
Using Network Troubleshooting Tools to Help with Network Security

Solving Real-World Security Problems with Sniffer Portable and Sniffer Distributed
EXECUTIVE WHITEPAPER
Created by: Vic Lomet, Dave Klein, Dan Wasson, Jim Magdych, John Pither, Daniel Ku, Nipank Mehta, Rick Pither, Gretchen Hellman

Edited by:

Table of Contents (page)

Overview ... 2
Breakdown of a Network Intrusion ... 3
    Preventive Measures You Can Take
    Top Network Attacks and the Best Tools to Help You Detect and/or Combat Them
    Before the Attack
    During the Attack
    After the Attack
The Value of Sniffer and Expert Analysis ... 7
    Sniffer Distributed
    How Sniffer Distributed differs from Intrusion Detection Systems
    Wireless Sniffer and Wireless Security
Examples of How to Utilize Sniffer Technology During an Attack ... 10
    Filters
        Nimda, Code Red, etc.
    Security Triggers/Alarms
        Excessive Logins to Mission Critical Servers
        Access to Mission Critical Servers
        Denial of Service (DoS)
How to Use Sniffer for Post Analysis ... 15
Summary ... 15
Appendix A & B
    Article on White House: Prepare for Super Hackers
    A Bill to amend the IRS Code of 1986 to allow businesses to expense qualified security devices, Securing America Investment Act of 2001

Overview
With 30 percent of the global economy driven by e-business, attacks on networks are becoming more frequent, more varied, and more costly. The need for increased protection of information assets in storage, in transit, and during access has driven companies to look to vendors for products that ensure their privacy is protected. This threat is so important that in October 2001 President Bush created the position of Special Advisor for Cyber Security and appointed Richard Clarke to it; the Special Advisor reports directly to the Director of Homeland Security and to the National Security Advisor (see Appendix A). Additionally, a Bill has just been introduced that would amend the IRS code of 1986 to allow businesses to expense qualified security devices (see Appendix B).

Many IT organizations, especially in tough economic times, are trying to get more out of what they already have and are asking vendors for more security functionality in the products already installed in their networks. Whether you are an individual, a corporation, a healthcare or academic institution, a bricks-and-mortar enterprise, an e-business site, or a government agency, Sniffer Technologies can help you protect your privacy while continuing to help you maintain high-performance networks and eliminate downtime.

Sniffer is a proven and extremely robust tool for network monitoring and troubleshooting; many people do not know, however, that Sniffer also plays a significant role in network security. Simply put, every network intrusion has three phases: before, during and after the attack. Sniffer Technologies can help by complementing your existing security tools for responding to attacks in progress and for post-attack analysis. When deployed within a network, Sniffer Distributed can help identify network intrusions and capture important data during an attack for later analysis.
Network Associates has prepared this white paper to help network and business managers understand the power of the Sniffer infrastructure they have already deployed in their environment. It explains how Sniffer network performance tools can be used to complement and enhance traditional security monitoring techniques, creating a better understanding of threats and helping in the response to network intrusions.

Breakdown of a Network Intrusion


Network intrusions can be broken down simply into three phases: Before the Attack, During the Attack and After the Attack. Breaking them down this way is easy; combating the many ways someone might gain access to your network is hard. In fact, research from the FBI and other security research groups contends that anywhere from 50% to 75% of all intrusions originate from inside the corporate trusted network. Additionally, if an intrusion is carried out to gather information or use resources, rather than for denial of service or defacement, the attacker will do everything in his or her power to make their presence difficult to detect. This makes it even harder to detect and trace what is happening within your network environment.

Preventive Measures You Can Take


Most corporations start by employing a number of preventive security measures such as firewalls and network-based intrusion detection systems (IDS). There are also tools that help during an attack, such as host-based intrusion detection. Finally, companies use a myriad of tools for forensics and post-analysis of intrusions. The figure below outlines where certain technologies can help in the three phases of an attack.

Sniffer Technologies, with its Sniffer Distributed and Sniffer Portable lines, complements these tools by alerting administrators to intrusions, filtering traffic based on specific criteria, and capturing data and evidence to help reconstruct a record of which systems were actually affected or compromised. In much the same way that a hidden security camera can record a bank robbery, Sniffer logs can provide invaluable data for forensic analysis.

Top Network Attacks and What to Use to Detect and/or Combat Them
The SANS Institute, in conjunction with the FBI, published the Top Twenty Computer Vulnerabilities in October 2001. We have compiled (see the table below) a list of tool categories that help with detection of, and visibility into, the most popular network intrusions on the SANS list, and what companies use each for. Additionally, we have marked where Sniffer can be used to help detect and combat popular intrusions and complement what you may already have deployed in your network.
Tool categories: Firewall, Network IDS, Host IDS, Vulnerability Assessment, Sniffer

Type of Attack:
 1. Default installs of operating systems and applications
 2. Accounts with No Passwords or Weak Passwords
 3. Non-existent or Incomplete Backups
 4. Large number of open ports
 5. Non-existent or incomplete logging
 6. Vulnerable CGI Programs
 7. Unicode Vulnerability (Web Server Folder Traversal)
 8. ISAPI Extension Buffer Overflows
 9. IIS RDS exploit (Microsoft Remote Data Services)
10. NETBIOS unprotected Windows networking shares
11. Information leakage via null session connections
12. Weak hashing in SAM (LM hash)
13. Buffer Overflows in RPC Services
14. Sendmail Vulnerabilities
15. Bind Weaknesses
16. R Commands (rlogin, rsh, rcp)
17. LPD (remote print protocol daemon)
18. Sadmind and mountd
19. Default SNMP Strings
20. Not filtering packets for correct incoming and outgoing addresses

[Table: the marks showing which tool categories apply to each attack type did not survive extraction; only the column headings and the attack list above are recoverable.]

Before the Attack


Most companies work very hard to take proactive steps to prevent network intrusions, but intrusions still happen and still cause a lot of damage. If an adversary spends enough investigative time and has the appropriate technical knowledge, they can get in if they are willing to work hard enough. As previously stated, most network intrusions originate inside the trusted network, completely bypassing the firewall. Most companies therefore also deploy a network-based intrusion detection system: a distributed probe that monitors internal network segments and looks for unauthorized traffic or requests.

Intrusion detection is a type of network security that, as the name implies, detects, identifies and isolates attempts to intrude on or make inappropriate, unauthorized use of computers. Attacks originate either via an external network connection or from within the organization that is targeted. Targeted systems are usually servers or workstations; however, attackers may also focus on network devices such as hubs, routers and switches. A network intrusion detection system (NIDS) helps identify that attacks may be occurring. It is designed to detect, monitor, and log potential security breaches.

Current network IDS products use a predominantly passive approach, collecting data through protocol analysis of traffic observed on the network. Each sensor monitors the traffic on specific network segments. It obtains copies of its segment's traffic by listening in promiscuous mode, so that its network interface card brings in a copy of every packet it sees. It examines these packets and attempts to determine whether they represent an intrusion attempt by comparing them against a list of known attack signatures: that is, whether a packet contains a string of characters that matches a specified pattern, or otherwise fits rules that define known attack methods.

While a network intrusion detection system is beneficial and recommended, it is not foolproof and you should not be lulled into a false sense of security. There are published techniques for bypassing NIDS (Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, Thomas H. Ptacek, Secure Networks, pages 1-63, January 1998), which many experienced hackers, both internal and external, can take advantage of.
Furthermore, no NIDS product is flexible enough to fully address the high speeds and vastly distributed nature of the topologies present in most large networks today. That is where Sniffer Technologies and the Sniffer Distributed product line can complement this technology. Sniffer Distributed should not be viewed as a replacement for NIDS, but rather as a complement to an existing NIDS. Later in this white paper, a section dedicated to the differences between NIDS and Sniffer Distributed illustrates how to use Sniffer products to enhance currently deployed technologies.

During an Attack
When someone is trying to attack or penetrate your network, it is commonly understood that they are trying one or more of the following: accessing data that is not for public consumption, changing or defacing company information (websites, files, etc.), illegally using your server's memory for their own storage, and flooding a particular device to render it unusable to authorized users, thereby creating a denial of service attack.

There are many tools to help network administrators determine whether their company is under attack. Host-based intrusion detection systems are a great tool to deploy on critical servers to help identify when you are under attack. They sit on the hosts a company wants to protect and send alerts if an unauthorized user tries to access something that is restricted. That helps protect against access to, or changes of, critical information on particular servers that is not for public consumption. The main shortfall of host-based intrusion detection is its limited platform coverage.

Another common attack that can cause serious downtime is a Denial of Service attack. This attack sends a tremendous amount of traffic, in the form of bogus server requests, to your critical servers. The machine becomes overburdened and is unable to respond to normal requests. This is a very common attack on websites and key file servers. If your machine is compromised, its resources can be used in a Denial of Service attack against another target, unbeknownst to you. This is something that Sniffer Portable or Sniffer Distributed can help your company with. In an example later in this whitepaper, you will be shown how Sniffer technology can trigger alarms when it detects a large number of requests to a particular server, or from a particular device, on your network. It can then alert the IT support team to take the necessary steps to protect the machine or machines. Sniffer Distributed can also watch for repeated attempts by unauthorized end users to log on to critical servers. There are many triggers and alarms that can be set to complement the alarm structure of a company's network- and host-based intrusion detection systems.
A company can use Sniffer Distributed to contain certain security breaches, as in the case of the Nimda worm. In this whitepaper, we show an example of a filter that was easily created to stop the propagation of the Nimda worm by quickly identifying contaminated servers until a fix was applied. This filter saved numerous companies a tremendous number of man-hours searching for and identifying malicious code.

After the Attack


Attacks on your network will happen. The question is whether you will know about them and, after analysis, be able to understand what happened and how to fix it so that it does not happen again. If an attack on your network occurs, it is essential to do everything possible to ensure that it can be detected, and that the traffic can be captured and analyzed. In the April 2001 edition of Secure Computing, in an article titled "Computer Forensics: Tracking Down the Clues" written by Illena Armstrong, the complexity of this issue is detailed: once a crime occurs, analyzing the evidence, closing any holes that have been opened and perhaps even moving forward with civil or criminal litigation is a complex process, one that demands more than just a once-over by an IT administrator.

After you identify that you are under attack or have been attacked, you cannot go back and collect the raw network traffic needed to piece together what happened. The only avenue at this point is the log files of the critical machines hit in the attack, provided you had the most detailed logging turned on. Even with this information, you could still be missing critical data. It is like trying to complete a jigsaw puzzle without knowing how many pieces there are or how many you are missing; you may not even be able to tell what the picture looks like.

Sniffer Distributed can help a great deal in this scenario. It acts much like a hidden security camera in a bank that allows you to go back and review the tape, so to speak. Sniffer Distributed records, or captures, all of the raw traffic on any network it is connected to and allows IT staff to analyze the data at a later time. The strength of Sniffer Distributed is its Expert engine, which allows users to take a huge trace file and quickly strip away any non-pertinent data to help with the collection of evidence. The ability to filter on a specific device or traffic pattern helps to quickly identify the important data and begin tracing what the intruder attempted or accomplished.

The Value of Sniffer and the Expert Analysis Engine


Sniffer Distributed
Sniffer Distributed is a fault and network performance management solution that can be deployed across the entire enterprise. It provides network monitoring, protocol decodes, and Expert analysis capabilities to all key segment types (e.g., Local Area Network (LAN), Wide Area Network (WAN), Asynchronous Transfer Mode (ATM), and Gigabit Ethernet) throughout the network. The powerful combination of standards-based monitoring and Expert analysis makes Sniffer Distributed the ultimate tool for today's multi-topology, multi-protocol distributed networks.

From a single management console, Sniffer Distributed enables automatic Remote Monitoring (RMON)-compliant segment monitoring and problem identification across the entire organization. This means that the network engineering team can troubleshoot your worldwide network without incurring the travel expenses involved in on-site problem diagnosis and resolution.

How Sniffer Distributed Differs from Network Intrusion Detection Systems


Network Intrusion Detection Systems are very good at listening to traffic and comparing it against the known attacks in their database. Sniffer Technologies' products were created to perform different tasks, but that doesn't mean you cannot use them for things other than what they were created for. Sniffer and its robust engine capture traffic and also provide the following capabilities:

Filtering: Sniffer has a powerful filtering capability that gives a network administrator focused visibility into the network, right down to the bit level. By defining a filter, a network administrator can quickly zoom in on a specific problem.

Capturing: Sniffer not only examines every packet on the wire; it also saves, or captures, the packets into trace files. Forensic techniques, combined with the captured trace files, can provide enough evidence to identify the attacker or the security events that have occurred.

Protocol Decodes: Sniffer decodes a wide range of protocols, at all layers of the OSI model. For example, it can decode routing protocols like OSPF as well as application protocols like HTTP. Being able to decode many different protocols allows Sniffer to handle whatever protocol an attacker attempts to use.

These features of filtering, capturing, and protocol decodes, coupled with Sniffer's alarming capabilities, offer a very powerful security visibility tool for network administrators. These capabilities are best illustrated by the recent Nimda outbreak. In the midst of the outbreak, Sniffer Technologies provided a Nimda filter to identify infected hosts on the network. One of the ways Nimda propagates is via the HTTP protocol, so a filter was defined on the Sniffer to look for the specific HTTP text strings Nimda uses to propagate itself. With this filter, the Sniffer was able to isolate rogue servers infected with Nimda without waiting for the IDS vendor to release a signature update for the outbreak.

Wireless Sniffer and Wireless Security


Wireless networks allow users to connect directly to the network without physical cables. This is, of course, desirable to most companies, as users need to stay connected while moving around the company's premises from meeting to meeting. Wireless networks use the 802.11b standard, an 11 Mbps wireless LAN standard that allows companies to deploy interoperable products from different vendors. Under 802.11b, wireless networks communicate on different channels that use different, overlapping RF frequencies, which can cause interference between channels. For security, 802.11b implements transport encryption called WEP (Wired Equivalent Privacy), which allows for basic 40-bit encryption or more complex 128-bit encryption. The problem most often seen with these encryption options is that they can complicate the troubleshooting or installation of the wireless network, and so they are features that most often are never turned on or utilized.

One of the main threats after implementing wireless technology is that most companies do not prioritize security highly enough. Quite often we see that the convenience of 802.11b quickly outweighs the cost of implementing the proper security, which end users may or may not understand. Wireless networks are usually treated differently from Internet gateways; this should not be the case. Unprotected wireless networks can give a user or hacker a direct connection to the network without having to go through firewalls or access controls. Many companies implement wireless networking technology first, troubleshoot second, and finally patch for security. Another concern is the placement of access point devices inside the corporation along outside walls or close to the physical boundaries of the building. The problem with this placement is that an access point's coverage spreads out from it like a set of concentric circles, meaning that people outside the building can communicate with the access point. Most access points are turned on in their default state, allowing any individual with a wireless NIC to associate with the device and be placed on the network. A common example of this can be found by launching Wireless Sniffer in a large urban environment and noticing how many access points are available for communication. This mentality of setting up APs first and securing them second can leave a production network exposed for a period of time, or indefinitely.

How can Wireless Sniffer help you protect your wireless network? Not only does Wireless Sniffer allow the user to troubleshoot 802.11b communications, it is also a great tool for discovering what is floating around unabated in the air for all to see. This can include IP addresses, passwords, and similar information that can be used for social engineering and to more easily penetrate your network. Wireless Sniffer can watch the communication between client and access point to help with troubleshooting, finding newly added Access Points (APs), SSID settings, channel mismatches, and WEP key synchronization. A Sniffer device can be used much like a GPS device: once turned on, it locates all APs in a given area by signal strength, allowing an individual to home in on where each access point is located. Wireless Sniffer also gives you insight into the wireless communication going on in and around your environment. Wireless Sniffer could also be used to capture WEP traffic and export it to a device that would try to break the level of encryption used. Wireless Sniffer, through discovery, will help you troubleshoot your wireless network and ascertain how secure your wireless implementation really is.

Examples of How to Utilize Sniffer Technology as a Security Tool


On the following pages are a few examples of the built-in and customizable security capabilities of Sniffer:

    Excessive Failed Resource Login Attempts (Trigger and Alarm)
    Access to Resource Denied (Trigger and Alarm)
    Denial of Service attack (Trigger and Alarm)
    Nimda Virus (Filter and Alarm)

EXAMPLE #1: Excessive Failed Resource Login Attempts
The Expert system within Sniffer is equipped with the ability to detect excessive numbers of failed login attempts at the application layer of the OSI model. This is one of the many ways Sniffer is used to detect a possible unauthorized intrusion on a network. The Expert generates this alarm when the number of consecutive login attempts with an incorrect password or user name for the listed station exceeds the Excessive Failed Resource Login Attempts threshold (see figure on right), which you set under the Expert UI Object Properties window in the Sniffer GUI. The address of the offending station is listed in the Summary row, as seen in the Sniffer capture (see figure 3 on the next page).


Possible Causes: The most common cause of this alarm is users who have forgotten their passwords and are trying to recall them by repeatedly trying again. It can also be set off by those who wish to crack passwords, either manually (guessing) or through various brute-force automated password-cracking tools. Using our own Sniffer Technologies CyberCop Scanner and its built-in capability to try to crack machine and database passwords, we were able to trigger this expert successfully. The figure below shows how this expert trigger looks within the Sniffer interface.

[Figure: Example 1]


EXAMPLE #2: Access to Resource Denied
The Expert generates this alarm when a station fails to establish an SMB session because of access restrictions. The name of the station is listed in the corresponding summary row. In this case, SMB refers to the passwords and user rights that govern access to Windows workstations, servers and resources. You can configure this alarm under the Expert UI Object Properties window in the Sniffer GUI.

Possible Causes: Again, the most common cause of this alarm is users who have forgotten their passwords and are trying to recall them by repeatedly trying again. It can also be set off by those who wish to crack passwords, either manually (guessing) or through various brute-force automated password-cracking tools. Again, our CyberCop Scanner was used successfully to trigger this expert alarm.
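The two Expert alarms in Examples 1 and 2 can be modelled as a small stream processor over decoded SMB logon results: one alarm per refused session, and one alarm per run of consecutive logon failures from a station once the run exceeds the threshold. The following is an added example, not Network Associates' code or the Sniffer Expert's actual implementation; the event tuples, status names and default threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed SMB session-setup results, as a probe on the server's segment
# might decode them: (requesting station, account name, result). These are
# sample values, not a real capture.
SAMPLE_EVENTS = [
    ("10.1.1.20", "alice", "OK"),
    ("10.1.1.50", "admin", "LOGON_FAILURE"),
    ("10.1.1.50", "admin", "LOGON_FAILURE"),
    ("10.1.1.50", "admin", "LOGON_FAILURE"),
    ("10.1.1.50", "admin", "LOGON_FAILURE"),
    ("10.1.1.20", "alice", "ACCESS_DENIED"),
    ("10.1.1.30", "bob", "LOGON_FAILURE"),
    ("10.1.1.30", "bob", "OK"),
    ("10.1.1.30", "bob", "LOGON_FAILURE"),
    ("10.1.1.50", "guest", "LOGON_FAILURE"),
]


@dataclass
class Alarm:
    kind: str      # Expert alarm name
    station: str   # address that would appear in the summary row
    detail: str


def expert_alarms(events, failed_login_threshold=3):
    """Return the alarms raised for a stream of (station, user, result) events.

    "Access to Resource Denied" (Example 2) fires once for every session that
    failed because of access restrictions.  "Excessive Failed Resource Login
    Attempts" (Example 1) fires when the number of *consecutive* logon failures
    from one station exceeds the threshold; a successful logon resets that
    station's count, and a station is reported once per run of failures so a
    brute-force tool does not produce one alarm per guess.
    """
    consecutive_failures = defaultdict(int)
    already_alarmed = set()
    alarms = []
    for station, user, result in events:
        if result == "OK":
            consecutive_failures[station] = 0
            already_alarmed.discard(station)
        elif result == "ACCESS_DENIED":
            alarms.append(Alarm("Access to Resource Denied", station,
                                f"session for user {user} refused"))
        elif result == "LOGON_FAILURE":
            consecutive_failures[station] += 1
            if (consecutive_failures[station] > failed_login_threshold
                    and station not in already_alarmed):
                already_alarmed.add(station)
                alarms.append(Alarm("Excessive Failed Resource Login Attempts", station,
                                    f"{consecutive_failures[station]} consecutive failures, "
                                    f"last account tried: {user}"))
    return alarms


if __name__ == "__main__":
    for alarm in expert_alarms(SAMPLE_EVENTS):
        print(f"{alarm.kind}: {alarm.station} ({alarm.detail})")
```

With the default threshold of 3, station 10.1.1.50 is reported on its fourth consecutive failure and not again for the fifth, while 10.1.1.30 never trips the alarm because its successful logon resets the count.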


[Figure: Example 2]

EXAMPLE #3: Too Many Retransmissions and Non-Responsive Station
The CyberCop Scanner signature 8033, "Windows NT - Fragment Denial of Service Attack", was launched against a target host. During the denial of service attack, the Sniffer's built-in expert alarms were able to detect the event: the Sniffer expert alarms for Too Many Retransmissions and Non-Responsive Station were triggered. In the figure on the next page, the Sniffer Expert's diagnosis for the connection layer logged 998 alarmed events. One of the triggered alarms was Too Many Retransmissions, while the rest were Non-Responsive Station alarms.

Possible Causes: The Sniffer Expert Alarm "Too Many Retransmissions" is generated when the number of retransmissions on a connection exceeds a threshold. This condition occurs when the transmitting station does not receive an acknowledgement from the receiving station and retransmits the frame. There are several possible causes for this alarm. For example, the server or router could be overloaded, or the network could be experiencing high traffic volumes. Furthermore, conditions could exist where acknowledgements are being lost or dropped.


The Sniffer Expert Alarm "Non-Responsive Station" (shown bottom right) is generated when the number of consecutive retransmissions without a response on a connection exceeds a threshold. There are several possible causes for these alarms, including overloaded servers, faulty hardware and misconfigured software. However, another such origin could be a denial of service attack: an attempt by attackers to prevent legitimate users from gaining access to a server or group of services by sending so many phony requests for service that the attacked server or servers cannot respond to legitimate ones.
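The two connection-layer alarms in Example 3 rest on one observation: a data segment is a retransmission when the same sequence number is seen again from the same sender, and a station is non-responsive when those retransmissions pile up with nothing coming back from it. The following is an added example, not Network Associates' code or the Sniffer Expert's actual logic; the Segment fields, trace values and thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    time: float    # capture timestamp in seconds
    src: str       # "address:port" of the sender
    dst: str       # "address:port" of the receiver
    seq: int       # TCP sequence number
    length: int    # payload bytes carried (0 for a pure acknowledgement)


# Constructed trace, not a real capture: the client 10.0.0.9 keeps resending
# the segment at sequence 1100 while the server 10.0.0.5 stops answering.
SAMPLE_TRACE = [
    Segment(0.00, "10.0.0.9:40000", "10.0.0.5:80", 1000, 100),
    Segment(0.05, "10.0.0.5:80", "10.0.0.9:40000", 5000, 0),    # server ACK
    Segment(0.10, "10.0.0.9:40000", "10.0.0.5:80", 1100, 100),
    Segment(0.40, "10.0.0.9:40000", "10.0.0.5:80", 1100, 100),  # retransmission 1
    Segment(1.00, "10.0.0.9:40000", "10.0.0.5:80", 1100, 100),  # retransmission 2
    Segment(2.20, "10.0.0.9:40000", "10.0.0.5:80", 1100, 100),  # retransmission 3
    Segment(4.60, "10.0.0.9:40000", "10.0.0.5:80", 1100, 100),  # retransmission 4
]


@dataclass
class Alarm:
    kind: str
    subject: str   # the connection or the station named in the summary row
    detail: str


def connection_key(a, b):
    """Order-independent identifier for the connection between two endpoints."""
    return " <-> ".join(sorted((a, b)))


def connection_alarms(trace, retransmission_threshold=3, unanswered_threshold=3):
    """Replay a segment list and return the connection-layer alarms it raises.

    A data segment is a retransmission when the same (src, dst, seq) has
    already been seen.  "Too Many Retransmissions" fires when the total for a
    connection exceeds retransmission_threshold.  "Non-Responsive Station"
    fires when one side has retransmitted more than unanswered_threshold times
    in a row without any segment coming back from the other side; that silent
    peer is the station named in the alarm.  Each alarm is reported once.
    """
    seen = set()
    retransmissions = defaultdict(int)     # per connection
    unanswered = defaultdict(int)          # per (src, dst) direction
    fired = set()
    alarms = []
    for seg in trace:
        # Anything sent by seg.src answers whatever seg.dst had been retransmitting.
        unanswered[(seg.dst, seg.src)] = 0
        if seg.length == 0:
            continue                        # pure ACKs are never retransmissions
        ident = (seg.src, seg.dst, seg.seq)
        if ident not in seen:
            seen.add(ident)
            continue
        conn = connection_key(seg.src, seg.dst)
        retransmissions[conn] += 1
        unanswered[(seg.src, seg.dst)] += 1
        if (retransmissions[conn] > retransmission_threshold
                and ("retrans", conn) not in fired):
            fired.add(("retrans", conn))
            alarms.append(Alarm("Too Many Retransmissions", conn,
                                f"{retransmissions[conn]} retransmissions by t={seg.time}s"))
        if (unanswered[(seg.src, seg.dst)] > unanswered_threshold
                and ("nonresp", seg.dst) not in fired):
            fired.add(("nonresp", seg.dst))
            alarms.append(Alarm("Non-Responsive Station", seg.dst,
                                f"{unanswered[(seg.src, seg.dst)]} consecutive "
                                f"retransmissions from {seg.src} unanswered"))
    return alarms
```

On the constructed trace both alarms fire at the fourth retransmission; inserting a single server ACK into the run clears the unanswered count, so only Too Many Retransmissions remains, which is why the Expert can separate a congested path from a station that has gone silent.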

EXAMPLE #4: Customizable Security Filter
This filter enables a network administrator to identify whether the network is infected with the Nimda virus. W32.Nimda.A@mm is a mass-mailing worm that uses multiple methods to spread itself. The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares. Sniffer can alert an administrator when the network traffic matches any of the strings below.


How to Utilize Sniffer Technologies for Forensics and Post Analysis


After a robbery or other crime has been committed, it is crucial that the police follow the proper procedure to look for clues and collect evidence. The same is true for computer forensics. The problem is that the police usually have far more physical evidence left at the scene of a crime than IT administrators have for a computer crime. Often the police have fingerprints or, if they are lucky, a security camera that shows the actual crime taking place. That is what Sniffer Technologies can provide with Sniffer Distributed: if a Sniffer Distributed probe is on the segment where the attack took place, it can function as the security camera or wiretap that captures what actually happened. By taking a trace file, you are in essence taking a snapshot of network traffic. A majority of the Fortune 500 companies have deployed Sniffer Distributed and are utilizing this functionality. Quickly showing how an attacker took advantage of your system and network vulnerabilities, assisting in hunting down an intruder, and supporting the prosecution of an intruder for legal purposes are all possible with Sniffer Distributed.

Summary
If you are currently a Sniffer customer or are considering solutions from Sniffer Technologies, you may not have been aware of the additional security features that can be used to complement your security defenses. Furthermore, the ability to leverage existing technologies in new ways offers a powerful means of enhancing network security without impacting budgets. Sniffer Portable and Sniffer Distributed from Network Associates offer users more than just a means of maximizing network performance and uptime; they can help secure your network infrastructure before, during and after an attack. At Sniffer Technologies, we are proud to apply our network analysis expertise to provide customers with solutions to all of their network management and security needs.

