Network monitoring tools like sniffers and intrusion detection systems (IDS) allow network administrators to examine network activity and monitor for suspicious behavior. Sniffers capture and display all network traffic to troubleshoot issues, while IDS tools are more advanced and can be configured to evaluate logs, detect suspicious activity, and disconnect insecure sessions. Securing workstations involves removing unnecessary software and services, keeping all components updated, and minimizing available information to prevent exploits. Remote access protocols like PPP provide authentication but not encryption, so tunneling protocols are needed to securely transmit data over unsecured networks.
#13. Monitoring and Diagnosing Networks
Agenda: Understanding Infrastructure Security

Introduction
Network monitoring is as old as data communications. It is the process of using a data-capture device or other method to intercept information from a network. Network monitors come in two forms: sniffers and intrusion detection systems (IDSs). Both let you examine the activity on your network; an IDS adds intelligence to the process by monitoring system logs, watching for suspicious activity, and taking corrective action when needed.

Monitors
Network monitors, also called sniffers, were originally introduced to help troubleshoot network problems. Simple configuration utilities like IPCONFIG don't get down on the wire and tell you what is physically happening on a network; examining the signaling and traffic on a network requires a network monitor.

Early monitors were bulky and required a great deal of expertise to use. Like most things in computing, they have become simpler, smaller, and less expensive. Network monitors are now available for most environments, and they are effective and easy to use.

Today a network-monitoring system usually consists of a PC with a NIC running in promiscuous mode and monitoring software. Promiscuous mode only makes the NIC accept frames that are not addressed to it; on a switched network the switch still forwards to that port only the traffic destined for it, so capturing other hosts' conversations requires a mirror (SPAN) port or a network tap. The monitoring software is menu driven, easy to use, and well documented. The traffic a sniffer displays can become quite involved and may require additional technical references, which you can buy at most bookstores or find free on the Internet. With a few hours of work, most people can make a network monitor work efficiently and use the data it presents.

Intrusion Detection Systems
An intrusion detection system (IDS) is software that runs on individual workstations (a host-based IDS) or on network devices (a network-based IDS) to monitor and track activity. By using an IDS, a network administrator can configure the system to respond much like a burglar alarm.
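The "burglar alarm" behaviour of an IDS, evaluating logs and flagging suspicious network activity, comes down to rules run over a stream of events. The following is an added example written for this page (not code from the textbook or from any IDS product): two signature-style checks over constructed log lines, one for SSH password brute forcing and one for a TCP port scan. The log formats imitate OpenSSH and the Linux netfilter LOG target, but every line, address and threshold is made up; the detector only alerts, it does not disconnect anything.

```python
"""Signature-style IDS checks over constructed log lines: a brute-force
detector for failed SSH logins and a port-scan detector for firewall
connection records. Example code for this page, not a product. The
formats mimic OpenSSH and the Linux netfilter LOG target, but every
line below is made up."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in classic syslog format (syslog omits the year).
AUTH_LOG = """\
Mar  3 10:15:01 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:15:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 10:15:04 host sshd[811]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:15:06 host sshd[811]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:15:08 host sshd[811]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:16:20 host sshd[812]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:16:25 host sshd[812]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Constructed netfilter LOG lines, one per new inbound TCP connection attempt.
FW_LOG = """\
Mar  3 10:20:00 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=21
Mar  3 10:20:00 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Mar  3 10:20:01 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Mar  3 10:20:01 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25
Mar  3 10:20:02 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80
Mar  3 10:20:02 host kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=443
Mar  3 10:20:05 host kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=443
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
FW_RE = re.compile(r"SRC=(\S+) .*DPT=(\d+)")


def parse_ts(line, year=2024):
    """Syslog carries no year; we assume one (real tooling must handle the Dec/Jan rollover)."""
    stamp = " ".join(TS_RE.match(line).group(1).split())
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def sliding_window_alerts(events, threshold, window_s, rule):
    """events: (time, source, key). Fire one alert per source the first time
    at least `threshold` distinct keys from it fall inside `window_s` seconds."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for t, src, key in sorted(events):
        q = recent[src]
        q.append((t, key))
        while (t - q[0][0]).total_seconds() > window_s:  # drop events that aged out
            q.popleft()
        if src not in alerted and len({k for _, k in q}) >= threshold:
            alerted.add(src)
            alerts.append((rule, src, len(q)))
    return alerts


def detect_bruteforce(log, threshold=5, window_s=60):
    """Every failed attempt counts, so the key is the line number."""
    events = []
    for i, line in enumerate(log.splitlines()):
        m = FAIL_RE.search(line)
        if m:
            events.append((parse_ts(line), m.group(2), i))
    return sliding_window_alerts(events, threshold, window_s, "ssh-bruteforce")


def detect_portscan(log, threshold=5, window_s=10):
    """Only distinct destination ports count, so the key is the port number."""
    events = []
    for line in log.splitlines():
        m = FW_RE.search(line)
        if m:
            events.append((parse_ts(line), m.group(1), int(m.group(2))))
    return sliding_window_alerts(events, threshold, window_s, "tcp-portscan")


def run_ids(auth_log=AUTH_LOG, fw_log=FW_LOG):
    """Run both rules and return the combined alert list."""
    return detect_bruteforce(auth_log) + detect_portscan(fw_log)


if __name__ == "__main__":
    for rule, src, count in run_ids():
        print(f"ALERT {rule}: {src} ({count} events in window)")
```

Both rules share one sliding-window counter; what differs is the key (each attempt for brute force, each distinct port for a scan), which is why 198.51.100.9 with a single failure and a single connection raises nothing. In the slides' terms this is the detective half of the pairing: an IDS that also reset or blocked the offending sessions would be acting as an intrusion prevention system.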
IDSs can be configured to evaluate system logs, look for suspicious network activity, and disconnect sessions that appear to violate security policy. (A system that actively blocks or resets traffic rather than only alerting is today usually called an intrusion prevention system, or IPS.) Many vendors have oversold the simplicity of these tools; they are quite involved and require a great deal of planning and maintenance to work effectively. Many manufacturers now sell IDSs combined with firewalls, and this area shows great promise. Firewalls by themselves prevent many common attacks, but they usually lack the intelligence and reporting capabilities to monitor the entire network. Pairing the two gives you a preventive control (the firewall, which blocks traffic before it reaches a host) and a detective control (the IDS, which recognizes and reports what got through or what looks wrong).

Securing Workstations and Servers
Workstations are particularly vulnerable in a network. Most modern workstations, regardless of operating system, communicate using services such as file sharing, network services, and application programs. Many of these programs can connect to other workstations or servers, and those connections are potentially vulnerable to interception and exploitation.

Making a workstation or server more secure is called platform hardening. Hardening the operating system specifically is called OS hardening; it is part of platform hardening but deals only with the operating system. Platform hardening procedures fall into three basic areas:

1. Remove unused software, services, and processes from the workstation (for example, remove the Server service from a workstation that does not need to share files). Unneeded services and processes create opportunities for exploitation.

2. Ensure that all services and applications are up to date (including available service packs and security patches) and configured in the most secure manner allowed. This may include assigning passwords, limiting access, and restricting capabilities.
Securing Workstations and Servers (continued)
3. Minimize information dissemination about the operating system, services, and capabilities of the system. Many attacks target a specific platform once that platform has been identified, so banners and error messages that reveal product and version numbers should be suppressed where possible.

Many operating systems use default account names for administrative access; if at all possible, rename them. During a new installation of Windows XP or Windows Vista, the first user created is automatically added to the Administrators group. Windows Vista goes one step further and disables the built-in Administrator account once another member of the Administrators group exists.

Understanding Mobile Devices
Mobile devices, including pagers and personal digital assistants (PDAs), are popular. Many of these devices use either RF signaling or cellular technologies for communication. If the device uses the Wireless Application Protocol (WAP), it in all likelihood does not have security enabled.

Understanding Remote Access
One of the primary purposes of a network is the ability to connect systems. As networks have grown, many technologies have appeared to make this process easier and more secure. A key area of concern is the connection of systems and other networks that are not part of your own network. The following sections discuss the more common protocols used to provide connectivity among remote systems.

Using Point-to-Point Protocol
Standardized in its current form in 1994, Point-to-Point Protocol (PPP) supports multiple network-layer protocols, including IP, AppleTalk, IPX, and DECnet. PPP works over POTS, Integrated Services Digital Network (ISDN), and faster connections such as T1. PPP does not provide data security, but it does provide authentication using Challenge Handshake Authentication Protocol (CHAP) or the weaker Password Authentication Protocol (PAP). The next slide shows a PPP connection over an ISDN line.
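The first and third hardening areas above (remove unneeded services, limit what the host exposes) are usually verified by comparing what is actually listening with what policy says should be. The following is an added example written for this page, not part of the textbook: it parses constructed `ss -ltnp` output from a hypothetical Linux workstation and checks it against an allowlist that also records whether each service may listen on all interfaces or only on loopback. The process names, ports and policy are assumptions for the illustration.

```python
"""Platform-hardening check: compare the services actually listening on a
host with an explicit allowlist, flagging anything unexpected and anything
bound to all interfaces when policy says loopback only. Example code for
this page; the `ss -ltnp` output and the policy below are constructed."""
import re

# Constructed: what `ss -ltnp` prints on a Linux host (header, then one line per socket).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=900,fd=5))
LISTEN 0      4096   0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=950,fd=6))
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1200,fd=30))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=700,fd=4))
"""

# Hypothetical hardening policy for this workstation: process -> permitted bind scope.
POLICY = {
    "sshd": "any",         # remote administration; may listen on every interface
    "postgres": "local",   # only local applications talk to the database
    "redis-server": "local",
}
# No entry for smbd: the slide's "remove the Server service" case, file sharing is not wanted here.

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(output):
    """Return [(process, bind_address, port)] for every LISTEN line in ss -ltnp output."""
    sockets = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, proc = m.groups()
            sockets.append((proc, addr, int(port)))
    return sockets


def audit_listeners(output, policy=POLICY):
    """Findings are (kind, process, bind_address, port).
    unexpected-service: listener not in the allowlist at all (remove or disable it).
    exposed-service:    allowed, but bound beyond loopback when policy says 'local'."""
    findings = []
    for proc, addr, port in parse_ss(output):
        scope = policy.get(proc)
        if scope is None:
            findings.append(("unexpected-service", proc, addr, port))
        elif scope == "local" and addr not in LOOPBACK:
            findings.append(("exposed-service", proc, addr, port))
    return findings


if __name__ == "__main__":
    for kind, proc, addr, port in audit_listeners(SS_OUTPUT):
        print(f"{kind}: {proc} listening on {addr}:{port}")
```

On the constructed input the check flags smbd (not in the allowlist at all, so the service should be removed or disabled) and redis-server (allowed, but bound to 0.0.0.0 when it should be on 127.0.0.1). Run against real output, the same two finding kinds map directly to the slide's advice: delete what is not needed, and restrict what remains.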
Over ISDN, PPP normally uses one 64 Kbps B channel for transmission. PPP also allows several channels in a connection (such as both ISDN B channels) to be bonded into a single virtual connection, a feature known as Multilink PPP.

PPP carries each network-layer packet inside an HDLC-like frame. The Link Control Protocol (LCP) establishes, configures, and tests the link and negotiates which authentication protocol (PAP or CHAP) will be used; the authentication exchange itself then runs over the link before any network traffic is allowed. A family of Network Control Protocols (NCPs), such as IPCP for IP, then configures each network-layer protocol that will be carried over the link. A PPP connection allows remote users to log on to the network and have access as though they were local users. PPP does not provide any encryption for the channel.

As you might have guessed, the unsecure nature of PPP makes it largely unsuitable for WAN connections over networks you do not control. To counter this, other protocols have been created that take advantage of PPP's flexibility and build on it. A dial-up connection using PPP works acceptably because it is not common for an attacker to tap a phone line. You should make sure all your PPP connections use secure channels, dedicated connections, or dial-up connections.

Remote users who connect directly to a system over dial-up do not necessarily need encryption enabled: if the connection is direct, the likelihood that anyone could tap an existing phone line is relatively small. However, any connection that traverses a shared or public network should use an encryption-oriented tunneling system.

Working with Tunneling Protocols
Tunneling protocols add a capability to the network: the ability to create tunnels between networks that can be more secure, support additional protocols, and provide virtual paths between systems. The best way to think of tunneling is to imagine sensitive data being encapsulated in other packets that are sent across the public network. Once they are received at the other end, the sensitive data is stripped from the outer packets and reassembled into its original form.
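The CHAP authentication that PPP negotiates over LCP, described above, is a three-way exchange in which the shared secret never crosses the link. The following is an added example written for this page, not code from the textbook: both sides of the exchange, the authenticator (the dial-in server) and the peer (the remote user), implemented as RFC 1994 specifies the response value (MD5 over the one-octet Identifier, the secret and the challenge). The peer name "remote1" and the secret are made up.

```python
"""CHAP (RFC 1994) challenge/response as PPP uses it, with both peers'
messages shown. Example code written for this page; the peer name and
secret are invented. Only the response computation follows the RFC
byte-for-byte; packet headers are reduced to their Identifier field."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The dial-in server. It must hold each peer's secret in a recoverable
    form to recompute the expected response, one of CHAP's known weaknesses."""

    def __init__(self, secrets):
        self.secrets = secrets      # peer name -> shared secret
        self.outstanding = {}       # identifier -> challenge we sent

    def challenge(self, size=16):
        """CHAP Challenge (Code 1): fresh random Identifier and Value."""
        identifier = os.urandom(1)[0]
        chal = os.urandom(size)
        self.outstanding[identifier] = chal
        return identifier, chal

    def verify(self, identifier, name, response):
        """Check a CHAP Response (Code 2); return True for Success (Code 3),
        False for Failure (Code 4). Each challenge is usable exactly once."""
        chal = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """The remote user's side of the link."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        """CHAP Response (Code 2): same Identifier, computed Value, and our Name."""
        return chap_response(identifier, self.secret, challenge), self.name


def run_chap(peer_secret=b"correct horse", server_secret=b"correct horse"):
    """Run one full exchange, then replay the same response. Returns
    (first_result, replay_result); a healthy run is (True, False)."""
    auth = Authenticator({"remote1": server_secret})
    peer = Peer("remote1", peer_secret)
    ident, chal = auth.challenge()            # server -> peer
    value, name = peer.respond(ident, chal)   # peer -> server
    first = auth.verify(ident, name, value)   # server -> peer: Success/Failure
    replay = auth.verify(ident, name, value)  # attacker resends the captured response
    return first, replay


if __name__ == "__main__":
    print("good secret:", run_chap())
    print("wrong secret:", run_chap(peer_secret=b"guess"))
```

The replay check shows why the challenge must be random and single-use: a captured response is worthless against a new challenge. What the exchange does not give you is the point the slides make about PPP generally. CHAP authenticates only at link setup, an eavesdropper who records challenge and response can test candidate secrets offline against the MD5, the server has to store plaintext-equivalent secrets, and nothing that follows on the link is encrypted; that is the gap the tunneling protocols below fill.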