Prevent Hacks with Network Analyzers

By Kevin Beaver

A network analyzer is a tool that allows you to look into a network and prevent hacks by analyzing data going across the wire for network optimization, security, and/or troubleshooting purposes. A network analyzer is handy for sniffing packets on the wire. It works by placing the network card in promiscuous mode, which enables the card to see all the traffic on the network.

The network analyzer performs the following functions:

  • Captures all network traffic

  • Interprets or decodes what is found into a human-readable format

  • Displays the content in chronological order

When assessing security and responding to security incidents, a network analyzer can help you

  • View anomalous network traffic and even track down an intruder.

  • Develop a baseline of network activity and performance, such as protocols in use, usage trends, and MAC addresses, before a security incident occurs.

When your network behaves erratically, a network analyzer can help you

  • Track and isolate malicious network usage

  • Detect malicious Trojan horse applications

  • Monitor and track down DoS attacks

Network analyzer programs

You can use one of the following programs for network analysis:

  • WildPackets’ OmniPeek does everything you need and more and is very simple to use. OmniPeek is available for Windows operating systems.

  • TamoSoft’s CommView is a low-cost, Windows-based alternative.

  • Cain & Abel is a free multifunctional password recovery tool for performing ARP poisoning, capturing packets, cracking passwords, and more.

  • Wireshark, formerly known as Ethereal, is a free alternative. It’s not as user-friendly as most of the commercial products, but it is very powerful if you’re willing to learn its ins and outs. Wireshark is available for both Windows and OS X.

  • ettercap is another powerful utility for performing network analysis and much more on Windows, Linux, and other operating systems.

Here are a few caveats for using a network analyzer:

  • To capture all traffic, you must connect the analyzer to one of the following:

    • A hub on the network

    • A monitor/span/mirror port on a switch

    • A switch that you’ve performed an ARP poisoning attack on

  • If you want to see traffic similar to what a network-based IPS sees, you should connect the network analyzer to a hub or switch monitor port on the outside of the firewall. This way, your testing enables you to view

    • What’s entering your network before the firewall filters eliminate the junk traffic.

    • What’s leaving your network after the traffic passes through the firewall.


It can be an overwhelming amount of information, but you can look for these issues first:

  • Odd traffic, such as:

    • An unusual amount of ICMP packets

    • Excessive amounts of multicast or broadcast traffic

    • Protocols that aren’t permitted by policy or shouldn’t exist given your current network configuration

  • Internet usage habits, which can help point out malicious behavior of a rogue insider or system that has been compromised, such as:

    • Web surfing and social media

    • E-mail

    • Instant messaging and other P2P software

  • Questionable usage, such as:

    • Many lost or oversized packets, indicating hacking tools or malware are present

    • High bandwidth consumption that might point to a web or FTP server that doesn’t belong

  • Reconnaissance probes and system profiling from port scanners and vulnerability assessment tools, such as a significant amount of inbound traffic from unknown hosts — especially over ports that aren’t used very much, such as FTP or telnet.

  • Hacking in progress, such as tons of inbound UDP or ICMP echo requests, SYN floods, or excessive broadcasts.

  • Nonstandard hostnames on your network. For example, if your systems are named Computer1, Computer2, and so on, a computer named GEEKz4evUR should raise a red flag.

  • Hidden servers that might be eating network bandwidth, serving illegal software, or accessing your network hosts.

  • Attacks on specific applications that show such commands as /bin/rm, /bin/ls, echo, and cmd.exe as well as SQL queries and JavaScript injection.

  • If your network analyzer permits it, configure it to use a first-in, first-out buffer.

  • If your network analyzer permits it, record all the traffic into a capture file and save it to the hard drive. This is the ideal scenario — especially if you have a large hard drive, such as 500GB or more.

  • When network traffic doesn’t look right in a network analyzer, it probably isn’t. It’s better to be safe than sorry.

You can also check for the top talkers on the network. If someone is doing something malicious on the network, such as hosting an FTP server or running Internet file-sharing software, using a network analyzer is often the only way you’ll find out about it. A network analyzer is also a good tool for detecting systems infected with malware, such as a virus or Trojan horse.


Looking at your network statistics, such as bytes per second, network utilization, and inbound/outbound packet counts, is also a good way to determine whether something fishy is going on.
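As an added example (not code from the original article), here is a small Python triage script that runs the checks described above, an excessive ICMP share, SYN-heavy sources, probes to the rarely used FTP and telnet ports, and the top talkers by bytes, over a constructed packet summary in the kind of CSV Wireshark can export; the column names, sample rows and thresholds are assumptions.

```python
"""Triage a packet summary: flag ICMP-heavy traffic, SYN floods, probes to
rarely used ports, and list the top talkers by bytes sent."""
import csv
import io
from collections import Counter

# Constructed sample in a CSV layout like Wireshark's
# File > Export Packet Dissections > As CSV (column names are an assumption).
SAMPLE_CSV = """time,src,dst,proto,dport,syn,ack,length
0.01,10.0.0.5,10.0.0.9,tcp,443,1,0,74
0.02,10.0.0.9,10.0.0.5,tcp,51000,1,1,74
0.03,10.0.0.5,10.0.0.9,tcp,443,0,1,1400
0.04,10.0.0.5,10.0.0.9,tcp,443,0,1,1400
0.05,203.0.113.7,10.0.0.9,tcp,21,1,0,60
0.06,203.0.113.7,10.0.0.9,tcp,23,1,0,60
0.07,203.0.113.7,10.0.0.9,tcp,443,1,0,60
0.08,203.0.113.7,10.0.0.9,tcp,443,1,0,60
0.09,203.0.113.7,10.0.0.9,tcp,443,1,0,60
0.10,10.0.0.7,10.0.0.1,icmp,,,,98
0.11,10.0.0.7,10.0.0.2,icmp,,,,98
0.12,10.0.0.7,10.0.0.3,icmp,,,,98
"""

# Ports the article singles out as rarely used and therefore worth a look.
RARE_PORTS = {"21": "ftp", "23": "telnet"}


def triage(csv_text, icmp_share=0.2, syn_limit=3, top_n=3):
    """Return findings for one capture summary; thresholds are assumed defaults."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    total = len(rows)
    bytes_by_host = Counter()  # bytes sent per source address (top talkers)
    icmp = 0
    half_open = Counter()      # SYNs without ACK per source (SYN flood signal)
    probes = set()             # (source, service) pairs hitting rare ports
    for r in rows:
        bytes_by_host[r["src"]] += int(r["length"])
        if r["proto"] == "icmp":
            icmp += 1
            continue
        if r["syn"] == "1" and r["ack"] == "0":
            half_open[r["src"]] += 1
        if r["dport"] in RARE_PORTS:
            probes.add((r["src"], RARE_PORTS[r["dport"]]))
    return {
        "top_talkers": bytes_by_host.most_common(top_n),
        "icmp_excessive": total > 0 and icmp / total > icmp_share,
        "syn_flood_sources": sorted(h for h, n in half_open.items() if n >= syn_limit),
        "rare_port_probes": sorted(probes),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_CSV).items():
        print(f"{name}: {finding}")
```

On a real export, feed the file contents to triage() and tune the thresholds against the baseline you recorded before any incident.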


TamoSoft — the maker of CommView — has another product called NetResident that can track the usage of well-known protocols, such as HTTP, e-mail, FTP, and VoIP. You can use NetResident to monitor web sessions and play them back.


NetResident also has the capability to perform ARP poisoning, which allows NetResident to see everything on the local network segment.

Network analyzer detection

You can use a network- or host-based utility to determine whether someone is running an unauthorized network analyzer on your network.

Certain IPSs can also detect whether a network analyzer is running on your network. These tools enable you to monitor the network for Ethernet cards that are running in promiscuous mode. You simply load the programs on your computer, and the programs alert you if they see promiscuous behaviors on the network (Sniffdet) or local system (PromiscDetect).