Lisa Bock is an assistant professor of information technology at Pennsylvania College of Technology (www.pct.edu) in Williamsport, Pennsylvania. She has taught a variety of courses that include networking, security, biometrics, protocol vulnerabilities, CCNA Security, and requirements analysis and is an author for Lynda.com.
LIFARS: We understand you have expertise in packet analysis and its tools. How did you get interested in them?
Lisa: In 2004, a colleague introduced me to Ethereal (now called Wireshark) an open-source protocol analysis tool. I looked at the interface as it captured traffic and I thought, “I don’t know what this is, but I want to!” I then spent the next seven years immersing myself in the tool and learning about packet analysis.
LIFARS: Could you briefly tell our viewers the functions and uses of protocol analyzers?
Lisa: Protocol analysis is important in order to troubleshoot congestion issues, create firewall and IDS rules, and perform incident and threat detection. Network administrators use a packet sniffer or network analyzer to monitor and troubleshoot network traffic. As data flows across the network, the sniffer captures each packet, decodes the packet’s raw bits, and then displays the field values in the packet according the appropriate RFC or other specification.
The tool I prefer is Wireshark, formerly Ethereal, an open source packet analyzer. However, there are others. Cain and Abel recovers passwords by sniffing the network. ‘NarusInsight’, formerly Carnivore, can monitor all internet traffic and ‘tcpdump’ is a common protocol analyzer that runs from the command line.
LIFARS: What does it mean when they say “Intrusion and Extrusion Detection”?
Lisa: I’ll ask network administrators, “How secure are you?” and they’ll respond, “Very! We’re bulletproof!” I then ask, “How do you know that they aren’t already in your network?” I’ll get a blank stare. The fact is monitoring for threats comes in three flavors:
- Reactive – not good, you found a threat and now have to deal with it.
- Proactive – monitoring your systems and preventing threats.
- Active – actively seeking threats by conducting packet analysis and monitoring log files.
Intrusion detection and prevention systems are network security appliances that monitor for unusual or suspicious activities. A system may be a stand-alone device or integrated within an adaptive security appliance or router. Intrusion detection works out of band to identify malicious activity, log information about this activity, and report it. Intrusion prevention does the same thing but works in line and attempts to block or stop a possible attack by dropping the suspect traffic.
Although we are concerned with intrusion detection, it’s also important to include extrusion detection in your organization, as it will help pick up clues that malicious activity is in your organization by monitoring for suspicious outbound connections.
For example, the following Snort alert indicates malicious activity is on the protected network:
DELETED WEB-MISC text/html content-type without HTML – possible malware C&C (Detection of a non-
standard protocol or event) [16460]
The network administrator should take immediate action as it indicates an infected host may be communicating with an external entity, for example retuning information gathered by spyware.
LIFARS: What are the ways to avoid detection by an intrusion detection systems?
Lisa: Attackers scan systems to check for live hosts. Careful scanning involves avoiding detection by an intrusion detection system. For example, when port scanning; resist the urge to send thousands of packets, as that in itself is noisy and a clear pattern. In order to change the pattern, we can cloak a scan with decoys, which confuses and IDS by hiding your IP address. The intrusion detection system might flag some scans from a range of IP addresses, but isn’t going to be able to determine what IP address has truly sent the request. Decoys won’t work with all scans. In addition, any hosts you use as decoys should be up.
You can also try a Christmas tree attack, which sends a large number of packets to an end device by setting the FIN, PSH and URG flags in the TCP header, lighting up the packet like a Christmas tree. Because of its unusual signature, it may be able to stay under the radar of an intrusion detection system.
The good news is many newer devices are able to recognize this signature. Regardless, continue to be vigilant and monitor your system for active threats.
Visit Pennsylvania College of Technology (www.pct.edu) to learn about the college’s information technology majors and more than 100 other “degrees that work.”
