Packet Analyzers, a Threat to Network Security

Upload: marcus-heath

Post on 17-Dec-2015


Agenda

Introduction
The background of packet analyzers
LAN technologies & network protocols
Communication protocols
How packet analyzers work
Who uses packet analyzers

Agenda (Continued)

What devices packet analyzers can run on
How to detect packet analyzers
How to protect against packet analyzers
End user awareness
Conclusion
Questions

Introduction

Is confidential information that is sent out across the network only viewable by the sender and its recipient(s)?
Networking standards were designed for compatibility and ease of use
Security was not a major issue

Packet Analyzer Background

A packet analyzer is a tool whose intended purpose was to help network administrators troubleshoot and diagnose their local area networks

Packet analyzers can also fall into the wrong hands for malicious purposes

LAN Technologies & Network Protocols

LAN technologies
  Shared mediums
  Ethernet
    Most common technology today
    Operates at various speeds and mediums

LAN Technologies & Network Protocols (Continued)

Network protocols
  Protocols are a set of rules each machine must follow in order to communicate
  TCP/IP
    Most commonly used protocol in corporate networks
    The only protocol used on the Internet

LAN Technologies & Network Protocols (Continued)

Network communications
  Everybody on a repeated network sees the same transmitted data
  It is the responsibility of the stations to ignore data that is not intended for them (honor system)

LAN Technologies & Network Protocols (Continued)

Switches reduce the number of stations that can view the same transmitted data
  A switch tries to keep track of where stations are located so it can direct data only to its intended recipient
  If the switch does not know where to send the data, it is forced to send it to everyone
Routers never broadcast data
  Will only send data directly to a machine or another router
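The difference between a repeated network and a switched one, as an added example that is not part of the original slides: a small model that counts how many frames reach a port where a monitoring station sits. The class names, port numbers and MAC addresses are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Repeater: every frame is copied to every other port."""
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        return sorted(self.ports - {in_port})

class LearningSwitch:
    """Learns which port each source address lives on, floods when unsure."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src, dst):
        self.table[src] = in_port            # learn the sender's location
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:  # unknown destination: send to everyone
            return sorted(self.ports - {in_port})
        return [] if out == in_port else [out]

def frames_seen(device, frames, observer_port):
    """Number of frames the device delivers to observer_port."""
    return sum(observer_port in device.forward(p, s, d) for p, s, d in frames)

# Constructed sample: station A on port 1 talks to station B on port 2;
# port 3 is a third station that is not part of the conversation.
A, B = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
SAMPLE_FRAMES = [(1, A, B), (2, B, A), (1, A, B)]

if __name__ == "__main__":
    print("hub   :", frames_seen(Hub([1, 2, 3]), SAMPLE_FRAMES, 3))
    print("switch:", frames_seen(LearningSwitch([1, 2, 3]), SAMPLE_FRAMES, 3))
```

The one frame the switch still delivers to port 3 is the first one, sent before the switch had learned where B is located.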

Communication Protocols

Insecure communication protocols
  FTP (file transfer protocol)
  HTTP (hyper-text transfer protocol)
  SMTP (simple mail transfer protocol)
  POP (post office protocol)
  IMAP (internet message access protocol)
  Telnet
  SNMP (simple network management protocol)

Communication Protocols (Continued)

Secure communication protocols
  FTPS - secure FTP
  HTTPS - secure HTTP
  No secure SMTP, POP, or IMAP
    PGP (Pretty Good Privacy) - encrypts message within SMTP, POP, or IMAP
  SSH (secure shell) - answer to secure Telnet

How Packet Analyzers Work

Can be installed on numerous operating systems or can be dedicated hardware
Run under promiscuous mode
Can define filters to only capture wanted data
Converts binary data into a comprehensible format
Can only convert clear text
Similar to a wire tap performed on phone lines

How Packet Analyzers Work (Continued)

Ethereal (http://www.ethereal.com)

How Packet Analyzers Work (Continued)

Iris (http://www.eeye.com/html/Products/Iris)

Who Uses Packet Analyzers

Network administrators
  Troubleshoot and diagnose the network
  Intrusion detection
Network intruders
  Gather sensitive data
  Monitor web browsing, email, or instant message communication

Who Uses Packet Analyzers (Continued)

The U.S. government
  Crime prevention
  Carnivore
    Can capture all network traffic of a particular user or IP
    Installed at suspect’s ISP
  The USA PATRIOT Act has reduced restrictions previously placed on Carnivore
    U.S. attorney or state attorney general can order the installation of Carnivore without going to court
    Law enforcement agents can get blank warrants

What Packet Analyzers Can Run On

Can be installed on desktops, laptops, and PDAs (personal digital assistants)

Can be purchased or downloaded for free

Can work on any type of network as long as the hardware and software support it, including wireless networks

What Packet Analyzers Can Run On (Continued)

The small size of PDAs and palm-sized laptops allows packet analyzers to fit in a shirt pocket

How to Detect Packet Analyzers

Packet analyzers do not transmit data, making detection difficult

Other network-based applications on the same machine may give away its presence: email, web browser, ARP (address resolution protocol), DNS (domain name service)

Network administrator can ‘trick’ the network analyzer to reply

Specialized programs to detect network analyzers: AntiSniff, CPM (check promiscuous mode), neped, sentinel, and ifstatus
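A local check for promiscuous mode on a host the administrator controls, as an added example that is not part of the original slides and is not the code of any tool named above. It assumes a Linux host that exposes interface flags as hex text under /sys/class/net; the sample tree and interface names are constructed so the check also runs elsewhere.

```python
import os
import tempfile

IFF_PROMISC = 0x100  # promiscuous-mode bit, as defined in <linux/if.h>

def read_flags(sysfs_root, iface):
    """Parse the hex flags word for one interface, e.g. '0x1103'."""
    with open(os.path.join(sysfs_root, iface, "flags")) as fh:
        return int(fh.read().strip(), 16)

def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return the sorted names of interfaces whose promiscuous bit is set."""
    found = []
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            flags = read_flags(sysfs_root, iface)
        except (OSError, ValueError):
            continue  # entry is not an interface, or is unreadable
        if flags & IFF_PROMISC:
            found.append(iface)
    return found

def build_sample_tree(flag_values):
    """Create a constructed sysfs-like tree: {interface name: flags word}."""
    root = tempfile.mkdtemp(prefix="sysfs-sample-")
    for iface, flags in flag_values.items():
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "flags"), "w") as fh:
            fh.write(hex(flags) + "\n")
    return root

if __name__ == "__main__":
    # Constructed values: eth1 has the promiscuous bit set, the others do not.
    sample = build_sample_tree({"eth0": 0x1003, "eth1": 0x1103, "lo": 0x9})
    print("sample tree:", promiscuous_interfaces(sample))
    if os.path.isdir("/sys/class/net"):
        print("this host  :", promiscuous_interfaces())
```

This only inspects the machine it runs on, so it suits an inventory sweep of managed hosts rather than finding an unknown device on the wire.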

How to Protect Against Packet Analyzers

Intrusion detection/prevention system
When possible, restrict network access by hardware address
Disable unused ports
Disable port mirroring when not in use
Password protect networking devices (don’t use default passwords)
Only use secure operating systems that prevent end users from installing packet analyzers (Windows NT-based, Linux, or UNIX)
Virus scanners to detect malicious packet analyzing software

End User Awareness

Know what information is sensitive and how to make sure transmission methods are secure
  Example: use HTTPS for online banking/shopping
Look at alternative methods of transmittal
  Example: Using SSH instead of Telnet
Know network administrators can be using packet analyzers to monitor you
  Don’t do anything you shouldn’t at work!!!

Conclusion

When computers communicate over networks, their communication is at risk of being intercepted and monitored by packet analyzers. A packet analyzer can capture sensitive data, such as credit card numbers, usernames, or passwords. It is important to be protected against network intrusions, as well as be aware of how secure one’s network communication is.

Questions