Packet Analyzers, a Threat to Network Security

Agenda
 Introduction
 The background of packet analyzers
 LAN technologies & network protocols
 Communication protocols
 How packet analyzers work
 Who uses packet analyzers
 What devices packet analyzers can run on
 How to detect packet analyzers
 How to protect against packet analyzers
 End user awareness
 Conclusion
 Questions

Introduction
 Is confidential information that is sent across the network viewable only by the sender and its intended recipient(s)?
 Networking standards were designed for compatibility and ease of use
   Security was not a major design goal, so most of the original protocols carry everything in clear text

Packet Analyzer Background
 A packet analyzer (also called a packet sniffer or network analyzer) is a tool whose intended purpose is to help network administrators troubleshoot and diagnose their local area networks
 The same tool in the wrong hands captures the same traffic for malicious purposes

LAN Technologies & Network Protocols
 LAN technologies
   Shared mediums: every station attached to the medium receives every frame sent on it
   Ethernet
     Most common technology today
     Operates at various speeds and over various mediums (coaxial, twisted pair, fibre)

LAN Technologies & Network Protocols (Continued)
 Network protocols
   A protocol is a set of rules each machine must follow in order to communicate
   TCP/IP
     Most commonly used protocol suite in corporate networks
     The protocol suite the Internet runs on

LAN Technologies & Network Protocols (Continued)
 Network communications
   On a repeated (hub-based) network, every station sees every transmitted frame
   It is the responsibility of each station to ignore frames not addressed to it (an honor system)
   A network card in normal mode does that ignoring in hardware; a packet analyzer simply turns the filtering off
LAN Technologies & Network Protocols (Continued)
 Switches reduce the number of stations that can see a given transmitted frame
   The switch learns which port each station's hardware address is on, so it can forward a frame only to its intended recipient
   If the switch does not know where the destination is, it must flood the frame out every port; broadcasts (ARP, for example) always go to every port
   Caveat: this is a performance feature, not a security boundary. An attacker who fills the switch's address table or forges ARP replies can make the switch flood, or redirect, other stations' traffic to the attacker's port
 Routers do not forward broadcasts between networks
   They send data only toward the destination machine or the next router
Communication Protocols
 Insecure communication protocols (logins and content travel in clear text)
   FTP (file transfer protocol)
   HTTP (hypertext transfer protocol)
   SMTP (simple mail transfer protocol)
   POP (post office protocol)
   IMAP (internet message access protocol)
   Telnet
   SNMP (simple network management protocol): versions 1 and 2c send the community string, which acts as the password, in clear text

Communication Protocols (Continued)
 Secure communication protocols
   FTPS: FTP over SSL/TLS (SFTP, file transfer over SSH, is a different protocol that is also safe from sniffing)
   HTTPS: HTTP over SSL/TLS
   SMTP, POP, and IMAP have no protection of their own, but each can be run over SSL/TLS (SMTPS, POP3S, IMAPS, or upgraded in place with STARTTLS); that protects the connection, not the stored message
   PGP (Pretty Good Privacy) encrypts the message itself, so it stays protected whether it travels over SMTP, POP, or IMAP
   SSH (secure shell) is the secure replacement for Telnet
 In every case a packet analyzer still captures the packets; it just cannot read the encrypted payload
How Packet Analyzers Work
 Can be installed on numerous operating systems or can be dedicated hardware
 Put the network card into promiscuous mode, so frames addressed to other stations are passed up to the software instead of being dropped by the card
 Can define filters to capture only the wanted data (by address, protocol, or port)
 Convert the binary packet data into a comprehensible format (decoded headers, then the payload)
 Can only make sense of clear text: encrypted payloads are captured but cannot be read
 Similar to a wire tap performed on phone lines
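The following is an added example, not code from the original slides or from any of the products they name. It does in a few dozen lines what the bullets above describe: it decodes the binary Ethernet/IPv4/TCP headers of a frame into readable fields, applies a capture filter, and pulls clear-text logins out of FTP, IMAP and HTTP traffic, while a TLS payload is captured but yields nothing. The frames, addresses and the choice of watched ports are constructed for the demo; nothing is read from or sent to a real network.

```python
"""Added example (not from the original slides): what a packet analyzer does with a
captured frame. It decodes the binary Ethernet/IPv4/TCP headers into readable fields,
applies a capture filter, and pulls clear-text logins out of the payload. Frames are
constructed inline for the demo (made-up addresses); nothing is read from or sent to a
real network."""
import base64
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
# Capture filter, like Ethereal's "tcp port 21 or 80 or 143 ..."; 443 is kept to show
# that TLS traffic is captured but unreadable.
WATCHED_PORTS = {21, 23, 25, 80, 110, 143, 443}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + TCP (no options) around a payload. Checksums are left
    zero: the point is decoding, not a working TCP stack."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64,
                     PROTO_TCP, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp + payload


def decode_frame(frame):
    """Binary to comprehensible: return the header fields an analyzer displays, or None
    for anything that is not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src_mac": mac_str(frame[6:12]), "dst_mac": mac_str(frame[:6]),
            "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def matches_filter(pkt):
    return pkt["sport"] in WATCHED_PORTS or pkt["dport"] in WATCHED_PORTS


def extract_credentials(payload):
    """Clear-text logins as they appear in FTP/POP3 (USER/PASS), IMAP (tag LOGIN user
    pass) and HTTP Basic auth. Encrypted or binary payloads are not text and yield nothing."""
    found = {}
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return found
    for line in text.splitlines():
        parts = line.split()
        upper = line.upper()
        if len(parts) >= 2 and upper.startswith(("USER ", "PASS ")):
            found["user" if parts[0].upper() == "USER" else "password"] = parts[1]
        elif len(parts) >= 4 and parts[1].upper() == "LOGIN":
            found["user"], found["password"] = parts[2], parts[3]
        elif len(parts) >= 3 and upper.startswith("AUTHORIZATION: BASIC "):
            user, _, password = base64.b64decode(parts[2]).decode("ascii", "replace").partition(":")
            found["user"], found["password"] = user, password
    return found


def sniff(frames):
    """What the analyzer shows: decoded, filtered packets with any logins found."""
    results = []
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt is None or not matches_filter(pkt):
            continue
        results.append({"src": pkt["src_ip"], "dst": pkt["dst_ip"], "dport": pkt["dport"],
                        "credentials": extract_credentials(pkt["payload"])})
    return results


def sample_capture():
    """Constructed traffic from workstation 10.0.0.5 to several servers (made-up data)."""
    a, b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    basic = base64.b64encode(b"alice:hunter2").decode()
    tls_record = b"\x17\x03\x03\x00\x20" + bytes(range(0xa0, 0xc0))  # opaque application data
    return [
        build_frame(a, b, "10.0.0.5", "10.0.0.21", 40001, 21, b"USER alice\r\nPASS hunter2\r\n"),
        build_frame(a, b, "10.0.0.5", "10.0.0.80", 40002, 80,
                    f"GET /mail HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic {basic}\r\n\r\n".encode()),
        build_frame(a, b, "10.0.0.5", "10.0.0.143", 40003, 143, b"a001 LOGIN alice hunter2\r\n"),
        build_frame(a, b, "10.0.0.5", "10.0.0.44", 40004, 443, tls_record),
        build_frame(a, b, "10.0.0.5", "10.0.0.99", 40005, 5000, b"not interesting"),  # filtered out
    ]


if __name__ == "__main__":
    for r in sniff(sample_capture()):
        print(r)
```

Running it prints four decoded packets: the FTP, HTTP Basic and IMAP logins all come out as alice / hunter2, the port 443 packet is listed with empty credentials because its payload is cipher text, and the port 5000 packet never appears because the filter dropped it. That is the whole difference between the insecure and the secure protocol lists: the analyzer captures both, it can only read one.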
How Packet Analyzers Work (Continued)
 Examples of packet analyzers (screenshots)
   Ethereal (http://www.ethereal.com), later renamed Wireshark
   Iris (http://www.eeye.com/html/Products/Iris)
Who Uses Packet Analyzers
 Network administrators
   Troubleshoot and diagnose the network
   Intrusion detection
 Network intruders
   Gather sensitive data
   Monitor web browsing, email, or instant message communication

Who Uses Packet Analyzers (Continued)
 The U.S. government
   Crime prevention
   Carnivore
     Can capture all network traffic of a particular user or IP
     Installed at the suspect's ISP
     The USA PATRIOT Act has reduced restrictions previously placed on Carnivore
       A U.S. attorney or state attorney general can order the installation of Carnivore without going to court
       Law enforcement agents can get blank warrants
What Packet Analyzers Can Run On
 Can be installed on desktops, laptops, and PDAs (personal digital assistants)
 Can be purchased or downloaded for free
 Can work on any type of network as long as the hardware and software support it, including wireless networks
 The small size of PDAs and palm-sized laptops lets a packet analyzer fit in a shirt pocket
How to Detect Packet Analyzers
 Packet analyzers only listen; they do not transmit data, which makes detection difficult
 Other applications on the sniffing machine may give it away: email, web browser, ARP (address resolution protocol), and especially DNS (domain name service) lookups when the analyzer resolves the addresses it captures
 A network administrator can 'trick' the analyzing host into replying
   ARP trick: send an ARP request for the suspect's IP address to a bogus destination MAC. A card in normal mode drops the frame in hardware; a card in promiscuous mode passes it up and the host answers
   DNS trick: send traffic to a made-up address and watch for a reverse DNS query about that address, which only a host that saw the traffic would make
   Neither trick is proof: some systems filter more strictly, so a silent host is not necessarily clean
 Specialized programs to detect network analyzers
   AntiSniff, CPM (check promiscuous mode), neped, sentinel, and ifstatus
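The following is an added example, not code from the original slides or from any of the tools they list. It implements two of the checks above: the remote ARP trick (a request for the suspect's IP addressed to a MAC no card should accept, followed by the logic that treats a reply as evidence of promiscuous mode) and the local IFF_PROMISC flag check that CPM and ifstatus perform. The MACs and addresses are made up, the frames are constructed so the demo runs offline, and the send_probe helper (Linux AF_PACKET, root required) is an assumption about how one would put the probe on the wire; the demo never calls it.

```python
"""Added example (not from the original slides): two of the detection tricks the slides
refer to, written against constructed frames so it runs offline.
1. Remote: an ARP request for the suspect's IP address sent to a bogus destination MAC.
   A network card in normal mode drops the frame in hardware because the MAC is not its
   own (and not broadcast); a card in promiscuous mode passes it up, and the kernel,
   which answers ARP by IP address, replies and gives the sniffer away. (Seen on common
   Linux stacks; some systems filter more strictly, so 'no reply' is not proof.)
2. Local: the IFF_PROMISC bit in an interface's flags, the check tools such as CPM and
   ifstatus perform. The /sys/class/net/<iface>/flags path is Linux-specific.
MACs and addresses below are made up; send_probe() needs root and is not used by demo()."""
import os
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
IFF_PROMISC = 0x100
BOGUS_DST_MAC = "ff:ff:ff:ff:ff:fe"   # one bit off broadcast: no real station owns it


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(map(int, s.split(".")))


def build_arp(op, dst_mac, src_mac, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header plus a 28-byte ARP body (Ethernet/IPv4)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac_bytes(sender_mac),
                      ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def build_probe(our_mac, our_ip, target_ip):
    """'Who has target_ip?' addressed to a MAC that only a promiscuous card will accept."""
    return build_arp(ARP_REQUEST, BOGUS_DST_MAC, our_mac, our_mac, our_ip,
                     "00:00:00:00:00:00", target_ip)


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": smac.hex(":"), "sender_ip": ".".join(map(str, sip)),
            "target_mac": tmac.hex(":"), "target_ip": ".".join(map(str, tip))}


def is_probe_answer(frame, probed_ip):
    """An ARP reply claiming probed_ip is exactly what a normal card could not have sent."""
    arp = parse_arp(frame)
    return arp is not None and arp["op"] == ARP_REPLY and arp["sender_ip"] == probed_ip


def classify(probed_ips, observed_frames):
    """Map each probed host to True (answered the bogus-MAC probe: promiscuous) or False."""
    return {ip: any(is_probe_answer(f, ip) for f in observed_frames) for ip in probed_ips}


def promisc_from_flags(flags_text):
    """flags_text is the hex content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def local_promisc_interfaces(sysfs="/sys/class/net"):
    """Local check, like CPM/ifstatus: which interfaces have IFF_PROMISC set right now."""
    found = []
    if not os.path.isdir(sysfs):
        return found
    for iface in os.listdir(sysfs):
        try:
            with open(os.path.join(sysfs, iface, "flags")) as fh:
                if promisc_from_flags(fh.read()):
                    found.append(iface)
        except OSError:
            pass
    return found


def send_probe(iface, frame):
    """Put the probe on the wire (Linux AF_PACKET, requires root). Not used by demo()."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


def demo():
    """Constructed scenario: .20 is sniffing and answers the probe, .21 stays silent."""
    us, us_ip = "00:11:22:33:44:55", "192.0.2.10"
    probes = [build_probe(us, us_ip, ip) for ip in ("192.0.2.20", "192.0.2.21")]
    observed = [build_arp(ARP_REPLY, us, "66:77:88:99:aa:bb", "66:77:88:99:aa:bb",
                          "192.0.2.20", us, us_ip)] + probes   # our own probes are seen too
    return classify(["192.0.2.20", "192.0.2.21"], observed)


if __name__ == "__main__":
    print(demo())
    print("local promiscuous interfaces:", local_promisc_interfaces())
```

On a live network the sequence is: send build_probe(...) for each address with send_probe, capture ARP traffic for a few seconds, and feed the captured frames to classify. A host that answers has to have accepted a frame its card was supposed to drop. The local check is the one to run on every server you own, because an attacker who has compromised a host and started a sniffer there will show up as an interface with IFF_PROMISC set.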
How to Protect Against Packet Analyzers
 Intrusion detection/prevention system
 When possible, restrict network access by hardware (MAC) address, for example with switch port security; note that a MAC address can be forged, so this raises the bar rather than closing the door
 Disable unused switch ports
 Disable port mirroring (SPAN) when not in use; a mirror port hands an analyzer a copy of everything crossing the switch
 Password protect networking devices (don't use default passwords, and change default SNMP community strings)
 Use operating systems that require administrator privileges to put a card in promiscuous mode, so ordinary users cannot run packet analyzers (Windows NT-based, Linux, or UNIX)
 Virus scanners to detect malicious packet analyzing software
 Encrypt what matters: an analyzer that captures only cipher text has captured nothing useful
End User Awareness
 Know what information is sensitive and how to make sure the method used to transmit it is secure
   Look at alternative methods of transmittal
     Example: use HTTPS, not HTTP, for online banking/shopping
     Example: use SSH instead of Telnet
 Know that network administrators may be using packet analyzers to monitor you
   Don't do anything you shouldn't at work!!!
Conclusion
 When computers communicate over networks, their communication is at risk of being intercepted and monitored by packet analyzers. A packet analyzer can capture sensitive data such as credit card numbers, usernames, or passwords. It is important to be protected against network intrusions, and to be aware of how secure one's network communication really is.
Questions