Network Analysis: An Overview

The term "network analysis" is used to mean many different tasks and processes, depending on the context and the role of the person using the term. In strict computer science terms, network analysis involves the analysis of a network to describe its structure using graph theory, the optimization of those networks through the use of Critical Path Analysis, and the examination of traffic flow in the network.

More generally, the term network analysis is used in the examination framework, where software is used to analyze the structure and content of a network, as well as the traffic that is propagated on that network. Network analysis in this sense is usually performed by dedicated tools such as packet sniffers.

A more specific application of network analysis relates to security issues, both from a preventative and a corrective action viewpoint. With preventative network analysis, the network is examined for potential security issues. Corrective network analysis is employed after a security issue has been created and the method of security breach has to be determined.

While network analysis is a nebulous term, we can examine it more specifically in terms of network security here. It is important to keep in mind that network analysis is a scientific discipline in the sense that rigorous procedures can be followed to build a map of the network and its contents. There is also an art to network analysis, developed primarily through experience, whereby potential security issues are often identified more quickly through a high-level examination of the network than through a detailed scientific study.

Analysis Tools

There is a wide range of network analysis tools available for use, some relatively new and some that have been in existence for decades. It's worth taking a quick look at the various tools and their purposes here, then examining a few of the more useful ones in more detail later.

Among the most useful network analysis tools are:

· Packet Sniffers: a packet sniffer watches all traffic on a port and can log packet contents (especially things like passwords and credit card numbers that may not be encrypted)

· TCP Wrappers: TCP wrappers add an extra level of protection and diagnostics to network packets by adding more levels of encapsulation

· Nessus: designed for UNIX systems as a vulnerability assessment tool, Nessus has thousands of plugins that detect known issues. Constant updates keep this tool current with the latest threats and potential threats.

· Wireshark: Wireshark was known as Ethereal until mid-2006. Wireshark is one of the best open source network protocol analyzers available, allowing you to examine data from a live network or from a capture file.

· Snort: a lightweight network intrusion detection and prevention system. Snort uses protocol analysis and content searching, along with several preprocessors, to detect worms, exploit attempts, and port scans.

· Netcat: reads and writes data across TCP or UDP network connections to allow network routing and bottleneck diagnostics.

· Kismet: a wireless network detector, sniffer, and intrusion detection system. Kismet can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets.

· SATAN (Security Administrator's Tool for Analyzing Networks): a port scanning tool with a Web interface. SATAN is an older software package and many of its capabilities have been replicated in newer software, but SATAN remains a classic tool. A newer release called SAINT builds on SATAN.

· ISS (Internet Security Scanner): also a port-based scanner, it is much faster than SATAN or SAINT.

The complexity of networks has steadily increased over the last two decades. From simple Ethernet-connected local area networks with a single switch connecting to the communications backbone, networks evolved with the need to handle multiple LANs on a WAN and to provide multiple Internet access points, a WAN backbone, Remote Access Servers, and fail-over communications links. Increasing awareness of security issues introduced firewalls, while support for several protocols (such as IPX and NetBIOS/NetBEUI) in addition to TCP/IP added protocol conversion to the mix. Wireless technologies began appearing a decade ago and required a new approach to security, as well as a restructuring of network design and architecture.

Today, the demands of high-speed Internet access and road-warrior connections to a network, as well as data peripherals such as PDAs and Blackberry devices, have added yet more layers of complexity. The rise of e-commerce requires redundancy in firewalls, network connections, and server farms, all with fail-over capabilities to preserve connectivity with minimum downtime. With this evolution of networks, the demands on network administrators and security groups have changed too, requiring a continual reassessment of preventative and reactive measures.

Of all known network security issues, a majority have been based on packet sniffing, so it's worth looking at this subject in more detail below. Also, because it is a common network security issue, we'll look at Denial of Service (DoS) attacks as well.


Once networks have been set up properly, it is difficult for someone outside that network to discover the contents of the network and hence exploit resources of that network. However, the sad truth is that most networks are not set up properly, and it is very easy for an outsider to gain access to a network and network resources (including hard drives and their contents!). One of the easiest ways to do an analysis of a network, either from inside it for system administration purposes or from outside for snooping purposes, is the packet sniffer.

A packet sniffer (also called a network monitor or network analyzer) is intended to monitor and allow troubleshooting of network traffic by watching traffic flow and checking for illegal packets. Originally intended to allow for optimization of networks, so that bottlenecks of information did not slow the transfer of data between machines, packet sniffers were easily modified for less honest work. Although system administrators used packet sniffers on specific machines to watch traffic through that machine, more capable packet sniffers could be installed on gateways and routers and monitor an entire network, not to mention any traffic passing out of the network to the Internet or a remote LAN.

The simplest packet sniffer simply captures all the data that passes through the sniffer's location and analyzes the contents and the headers. By analyzing the headers, the packet sniffer can build up a picture of the network architecture, including the number of machines on the network, their IP addresses, where they sit in the network design, and the types of traffic each generates. By analyzing the content of the packets, packet sniffers can see all the data passing between these machines. (Although some packets will be encrypted, depending on the protocols in use, the vast majority of packets are unencrypted.) Packet sniffers are very good at picking up usernames and passwords, for example, which are almost always sent without protection.
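As an added illustration (not code from the original article), the following Python parses constructed Ethernet II/IPv4 frames the way a header-only sniffer would and builds the kind of host-and-service inventory the paragraph describes; the MAC addresses, IP addresses and frames are made up for the demo.

```python
import struct
from collections import Counter, defaultdict

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4=b""):
    """Assemble a minimal Ethernet II + IPv4 frame for the demo (constructed; checksums left at zero)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"           # EtherType 0x0800 = IPv4
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       ip(src_ip), ip(dst_ip))
    return eth + ipv4 + l4

def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip, proto_name, dst_port), or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    fmt = lambda raw: ":".join(f"{b:02x}" for b in raw)
    ihl = (frame[14] & 0x0F) * 4                                # IPv4 header length in bytes
    proto = frame[23]                                           # protocol field, offset 9 in IPv4
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    # TCP and UDP both carry the destination port in bytes 2-3 of their header
    dst_port = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
    name = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, f"proto{proto}")
    return fmt(frame[6:12]), fmt(frame[0:6]), src_ip, dst_ip, name, dst_port

def inventory(frames):
    """The picture a header-only sniffer builds: hosts with their MACs, and which services they contact."""
    hosts = defaultdict(set)
    services = Counter()
    for f in frames:
        p = parse_frame(f)
        if p is None:
            continue                                            # non-IPv4 or truncated frame
        src_mac, _dst_mac, src_ip, dst_ip, proto, dport = p
        hosts[src_ip].add(src_mac)
        if dport is not None:
            services[(dst_ip, proto, dport)] += 1
    return dict(hosts), services

def sample_frames():
    """Constructed traffic: two clients talking to a web server, plus one DNS lookup and one junk frame."""
    tcp80 = struct.pack("!HH", 40000, 80) + b"\x00" * 16        # minimal TCP header, dst port 80
    udp53 = struct.pack("!HHHH", 50000, 53, 8, 0)                # minimal UDP header, dst port 53
    return [
        build_frame("aa:bb:cc:00:00:05", "aa:bb:cc:00:00:01", "10.0.0.5", "10.0.0.1", 6, tcp80),
        build_frame("aa:bb:cc:00:00:06", "aa:bb:cc:00:00:01", "10.0.0.6", "10.0.0.1", 6, tcp80),
        build_frame("aa:bb:cc:00:00:05", "aa:bb:cc:00:00:53", "10.0.0.5", "10.0.0.53", 17, udp53),
        b"\x00" * 20,                                            # junk frame, ignored by the parser
    ]

if __name__ == "__main__":
    hosts, services = inventory(sample_frames())
    print(hosts, services)
```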

Packet sniffers can watch traffic, and more malicious versions of the software can even modify or forge packets, making transactions appear legal or changing data in a datagram. However, packet sniffers tend to be restricted to a given network (or, usually, just a subnet) and hence must be placed on a device in that subnet somehow. This is often done inadvertently by having a user run a Trojan or virus program, a very common occurrence. This eliminates the need for someone to gain access to a network device directly, and the packet sniffer itself can then forward information to a machine outside the subnet.

Packet sniffers are very hard to detect because most are passive, simply watching data flow and building up information that is maintained within the sniffer. If the packet sniffer does alter or forge data, its existence can usually be detected through checksums and audit systems, although most networks do not deploy these security practices all the time.

The easiest way to detect packet sniffers is to detect all software that runs in promiscuous mode, meaning the network interface accepts and examines all packets regardless of their intended destination. Most computer devices only accept traffic for a particular IP address, and hence are specific in the data they accept. A promiscuous device accepts all traffic, and forwards on most or all of it. However, promiscuous devices are detectable on a network, and a scan for such devices often leads to the detection of a packet sniffer.

To detect devices that operate in promiscuous mode, there are two common methods. The first is to examine the latency of the network before and after the suspect device, because a promiscuous-mode device examines every packet that passes through it, which increases that device's CPU load and slows the transit of packets through it. If a noticeable slow-down of traffic through the device is detected, there is a high probability it is in promiscuous mode. The second indicator relies on the fact that responses from applications on the promiscuous-mode device may be generated even for packets not addressed to that machine, since most application-layer programs do not check IP addresses. Therefore, an increase in response packets from applications tends to indicate promiscuous mode, too.

Promiscuous mode devices are used by many malware applications in order to perform ARP (Address Resolution Protocol) spoofing. In order to perform ARP spoofing, the device has to be maintained in promiscuous mode. Checking for MAC address cloning is a common way to detect ARP spoofing applications; this is easily accomplished using RARP (Reverse ARP), which will return more than one IP address for each MAC address if ARP spoofing is active. By detecting promiscuous mode machines, you can cut ARP spoofing attacks considerably.
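An added example (not from the original article) of the MAC-cloning check the paragraph describes: it walks a constructed log of ARP replies and reports any MAC that answers for more than one IP, plus, as a second indicator added here, any IP whose MAC changes mid-log. The addresses are made up for the demo.

```python
from collections import defaultdict

# Constructed ARP reply observations, (sender IP, sender MAC) in arrival order; not real traffic.
ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # default gateway
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.20", "00:11:22:33:44:20"),
    ("192.168.1.1",  "00:11:22:33:44:20"),   # host .20 now answers for the gateway's IP
    ("192.168.1.10", "00:11:22:33:44:10"),
]

def macs_with_multiple_ips(replies):
    """Indicator from the text: one MAC answering for several IPs suggests ARP spoofing / MAC cloning."""
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}

def ip_mac_changes(replies):
    """Added indicator: an IP whose MAC flips mid-log. Returns (ip, old_mac, new_mac) tuples."""
    seen = {}
    changes = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in seen and seen[ip] != mac:
            changes.append((ip, seen[ip], mac))
        seen[ip] = mac
    return changes

def report(replies):
    """Human-readable summary suitable for a periodic scan of the ARP cache or an ARP capture."""
    lines = [f"MAC {m} claims {sorted(i)}" for m, i in macs_with_multiple_ips(replies).items()]
    lines += [f"IP {ip} moved from {old} to {new}" for ip, old, new in ip_mac_changes(replies)]
    return lines or ["no ARP anomalies"]

if __name__ == "__main__":
    print("\n".join(report(ARP_REPLIES)))
```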

Denial of Service

DoS (Denial-of-Service) attacks are common on Web servers, and have been for many years. DoS attacks are insidious because they are very easy to launch (especially since "hacker toolkits" now allow even nonprogrammers to create DoS attacks) and they are very difficult (and in some cases impossible) to track to their source. Short of locking down a server completely, which also prohibits valid service requests, thwarting DoS attacks is a balance between watching incoming packets for intent and volume and managing the server's intended purpose.

The idea of a DoS attack is very simple: send more service requests to a server than it can handle, essentially locking out the machine from legitimate use or causing it to crash. A DoS attack program simply makes a connection to a server's service port and then drops the connection. By sending huge numbers of such requests, the attacker pushes the server to a point where it cannot service the requests and essentially becomes useless. A Distributed Denial of Service (DDoS) attack uses many source machines to bombard a target at once. In fact, a DDoS attack can bring down not just a single server but entire networks, or even an entire country's access to the Internet, if enough traffic is sent. While most people think DoS attacks are aimed exclusively at Web servers, in fact DoS attacks are most harmful when they are sent to backbone devices such as DNS servers, routers and gateways, and similar packet-handling devices.

Detecting a DoS attack is usually easy enough by monitoring server performance. Typically, a server can report service request numbers, and when these peak to levels where performance is impacted dramatically, a DoS attack should be suspected.

There are essentially five basic DoS attack models, each of which uses a slightly different approach to bring networks or servers down:

· overwhelming a device with requests for bandwidth, memory, CPU timeslices, and other physical resources (such as disk reads or writes) that exceed the device's capacity to service them

· disrupting existing activities on the device, such as resetting ports or TCP sessions

· modifying configuration details such as DNS routing tables

· altering the physical network behavior by causing resets or floods on network devices

· overwhelming access to the device with a flood of requests or data

There are several common variants of DoS attacks, the most common being ICMP floods. Also called smurf attacks, ICMP floods use ICMP packets sent to a range of network devices with the source IP address forged to be that of the target machine. Those network devices then respond with packets to the forged address, essentially flooding the target with seemingly valid requests for service. Ping floods and SYN floods are variants of the ICMP flood; they just use different packets to accomplish the same general task.
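To make the two detection points concrete (the service-request peak mentioned under detection above, and the smurf pattern of many ICMP echo replies arriving at a host that never sent the requests), here is an added Python example, not from the original article, run over a constructed packet summary; the thresholds and addresses are assumptions chosen for the demo.

```python
from collections import Counter, defaultdict

def sample_packets():
    """Constructed packet summary (t_seconds, proto, src, dst, kind); not a real capture."""
    pkts = []
    for t in range(4):                                  # baseline: a few TCP SYNs per second
        for i in range(5):
            pkts.append((t, "tcp", f"198.51.100.{i}", "10.0.0.80", "syn"))
    for i in range(200):                                # t=3: SYN burst from many sources
        pkts.append((3, "tcp", f"203.0.113.{i % 250}", "10.0.0.80", "syn"))
    pkts.append((1, "icmp", "10.0.0.80", "10.0.0.1", "echo-req"))   # legitimate ping out...
    pkts.append((1, "icmp", "10.0.0.1", "10.0.0.80", "echo-rep"))   # ...and its reply
    for i in range(40):                                 # 40 echo replies the host never asked for
        pkts.append((2, "icmp", f"192.0.2.{i}", "10.0.0.80", "echo-rep"))
    return pkts

def request_rate_alerts(packets, threshold=50):
    """Count service requests (TCP SYNs) per destination per second; flag windows over threshold."""
    per_window = Counter()
    for t, proto, _src, dst, kind in packets:
        if proto == "tcp" and kind == "syn":
            per_window[(int(t), dst)] += 1
    return sorted((t, dst, n) for (t, dst), n in per_window.items() if n > threshold)

def smurf_alerts(packets, min_sources=20):
    """Flag hosts receiving ICMP echo replies from many sources they never pinged (smurf signature)."""
    replies = defaultdict(set)
    requests = set()
    for _t, proto, src, dst, kind in packets:
        if proto != "icmp":
            continue
        if kind == "echo-rep":
            replies[dst].add(src)
        elif kind == "echo-req":
            requests.add((src, dst))
    alerts = []
    for victim, sources in replies.items():
        unsolicited = {s for s in sources if (victim, s) not in requests}
        if len(unsolicited) >= min_sources:
            alerts.append((victim, len(unsolicited)))
    return alerts

if __name__ == "__main__":
    pk = sample_packets()
    print(request_rate_alerts(pk), smurf_alerts(pk))
```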

Typically, network packet filtering is ineffective in halting DoS attacks as the filter will be overwhelmed in any DoS attack. A stateful packet filter that is resilient can be used to drop obviously malformed or illegitimate packets, and can help survive short-term and low-intensity DoS attacks, but even these filters get overwhelmed in a concerted attack especially when bandwidth becomes a limiting factor.

The best way to reduce the effectiveness of DoS attacks is to use a firewall which can perform packet analysis and discard invalid packets. However, in many cases a firewall cannot distinguish valid and invalid packets, allowing attacks to pass through the firewall. Also, firewalls tend to be placed after routers and gateways, and an attack on those network devices will effectively stop the network traffic before the firewall is involved.

To survive a DoS attack, it is best to plan in advance for such an occurrence. Plans can include such steps as reserving an alternate block of IP addresses for critical devices, allowing them to be switched over when an attack is detected so that service is maintained. Separate routing paths to key servers or network devices also provide the ability to reroute legitimate traffic.

Monitoring: SPAN and TAP

A common security issue is ensuring that packets passing on a network are not examined for content. Packet analysis can be performed by software such as packet sniffers, already examined, but getting copies of the packets often requires another piece of software that resides on a network switch (where it has access to many more packets than a computing device would, as well as less chance of detection; network switches also tend to be operational all the time, eliminating lost packets).

On a switch, there are two common attack methods used to obtain packets: SPAN (Switched Port Analyzer) and TAP (Test Access Point). Both SPAN and TAP create passive access to packet traffic, and hence are useful for malware.

SPAN is an intrusion detection system that can be used to discover port mirroring applications. A port mirror is software on a device such as a gateway, switch, or firewall that sends a copy of all network packets received at that device to another device (with switches, a copy of all traffic from one port is mirrored to another port, hence the name port mirroring). SPAN is typically associated with Cisco switches, since they are common targets of port mirroring software, but in theory any switch or network device can be a target.

TAPs create an access port between two network devices such as switches or routers, and can be used by monitoring software (or hardware, for diagnostic purposes) to collect packet data for analysis. Packet sniffers, protocol analyzers, and many network security applications function through the use of TAPs.

SPANs and TAPs can be used for the same purposes, but there are differences. A TAP receives copies of the network traffic but is not in-line with the network. With a TAP, there is no effect on the network latency or bandwidth. A SPAN-connected device does not necessarily see all network traffic, such as packets that are dropped at the receiving port for some reason (lower-layer errors, such as malformed packets or packets of illegal size, are good examples). Since a SPAN device does not get all traffic, it is not as useful for network analysis (and malware) as a TAP. From a network analysis point of view, a SPAN also does not allow bad packets to be detected, preventing proper diagnostics of the network.


A common approach to handling network security issues, as well as failures, is to build in redundancy. Most network disaster recovery plans and business continuity plans, such as those required by security standards such as ISO27001 and ITIL, hinge on redundancy. However, simply duplicating components of a network infrastructure to allow failovers is not sufficient from the security aspect because an attack on one type of device could be repeated on a failed-over device of the same type. For example, common DoS attacks on Cisco switches will perform exactly the same on a failed-over Cisco switch when the main device fails.

For this reason, many networks are now employing a heterogeneous mix of devices, allowing redundancy of service without redundancy of vendors. For example, a high-availability e-commerce system may be based on Windows machines running IIS in a server farm setup, but a vulnerability of those operating systems or web server means any replacement machines could be susceptible, so providing a Linux and Apache fail-over farm allows for better security. In the case of devices such as Internet gateways, the primary device may be from one vendor, but the fail-over device should be from another to eliminate attacks on those vendors specifically. Similarly, many networks employ Internet connections from more than one ISP to prevent loss of service through one vendor.

There are issues with this approach, of course, from a network management viewpoint. The most important issue is that having a heterogeneous network instead of one composed of devices from a few vendors increases the management tasks for updates and configuration. Also, interoperability is sometimes an issue. However, the increased reliability of such mixed-vendor failover network configurations usually balances the increased administrative issues.

Network analysis is a mandatory part of most network administrators' tasks, made more complex by the number of security issues that are involved. The fact that network intrusion systems use the same techniques and tools as a genuine network analyzer makes finding intrusions and malware more difficult. However, by proper analysis of a network, a good picture of the health and traffic patterns of the network can be built, and reanalysis at intervals allows changes to be highlighted.

Using network analysis tools such as the ones mentioned here helps you not only build up a picture of your network and its behavior, but also detect unwelcome applications examining your network traffic or using network resources for nefarious purposes. Detecting and removing those applications is a necessary part of every network administrator's tasks, and network scans need to be performed on a frequent and regular basis.