4.1. Monitoring the Network

The basics of network monitoring were introduced earlier (in Chapter 2). This chapter picks up that topic and examines more of the specifics and details of network monitoring.

Your network is vulnerable to all sorts of attacks and penetration efforts. Network-monitoring techniques help you track what is happening in your network. Monitoring can occur in real time (for example, when using a network sniffer) or by following events using log files and security systems (a task made simpler by using an intrusion detection system [IDS]).

More than likely, the building you occupy has a perimeter security system. This system might not keep a determined burglar from breaking in, but it will keep out most people. Most office buildings also have video cameras, motion detectors, and other devices to detect intruders and notify authorities about a break-in. In addition, your building probably has fire and smoke detectors, water sensors, and any number of other safety and security devices installed. All of this equipment, working together, provides a reasonably safe work environment. Your computers and network need the same sorts of things.

Network monitoring helps ensure a safe environment. You can help secure your computer's environment by installing tools to automatically monitor it and report unusual events that occur. You can monitor your network by reviewing system logs on a regular basis or by installing complex software that performs these activities for you and then reports anything unusual. This process is much like the fire-suppression system in your building. When a fire is detected, elevators return to the basement, sprinklers automatically activate, and the local fire department is notified. When a computer security breach occurs, the network needs to isolate the affected systems, notify the administrator(s), and even attempt (if necessary) to shut down the systems.

Monitoring your network on a regular basis is important to determine what types of events are occurring. Without this information, you're shooting in the dark. As a security professional, you should primarily deal with what is happening in your network as it occurs. You also want to establish preventive measures to reduce the fear of the unknown.

The following sections introduce you to the types of network traffic you'll encounter on most networks. These include a wide variety of protocols, such as TCP/IP, IPX, and NetBEUI. Each one operates with its own rules and methods. In general, these protocols don't interact with each other, and they're oblivious to the existence of the other protocols.

NOTE

With each passing day, it is harder and harder to find networking protocols in use other than TCP/IP. It has become the de facto networking protocol and is now the standard default in almost every operating system, including those from Microsoft and Novell. For the exam, however, you should know general information about all the protocols discussed in this book.

4.1.1. Recognizing the Different Types of Network Traffic

The following sections briefly explain the protocols and services that are common in networks. The most common protocol used in wide area networks (WANs) today is TCP/IP, which is why it is discussed first. Some networks also run protocols unique to Novell, Microsoft, Network File Systems, and AppleTalk, and these protocols are discussed as well. The following sections introduce you to these protocols and identify potential threats to your networks.

4.1.1.1. TCP/IP

As you might recall, the TCP/IP suite supports a wide variety of protocols used to transport information inside and outside the local area network (LAN). The protocols that are most susceptible to attacks are IP, TCP, UDP, ICMP, and IGMP, which were briefly mentioned in Chapter 2, "Identifying Potential Risks." The important thing to remember is that each of these protocols may be vulnerable because of the unsecure nature of TCP/IP or a weakness in the software manufacturer's implementation of the protocol.

It's important to know which TCP and UDP ports are open in order to understand what services your server is allowing.

NOTE

Lab 4.1 shows how to view the active TCP and UDP ports.

4.1.1.2. Novell Protocols

Novell, Inc., has long been a significant player in the network environment. Its NetWare product line was once the server network operating system (NOS) used throughout the majority of all office buildings. Novell is a longtime rival of Microsoft, and the company has a large and loyal following.

NetWare, a server-based networking environment/operating system, offers network protocols, services, and applications. NetWare is susceptible to DoS attacks, as are most TCP/IP-based environments. In addition to TCP/IP, NetWare supports two other proprietary protocols:


IPX/SPX

Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) are two of the proprietary protocols unique to Novell 4.x and earlier NetWare networks. IPX and SPX are still in use, but they're not as widespread as they once were. These protocols are fast, efficient, and well documented. They're also susceptible to communications interception using internal monitoring.

Microsoft desktop operating systems often include the ability to communicate using IPX/SPX so that the workstations can exist on NetWare-based networks. Because IPX/SPX is proprietary to Novell, Microsoft created NWLink, an IPX-/SPX-compatible protocol that it owns.


NDS and eDirectory

Novell introduced a directory management service called NetWare Directory Services (NDS) to manage all the resources in a network. The acronym NDS was later changed to Novell Directory Services. NDS provides a database of all network objects or resources. Figure 4.1 shows an NDS tree. The key point to remember here is that NDS is a network-based service. Notice that the NDS tree treats print devices, disk volumes, users, and groups as leaf objects, or resources, in the tree. Earlier versions of NetWare used bindery services; the bindery kept track of resources on a server-by-server basis.

Figure 4.1. A typical NDS tree structure

NOTE

Chapter 5, "Implementing and Maintaining a Secure Network," examines NDS and eDirectory.

In the most recent versions of NetWare, NDS has been expanded and renamed eDirectory. Novell changed the environment so that it now operates using TCP/IP as the native network protocol.

Novell also provides a number of applications, tools, and products that compare favorably to other network-based products. Two of the more popular Novell products are GroupWise, an e-mail and collaboration system similar to Microsoft Exchange, and a software and configuration distribution product known as ZENworks.

NOTE

The last version of NetWare to be released was 6.5. All versions above 5.0 use TCP/IP as their default networking protocol rather than IPX/SPX. Novell is now in the process of converting its products to Linux (which has always used TCP/IP as the default). Open Enterprise Server (OES) is a shell that runs on top of NetWare or Linux and allows Novell's remaining proprietary tools to run on both operating systems.

4.1.1.3. Microsoft Protocols

Microsoft and IBM were early leaders in PC network technologies. Early PC systems supported a rudimentary peer-to-peer networking environment that was fast and required little overhead. Of course, networks in those days were simple, and high levels of functionality weren't expected. The two original network protocols available for PCs were NetBIOS and NetBEUI.

The following sections include brief discussions of each of these protocols, plus Windows Internet Naming Service (WINS). Although WINS isn't technically a protocol, it's an integral part of the traffic on a Microsoft network.

NOTE

Over the years, Microsoft has introduced a number of other protocols and services to facilitate communication among Windows network systems. Microsoft has stated that future network products will utilize TCP/IP, which is now replacing most of these protocols.

4.1.1.3.1. NetBIOS

Network Basic Input Output System (NetBIOS) is the native protocol of Windows PCs. NetBIOS provides a 15-character naming convention for resources on the network. It's a broadcast-oriented network protocol in that all traffic is available to all devices in a LAN. The protocol can be transported over NetBEUI, TCP/IP, or IPX/SPX.

The biggest vulnerability with NetBIOS is that it opens ports for file and print sharing. These ports (which can include 135 through 139 and 445) can be accessed across the Internet as well as by devices on the local LAN.
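A worked check for this point and for the earlier reminder that you should know which TCP and UDP ports are open (an added example, not code from the book): it parses `ss -tulpn`-style listening-socket output and flags the NetBIOS/SMB ports when they are bound to every interface, or any other wildcard listener outside an assumed approved baseline. The sample output, process names and the baseline are constructed for the example.

```python
# Added example (not from the book): parse `ss -tulpn`-style output and flag
# listening sockets outside an approved baseline or exposing NetBIOS/SMB
# ports (135-139, 445) on every interface. Sample output is constructed.
import re
from collections import namedtuple
Listener = namedtuple("Listener", "proto addr port process")

# Constructed sample of `ss -tulpn` output (process names are made up).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:137         0.0.0.0:*         users:(("nmbd",pid=611,fd=16))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=402,fd=3))
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=615,fd=36))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=700,fd=5))
tcp   LISTEN 0      128    [::]:80             [::]:*            users:(("nginx",pid=812,fd=6))
"""
# NetBIOS/SMB ports named in the chapter text.
NETBIOS_SMB_PORTS = {135, 136, 137, 138, 139, 445}
# Ports this server is expected to expose (an assumption for the example).
APPROVED = {("tcp", 22), ("tcp", 80)}
LINE_RE = re.compile(r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?')

def parse_listeners(text):
    """Return one Listener per socket line; the header line is skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, proc = m.groups()
            out.append(Listener(proto, addr, int(port), proc or "?"))
    return out

def is_wildcard(addr):
    """True when the socket is bound to every interface (IPv4 or IPv6)."""
    return addr in ("0.0.0.0", "[::]", "*")

def audit(listeners, approved=APPROVED):
    """Return (severity, message) findings for a reviewer to act on."""
    findings = []
    for lst in listeners:
        if lst.port in NETBIOS_SMB_PORTS and is_wildcard(lst.addr):
            findings.append(("high", f"{lst.proto}/{lst.port} ({lst.process}) NetBIOS/SMB port on all interfaces"))
        elif (lst.proto, lst.port) not in approved and is_wildcard(lst.addr):
            findings.append(("medium", f"{lst.proto}/{lst.port} ({lst.process}) not in approved baseline"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"[{sev}] {msg}")
```

Loopback-only listeners (such as the database on 127.0.0.1 above) are deliberately left out of the findings, since they are not reachable from the LAN or the Internet.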

4.1.1.3.2. NetBEUI

The NetBIOS Extended User Interface (NetBEUI) is used to transport NetBIOS traffic in a LAN. NetBEUI and NetBIOS were originally packaged as a single product, beginning with the release of Windows for Workgroups. As network technologies advanced, NetBIOS was turned into a separate protocol. Figure 4.2 shows a network running only NetBEUI.

Figure 4.2. NetBEUI network using a VPN over a TCP/IP network

NetBEUI is a nonroutable protocol, meaning that it can't be sent across routers. NetBEUI traffic is easy to intercept internally using a network sniffer.

4.1.1.3.3. WINS Service

The Windows Internet Naming Service (WINS) translates NetBIOS names to TCP/IP addresses. WINS runs as a service on a server. It provides name translation for networks, similar in nature to DNS. If WINS isn't available, a Windows system can use a local file, LMHOSTS, to resolve NetBIOS names to TCP/IP addresses. In Figure 4.3, a WINS server resolves NetBIOS names to TCP/IP addresses in a LAN. In Windows Server products, this resolution process has been coupled with DNS.

Figure 4.3. WINS Server resolving TCP/IP addresses to names

Because WINS provides a service to any client that requests information from it, it's susceptible to DoS attacks. When left unpatched, it has also been subject to remote code execution vulnerabilities.

4.1.1.4. Network File System Protocol

Network File System (NFS) is the default file-sharing protocol for Unix systems. NFS allows a remote user to mount drives on a machine in the network. To be secure, NFS requires special configuration and is, in many ways, more of a Linux+ topic than Security+. NFS is equivalent to Distributed File System (DFS), which tends to exist outside of the Unix world. Figure 4.4 shows a remote system mounting a drive on a local machine using NFS.

Figure 4.4. An NFS device being mounted by a remote Unix system

NOTE

NFS is also discussed in Chapter 5.

4.1.1.5. The Apple Protocol

Apple Computer has been a network player for many years. The Apple networking protocol, AppleTalk, is a routable protocol (although it has a lot of routing overhead), and it has been a standard on Apple computers and Apple printers for many years. Most manufacturers of network products support the AppleTalk protocol, which isn't intended for secure applications. Modern Macintosh systems can also use TCP/IP for connections.

Most of AppleTalk's vulnerabilities don't center around the protocol itself, but instead are exploitations of programs that offer this service. For example, there are known vulnerabilities with programs that allow Linux to offer AppleTalk, but those weaknesses are with the programs themselves and not with AppleTalk per se.

4.1.2. Monitoring Network Systems

Several monitoring mechanisms are available to track traffic. Monitoring can occur on individual systems, on servers, or as a separate component of the network. The connection used when monitoring occurs on a network is called a tap. Figure 4.5 illustrates some of the places where a network tap can occur. Each location presents a different view of the network. For an effective security process, multiple taps are probably needed.

Figure 4.5. Tap locations used to monitor network traffic

Your system faces both internal and external threats. If all your monitoring activities are oriented toward external threats, discovering internal security breaches as they occur may be difficult. You must always strive to achieve a good balance between the two and be willing to increase measures in one direction or another as needed. For example, should you learn that the company is about to downsize 25 percent of the workforce, then it would be prudent to increase security measures targeted at minimizing internal breaches. Following a rash of intrusions at companies in the same business as yours, increasing external security measures should be the top priority.

Always remember that common sense is the most important tool you have in answering exam questions as well as facing real-world scenarios.


In a busy network, identifying the types of activities that are occurring is difficult because of the sheer volume of traffic. Heavy traffic makes it necessary to dedicate personnel to monitoring. Network activity is also reported in system logs and audit files. Although it's a good practice to periodically review these files, doing so can be a daunting and extremely boring undertaking. Automated tools, which make this process more manageable, are coming to the market.
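As an added example (not from the book) of the kind of automated review this paragraph describes, the script below makes a first pass over constructed sshd log lines, flags any source with a burst of failed logins inside a short window, and labels each source as internal or external so the reviewer can keep the balance between internal and external threats discussed above. Hostnames, times, addresses and the threshold are assumptions made for the example.

```python
# Added example (not from the book): automated first pass over auth logs that
# groups failed logins by source, flags bursts, and labels internal/external.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed syslog-style lines (hosts, times and addresses are made up).
SAMPLE_LOG = """\
Mar 12 02:14:01 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 02:14:03 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 12 02:14:06 srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 12 02:20:00 srv1 sshd[1240]: Accepted password for jsmith from 10.0.5.22 port 40110 ssh2
Mar 12 09:01:10 srv1 sshd[1302]: Failed password for jsmith from 10.0.5.22 port 40201 ssh2
Mar 12 09:45:10 srv1 sshd[1330]: Failed password for jsmith from 10.0.5.22 port 40202 ssh2
"""
FAILED_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+')
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_failures(text, year=2024):
    """Yield (timestamp, user, source) for each failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def origin(src):
    """Label the source internal (RFC 1918 ranges) or external."""
    ip = ipaddress.ip_address(src)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def find_bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {source: (origin, count, users)} for every source with at least
    `threshold` failures inside one `window`-long span (sliding window)."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        by_src[src].append((ts, user))
    bursts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                bursts[src] = (origin(src), end - start + 1, users)
    return bursts
```

The two internal failures 44 minutes apart are not flagged under the default window; widening the window or lowering the threshold is how a reviewer would tune the check for a quieter network.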
