CertiGuide to Security+ - Security Issues with Network Monitoring Tools

WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Get this Security+ CertiGuide for your own computer.

Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!

Get It Here!

Custom Search

CertiGuide to Security+
9 Chapter 3:  Infrastructure Security (Domain 3.0; 20%)
      9 3.1  Devices
           9 3.1.10  Network Monitoring / Diagnostics

3.1.10 Network Monitoring / Diagnostics

SNMP (Simple Network Management Protocol)

Security Issues with Network Monitoring Tools

From an attacker’s point of view, the traffic-monitoring utilities provide opportunities for “sniffing” network packets, possibly uncovering passwords or the types of software in use on the network. And, the configuration-monitoring and service-monitoring tools let the attacker learn about the network and even “jiggle the doorknob.” They are interesting for the reconnaissance information they can provide, such as information about what applications are run on the network, user ID’s and passwords, how well-connected a site is, and of course, proprietary data.

It’s not enough to protect access to monitoring and diagnostic tools, when possible. You must also protect the information those tools collect from unauthorized access. If an intruder knows, or can determine, where your network monitoring logs are stored, and they gain access to them, they could view your logs (possibly obtaining authentication information such as passwords, or confidential company data) or even remove all traces of their visit to your network. So, it’s prudent to develop a policy for backing up important system logs to off-line storage on a regular basis, in the name of preserving potential evidence. Unfortunately, it’s not unusual at all for a system administrator to collect network traffic or application diagnostic information into a publicly-readable file, even though that information may include user passwords, sensitive data like credit card numbers, etc.

Since it’s not feasible to guarantee that no one will ever run packet sniffer software on your network, remember that no packet on your network is immune from being captured by a sniffer, and keep the following in mind:

Do not send sensitive information across the network unencrypted (this includes email, files saved to servers, credit card information submitted from a web page to an application server, etc.

Use challenge/response authentication techniques instead of those that send passwords in clear text or encryption, in order to minimize opportunities for playback attacks and password stealing

Consider probing your network for the presence of unauthorized sniffers periodically, to at least limit the amount of information they gather before being discovered and disconnected.

[spacer] State of the Art in NIDS

The “state-of-the-art” in stealthy network monitoring involves monitoring to detect activities like port scanning and monitoring itself. Using techniques like looking for certain streams of packets, or examining packet delays and the responses of systems to specifically constructed packets, it is possible to determine that some sort of monitoring tool is in use on a network. If an attacker detects that monitoring is in use, he may try to “confuse” it by sending many meaningless packets in hopes that his traffic will get lost in the shuffle, or dropped before it is logged by a monitoring system struggling to keep up with the amount of network traffic, thus preventing a log of his activities.

Port Scanning

Have you ever run a port scanner like nmap on your network? If not, and if you are authorized to run something like nmap on your network, go get it from http://www.insecure.org. Set it to scan the full range of your network, and all low-numbered ports. (We’d suggest doing this after hours or over the weekend, in order to avoid subjecting the network to additional traffic during work hours). Did it find any systems on your network that you were unaware of? Did it find any enabled services you didn’t expect? Again, make sure you have authorization to do this, before you do. We are not requiring or even expecting the reader to participate in this real world exercise.

3.1.10 Network Monitoring / Diagnostics

SNMP (Simple Network Management Protocol)

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!

Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.