The Ins and Outs of Network Analyzers

Post time 10-3-2004 06:00 AM
(Part 1)

Network analyzers represent a significant threat to any network, and detecting them presents a challenge. The risk lies when the analyzer is abused by an attacker, allowing the attacker to gather sensitive information that passes through the network. The focus is on how network analyzers function, their typical characteristics and potential abusive modes.

The time has come and you really want to get to know your network. You know what it looks like on paper as you have drawn up the network diagrams. You know all the hardware that you have connected to the network. You are starting to wonder what this network looks like on the inside. The network “surgeon

Author | Post time 10-3-2004 06:01 AM
Logging forensic evidence.

Some network analyzers can be set with templates that compare policies to the logged data, and if particular events occur that match these filters you are alerted. This evidence can be captured and used as supporting reasons to take disciplinary or legal action against an intruder or potential attacker attempting a security breach. If you are running in environments that are extremely sensitive, it is recommended that any network traffic that transacts is logged. This approach will prove invaluable.

Insight through sniffing.

Sniffing does more than just permit you to capture packets and protocol statistics to view at a later stage; it gives you a window that looks deep into the security networking realm, allowing you to see the matrix mesh for what it is. Packet analyzing lets you establish baselines and patterns that help you visualize your network, making the most complex networks seem simple. Most good protocol analyzers have filtering and post-capture features that help you in determining and identifying what machines are infected with worms like Nimda or Code Red. Network viruses typically have patterns that are characteristically unique for that specific type of virus. Good network analyzers seamlessly decode these and inform you that you potentially may be infected by these viruses. A well-trained security professional will also be able to pick this up when viewing the logs or analyzing the traffic patterns. It is particularly important to look at the way that machines interact with each other and what ports they may be talking on. Viruses sometimes have specific ports that they leverage in order to replicate themselves throughout the network.

Network analyzers can be used to evaluate and rectify network conditions that may occur. Ensure that your network analyzer supports logical node name mapping. This feature ensures that all of your MAC addresses are mapped to IP addresses and then resolved to machine names. This small feature makes resolving security issues quite a lot easier, as you can determine machines that should or should not be on your network.

NIC modes

Before promiscuous mode will work you must ensure that promiscuous mode is supported by each network adapter and by the input/output driver of the machine's OS that you want to monitor. Some NICs have the option of disabling promiscuous mode; ensure that the mode is enabled when monitoring that machine.

Promiscuous mode enables the NIC's reception capabilities. This mode allows the adapter to receive all packets or frames on the network even if the frames and packets are not addressed to the adapter. When you install the network analyzer on your network the NIC of that machine will be set up for promiscuous mode; this will tune the NIC into every computer's “frequency

Author | Post time 10-3-2004 06:07 AM
(Part 2)

A tool of the trade.

If you are responsible for network security, network topology, network troubleshooting or network communications, a network analyzer is the Swiss Army knife that will help you fix, view or lay out the network. A network analyzer is a tool of the trade, and if used as intended it can prove to be a most valuable tool that you possess in your tool box. Intruders always look for ways to misuse tools, and like any other tool a network analyzer in the wrong hands can have catastrophic consequences. The latest trend is detection of IDS and network analyzing devices. Once the intruder knows that these devices exist, they attack the devices, disabling them and then continuing the attack on the network. A sniffer probes the network with an active set of tools that simulates traffic, measures response times and troubleshoots problems. In this article I will focus on what you should look at when selecting your network sniffer.

What to look for in the sniffer as a tool.

The sniffer or protocol analyzer is a powerful, versatile network visibility tool. Most good sniffers boast a number of integrated functions that enhance your x-ray abilities.

1. Ensure that the sniffer has the capability to capture network traffic for comprehensive analysis at a later stage. This feature will help you to analyze the network problem when there is too much happening on your network at any given time. It allows you to take a snapshot of a designated period of time. The advantages of this feature are that you will be able to scroll through large amounts of data at your own pace and be able to use it as forensic evidence.

2. Look for the ability to monitor network activity in real time. This feature will also help you in making quick statistical analysis of the running collected data that the sniffer application may have composed since you enabled that feature. Monitoring in real time is also important as sometimes you pick up things that you would not have seen in the more comprehensive “Capture mode
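The posts above describe node name mapping, baselining which ports machines talk on, and quick statistical analysis of collected data. The sketch below is an added example, not part of the original thread, that applies all three to a batch of flow records; the inventory, the flow records and the fan-out threshold are constructed for illustration.

```python
"""Added example: node name mapping and per-port fan-out over captured flows."""
from collections import defaultdict

# Constructed inventory (node name mapping): MAC -> (IP, machine name).
INVENTORY = {
    "00:16:3e:00:00:0a": ("10.0.0.10", "ws-accounts"),
    "00:16:3e:00:00:0b": ("10.0.0.11", "ws-frontdesk"),
    "00:16:3e:00:00:05": ("10.0.0.5", "fileserver"),
}

# Constructed flow records: (source MAC, source IP, destination IP, port).
FLOWS = [("00:16:3e:00:00:0a", "10.0.0.10", "10.0.0.5", 445)] * 3
FLOWS += [("00:16:3e:00:00:0b", "10.0.0.11", f"10.0.1.{n}", 80)
          for n in range(1, 9)]
FLOWS += [("00:16:3E:00:00:99", "10.0.0.77", "10.0.0.5", 445)]


def node_name(mac, ip, inventory):
    """Map MAC -> IP -> machine name; None if the pair is not in inventory."""
    known = inventory.get(mac.lower())
    return known[1] if known and known[0] == ip else None


def analyze(flows, inventory, fanout_threshold=5):
    """Return (unknown_nodes, fanout_alerts) for a batch of flow records.

    unknown_nodes: sorted (mac, ip) pairs with no inventory match.
    fanout_alerts: sorted (node, port, distinct_destinations) where one
    source reached at least fanout_threshold hosts on the same port.
    """
    unknown = set()
    peers = defaultdict(set)  # (node label, port) -> distinct destination IPs
    for mac, src_ip, dst_ip, port in flows:
        name = node_name(mac, src_ip, inventory)
        if name is None:
            unknown.add((mac.lower(), src_ip))
        peers[(name or mac.lower(), port)].add(dst_ip)
    alerts = sorted((node, port, len(dsts))
                    for (node, port), dsts in peers.items()
                    if len(dsts) >= fanout_threshold)
    return sorted(unknown), alerts


if __name__ == "__main__":
    unknown_nodes, fanout_alerts = analyze(FLOWS, INVENTORY)
    for mac, ip in unknown_nodes:
        print(f"not in inventory: {mac} ({ip})")
    for node, port, count in fanout_alerts:
        print(f"fan-out: {node} reached {count} hosts on port {port}")
```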