic 

▪ Determine what is happening on the network

▪ Decodes the data packets 

▪ Displays the network traffic in readable format


Sniffer

▪ Monitors data traveling over a network

▪ Unauthorized sniffers are dangerous 

▪ Difficult to detect 

▪ Inserted almost anywhere

▪ Favorite weapon for hackers

▪ “Sniffer™” is a trademark owned by Network General 

▪ In general use, “sniffer” refers to any program that captures and analyzes network traffic.

Network Analyser 

▪ A standalone hardware device with specialized software, or software installed on a desktop or laptop computer. 

The differences between network analyzers depend on features such as:

o Number of supported protocols it can decode

o The user interface

o Its graphing and statistical capabilities 

o Inference capabilities 

o The quality of packet decodes.


A network analyser is composed of five basic parts:

▪ Hardware

o Most analysers are software-based and work with standard operating systems (OSs) and network interface cards (NICs) 

o Hardware analysers offer additional benefits such as analysing hardware faults 

o Support Ethernet or wireless adapters, or multiple adapters 

▪ Capture Driver

o Captures raw network traffic from the cable 

o Filters out unwanted traffic 

o The core of a network analyser

▪ Buffer

o stores the captured data

o data can be stored in a buffer until it is full, or in a rotation 

o Buffers can be disk-based or memory-based.

▪ Real-Time Analysis

o analyses data as it comes off the cable

o find network performance issues

o IDSs use it to look for signs of intruder activity.

▪ Decode

o displays the contents of the network traffic 

o specific to each protocol

o new decodes are constantly being added


Who Uses Network Analysis?

  • System administrators, Network engineers, Security engineers, System operators, Programmers 
  • Diagnosing and troubleshooting network problems, system configuration issues, and application difficulties
  • Development of software-based network analyzers
  • Convenient and affordable 
  • Intruders use network analysis for harmful purposes

Why Use Network Analysis?

How are Intruders Using Sniffers?

▪ Significant threat to the security of a network

▪ Capture confidential information

▪ “Sniffing” is not itself a negative term

▪ The terms sniffing and network analysis are used interchangeably

▪ Often installed as part of the compromise of a computer 

▪ Difficult to detect

Why are Intruders Using Sniffers?



Intruders use sniffers on networks for:

▪ Capturing clear-text usernames and passwords

▪ Discovering the usage patterns of the users on a network

▪ Compromising proprietary information

▪ Capturing and replaying Voice over IP (VoIP) telephone conversations

▪ Mapping the layout of a network

▪ Passive OS fingerprinting


How do Intruders Sniff?

▪ An intruder must first gain access to the communication cable 

▪ Same shared network segment or tapping into the cable 

▪ If not physically present at the target system or communications access point (AP), an intruder can gain access by

o Breaking into a target computer

o Breaking into a communications access point 

o Locating a system at the ISP 

o Using social engineering 

o Inside accomplice

o Redirecting or copying communications



Rootkit


▪ Sniffing programs are included with most rootkits 

▪ Rootkits are used to cover the tracks of an intruder by replacing commands and utilities and clearing log entries. 

▪ Windows sniffing can be accomplished as part of a Remote Admin Trojan (RAT) such as SubSeven or Back Orifice. 

▪ One example of a rootkit is “T0rnKit,” which works on Solaris and Linux. 

▪ Intruders may also use sniffer programs to control back


What does Sniffed Data Look Like?


Common Network Analysers


Packet Sniffer: Wireshark

▪ Wireshark is a network analyzer

▪ It reads packets from the network

▪ Decodes them 

▪ Easy-to-understand format

▪ Open source

▪ Actively maintained

▪ Free

▪ Distributed under the Gnu’s Not UNIX (GNU) General Public License (GPL) open-source license.

▪ Promiscuous and non-promiscuous capture modes

▪ Capture data 

▪ Easy-to-read 

▪ Rich display filter 

▪ Supports tcpdump format capture filters 

▪ Supports over 750 protocols

▪ Read capture files from over 25 different products

▪ Save capture files in a variety of formats 

▪ Capture data from a variety of media

▪ Command-line version of the network analyzer called tshark

▪ Supporting programs 

▪ Output can be saved or printed as plaintext or PostScript



History of Wireshark


▪ Gerald Combs developed Ethereal in 1997

▪ First version (v0.2.0) released in July 1998 

▪ Development team: Gilbert Ramirez, Guy Harris, and Richard Sharpe

▪ Patches, enhancements, and additional dissectors

▪ Dissectors allow Wireshark to decode individual protocols



The GNU Project (GNU's Not Unix)

▪ Developed in 1984 

▪ Free UNIX-like OS

▪ Linux, the “OS,” is often referred to as “GNU/Linux” 

▪ Run and sponsored by the Free Software Foundation (FSF)

▪ Richard Stallman wrote the GNU GPL in 1989

▪ It is copyleft (i.e., Copyleft: all rights reversed)

▪ Free software license 

▪ Based on similar licenses

▪ Copyleft is the application of copyright law 

▪ Copyright holder grants an irrevocable license 

▪ Legal consequences

▪ Cannot change the text of the GPL, can modify the GPL 

▪ Other licenses include the GNU Lesser GPL and the GNU Free Documentation License.

▪ A program that links to a GPL library is considered a derivative work


Compatibility

▪ Wireshark can read and process capture files 

▪ Including captures from other sniffers, routers, and network utilities

▪ Packet capture library (libpcap)-based capture format 

▪ Ability to read captures in a variety of other formats

▪ Determine the type of file it is reading 

▪ Uncompress GNU Zip (gzip) files. 

▪ Tcpdump

▪ Sun snoop and atmsnoop

▪ Microsoft NetMon

▪ Network Associates Sniffer and Sniffer Pro

▪ Shomiti/Finisar Surveyor

▪ Novell LANalyzer

▪ Cinco Networks NetXRay

▪ AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek

▪ RADCOM’s wide area network (WAN)/local area network (LAN) analyzer

▪ Visual Networks’ Visual UpTime

▪ Lucent/Ascend router debug output

▪ Toshiba’s Integrated Services Digital Network (ISDN) routers dump output

▪ Cisco Secure intrusion detection systems (IDS) iplog

▪ AIX’s iptrace

▪ HP-UX nettl

▪ ISDN4BSD project’s i4btrace output

▪ Point-to-Point Protocol Daemon (PPPD) logs (pppdump format)

▪ VMS’s TCPIPtrace utility

▪ DBS Etherwatch Virtual Memory System (VMS) utility

▪ CoSine L2 debug

▪ Accellent’s 5Views LAN agent output

▪ Endace Measurement Systems’ Electronic Remote Fill (ERF) capture format

▪ Linux BlueZ Bluetooth stack “hcidump -w” traces

▪ Catapult DCT2000

▪ Network Instruments Observer version 9

▪ EyeSDN Universal Serial Bus (USB) S0 traces


Supported Protocols

▪ A network analyzer reads raw data from the network 

▪ It must know how to interpret each protocol 

▪ Displays the output in an easy-to-read format

▪ This is protocol decoding

▪ 750 protocols

▪ New protocols added 

▪ Also known as dissectors



Filters

▪ Packets that meet requirements are displayed 

▪ Compare fields within a protocol against a value 

▪ Compare fields 

▪ Check the existence of specified fields or protocols 

▪ Statistical features 

▪ Colorize the packets

▪ Simple filter to search for certain protocol or field

The comparison operators can be expressed using the following abbreviations and symbols:



Three operators:

▪ Is Present allows you to test for the existence of a field 

▪ Contains allows you to search the data of a packet for a string or phrase

▪ Matches uses a regular expression (regex) string for more powerful pattern matching.
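The decode-then-filter flow described above, as an added example that is not part of the original notes or of Wireshark: a minimal Ethernet/IPv4/TCP dissector that exposes Wireshark-style field names, plus a tiny evaluator for the "is present", comparison, "contains" and "matches" clauses. The frames, addresses and field names are constructed for the example (checksums are left zero and not validated).

```python
import re
import struct

# Constructed sample frames (RFC 5737 documentation addresses; checksums are
# left as zero and not validated): IPv4/TCP with an HTTP request, and an ARP frame.
HTTP_FRAME = (
    bytes.fromhex("00112233445566778899aabb0800")                 # Ethernet II, type 0x0800
    + bytes.fromhex("450000380000400040060000c0000201c0000202")   # IPv4 192.0.2.1 -> 192.0.2.2
    + bytes.fromhex("c000005000000001000000005018020000000000")   # TCP 49152 -> 80, PSH/ACK
    + b"GET / HTTP/1.1\r\n"
)
ARP_FRAME = bytes.fromhex("ffffffffffff66778899aabb0806") + bytes(28)
FRAMES = [HTTP_FRAME, ARP_FRAME]

def dissect(frame):
    """Decode Ethernet II / IPv4 / TCP into Wireshark-style field names; bare
    protocol names (eth, ip, tcp) are recorded so "is present" tests work."""
    f = {"eth": True, "eth.type": struct.unpack("!H", frame[12:14])[0]}
    if f["eth.type"] != 0x0800:
        return f
    (vi, _tos, f["ip.len"], _id, _frag, f["ip.ttl"], f["ip.proto"], _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    f.update({"ip": True, "ip.src": ".".join(map(str, src)), "ip.dst": ".".join(map(str, dst))})
    if f["ip.proto"] != 6:
        return f
    t = 14 + (vi & 0x0F) * 4                      # TCP header starts after IHL*4 bytes
    f["tcp.srcport"], f["tcp.dstport"], f["tcp.seq"], _ack, off_flags = struct.unpack("!HHIIH", frame[t:t + 14])
    f.update({"tcp": True, "tcp.flags": off_flags & 0x1FF, "tcp.payload": frame[t + (off_flags >> 12) * 4:]})
    return f

def match(fields, expr):
    """Evaluate one display-filter clause: 'field' (is present), 'field == value',
    'field != value', 'field contains "text"' or 'field matches "regex"'."""
    m = re.fullmatch(r'(\S+)(?:\s+(==|!=|contains|matches)\s+(.+))?', expr.strip())
    if not m:
        raise ValueError("unsupported filter: " + expr)
    name, op, rhs = m.groups()
    if name not in fields:                        # absent field: every test fails
        return False
    if op is None:                                # bare name = "is present"
        return True
    value, rhs = fields[name], rhs.strip('"')
    if op in ("==", "!="):                        # numeric fields accept decimal or 0x hex
        equal = value == int(rhs, 0) if isinstance(value, int) else str(value) == rhs
        return equal if op == "==" else not equal
    text = value.decode("latin-1") if isinstance(value, bytes) else str(value)
    return rhs in text if op == "contains" else re.search(rhs, text) is not None

def display(frames, expr):
    return [i for i, fr in enumerate(frames) if match(dissect(fr), expr)]
```

Only the frames whose decoded fields satisfy the clause are "displayed"; the ARP frame has no ip or tcp fields, so any clause naming them fails for it.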


Network Traffic Shaping

▪ Used to control network traffic flow
o Allow management of existing network bandwidth
o High priority traffic is guaranteed bandwidth
▪ QoS policies examine network traffic details
o Source
o Destination
o Type of Traffic
o Time of Day
o Incoming/ outgoing router interface
▪ Network packets can be 
o Classified
o Prioritized
▪ Packets that don’t meet QoS policies 
o Don’t get dropped
o Are delayed
o Buffered 
o Queued by router
▪ Class-based Shaping
o Control outbound network traffic flow 
o Remote router target network interface
• This target interface speed factors into the policy configuration
▪ Typical traffic shaping examples
o Higher transmission priority for incoming traffic from company servers
o Higher transmission priority for outbound VoIP traffic
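The classify-prioritise-queue behaviour of the QoS policy above, as an added simulation that is not part of the original notes or of any router's configuration: packets are classified by type, direction, source address and time of day, each class has a priority and a shaped rate, and packets that exceed their class rate are delayed in a queue rather than dropped. The class names, rates, interface speed and sample packets are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed policy values (not from any vendor configuration): the first matching
# rule assigns the class; each class has a priority (0 = highest) and a shaped rate.
COMPANY_SERVERS = ipaddress.ip_network("192.0.2.0/24")
CLASSES = {                     # name: (priority, committed rate in bit/s)
    "voice": (0, 256_000),
    "servers": (1, 2_000_000),
    "best_effort": (2, 1_000_000),
}
TARGET_INTERFACE_BPS = 4_000_000    # speed of the remote router's target interface

def classify(pkt, hour):
    """Classify by traffic type, direction, source address and time of day."""
    if pkt["proto"] == "voip" and pkt["direction"] == "out":
        return "voice"
    if ipaddress.ip_address(pkt["src"]) in COMPANY_SERVERS and 8 <= hour < 18:
        return "servers"
    return "best_effort"

def shape(packets, hour=10):
    """Simulate a class-based shaper. Returns {packet id: (departure time, class)}.
    A packet is eligible once it has arrived and its class bucket permits a send;
    the highest-priority eligible packet goes first. Packets over their class rate
    are queued and delayed, never dropped. Link serialisation is modelled too."""
    pending = [(p, classify(p, hour)) for p in packets]
    next_allowed = defaultdict(float)   # per class: earliest time the bucket allows a send
    now, out = 0.0, {}
    while pending:
        eligible_at = lambda pc: max(pc[0]["t"], next_allowed[pc[1]])
        now = max(now, min(eligible_at(pc) for pc in pending))  # idle until something is eligible
        ready = [pc for pc in pending if eligible_at(pc) <= now]
        p, cls = min(ready, key=lambda pc: (CLASSES[pc[1]][0], pc[0]["t"]))
        pending.remove((p, cls))
        out[p["id"]] = (round(now, 6), cls)
        next_allowed[cls] = now + p["size"] * 8 / CLASSES[cls][1]
        now += p["size"] * 8 / TARGET_INTERFACE_BPS
    return out

# Constructed burst: five packets arriving together at t=0 (sizes in bytes).
SAMPLE = [
    {"id": "A", "proto": "voip", "direction": "out", "src": "198.51.100.5", "size": 200, "t": 0.0},
    {"id": "B", "proto": "http", "direction": "in", "src": "192.0.2.10", "size": 1500, "t": 0.0},
    {"id": "C", "proto": "smtp", "direction": "out", "src": "198.51.100.7", "size": 1500, "t": 0.0},
    {"id": "D", "proto": "smtp", "direction": "out", "src": "198.51.100.7", "size": 1500, "t": 0.0},
    {"id": "E", "proto": "voip", "direction": "out", "src": "198.51.100.5", "size": 200, "t": 0.0},
]
```

In the sample burst the second best-effort packet (D) waits until its class bucket refills, so it leaves last but is still delivered.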

Monitoring Network Bandwidth

▪ Understand normal network data flows 
▪ Intrusion detection and prevention systems 
▪ Monitor the network 
▪ Determine how the network is utilized 
▪ Throttle bandwidth
▪ Crucial for network capacity planning 
▪ Potential future needs 
▪ Prevent unnecessary spending
▪ Detecting denial of service attacks (DDoS)
▪ Traffic prioritization 
▪ VoIP vs. HTTP vs. SMTP
▪ Identify chatty hosts
▪ An infected host typically generates more traffic than normal 
Common network bandwidth monitoring tools include: 
▪ Netflow Analyzer
▪ Multi Router Traffic Grapher (MRTG) 
▪ BitMeter OS
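The bandwidth-monitoring checks listed above (baseline comparison, chatty or infected hosts, DoS detection, application mix for prioritisation, peak utilisation for capacity planning), as an added example that is not part of the original notes or of NetFlow Analyzer, MRTG or BitMeter OS. The flow records, baseline and port-to-application table are constructed for the example.

```python
from collections import Counter, defaultdict
# Constructed NetFlow-style records: (second, src, dst, dst_port, bytes).
# Addresses are documentation ranges; 192.0.2.0/24 is the "inside" network.
FLOWS = [
    (0, "192.0.2.21", "192.0.2.10", 80, 4000),
    (0, "192.0.2.21", "198.51.100.3", 5060, 12000),
    (1, "192.0.2.22", "203.0.113.7", 25, 90000),
    (1, "192.0.2.22", "203.0.113.8", 25, 95000),
    (2, "192.0.2.22", "203.0.113.9", 25, 88000),
    (2, "192.0.2.10", "192.0.2.21", 80, 150000),
] + [(3, "198.51.100.%d" % n, "192.0.2.10", 80, 500) for n in range(10, 16)]

# Constructed per-host baseline (bytes sent per window) learned from normal traffic.
BASELINE = {"192.0.2.10": 120_000, "192.0.2.21": 20_000, "192.0.2.22": 15_000}
APP_PORTS = {5060: "voip", 80: "http", 443: "http", 25: "smtp"}

def bytes_per_host(flows):
    """Total bytes sent by each source address in the window."""
    totals = Counter()
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    return totals

def app_mix(flows):
    """Bytes per application class (VoIP vs HTTP vs SMTP), the input to prioritisation."""
    mix = Counter()
    for _, _, _, port, nbytes in flows:
        mix[APP_PORTS.get(port, "other")] += nbytes
    return mix

def peak_bps(flows):
    """(second, bits) of the busiest one-second interval, for capacity planning."""
    per_sec = Counter()
    for sec, _, _, _, nbytes in flows:
        per_sec[sec] += nbytes * 8
    return max(per_sec.items(), key=lambda kv: kv[1])

def chatty_hosts(flows, baseline, factor=3.0):
    """Hosts sending more than factor x their baseline: a chatty or possibly infected host."""
    totals = bytes_per_host(flows)
    return sorted(h for h in totals if h in baseline and totals[h] > factor * baseline[h])

def dos_targets(flows, min_sources=5):
    """Destinations hit by at least min_sources distinct sources: a DDoS signal."""
    sources = defaultdict(set)
    for _, src, dst, _, _ in flows:
        sources[dst].add(src)
    return sorted(d for d, s in sources.items() if len(s) >= min_sources)
```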

NetFlow Analyser