NETWORK SECURITY
December 2006
Communications News
Use network analyzers for virus and hack security
Devices augment other security solutions and provide reporting and alerting functions.
by Charles Thompson
Organizations are faced with a myriad of threats on a daily basis. While firewalls and
other security tools provide comprehensive protection, they are not
foolproof. Hackers everywhere invest countless hours in their efforts to
stay ahead of patches and security updates. According to one recent security
report covering the first six months of 2006, enterprise vendors take an
average of 31 days to patch a recognized vulnerability. Developing code to
exploit the vulnerability takes only three days, on average. This leaves a
28-day window of exposure.
The report also states an average of 6,110
denial-of-service (DoS) attacks per day occurred during that six-month time
frame. DoS attacks are generally carried out by a wide variety of attackers,
from amateurs who simply download a freely available tool, to owners of
highly organized bot networks, whose primary purpose is to carry out
coordinated attacks.
To prevent these
attacks from doing harm, organizations need additional tools to identify and
remedy security breaches as they occur. A network analyzer can detect both
known and unknown attacks and can make an organization’s cleanup process
more efficient.
Protocol analyzers reveal what is happening on a network by decoding the
different protocols that devices on the network use to communicate, and
present the results in readable form. Most mature analyzers also include
some statistical reporting functionality. These abilities provide useful
daily troubleshooting.
Antivirus and intrusion-detection systems are designed to prevent the
infestation of known viruses and attacks. Hackers and “script kiddies,”
however, have the same access to all the threat bulletins and Windows
patches that organizations have. They are always looking for new
vulnerabilities, investing time and energy into finding holes that have not
yet been patched, or searching for systems that have not downloaded patches
as soon as they became available. In short, firewalls and operating systems
might not get a patch until the damage is already done.
In addition, imported disks, deliberate employee actions and visitors using
infected laptops to link to a network create other unanticipated weak spots
in security systems that perimeter defenses alone cannot address. A good
network analyzer can both help detect when breaches have already occurred
and make the cleanup/recovery less painful once a breach has been
identified.
Because viruses and hacker attacks typically generate a recognizable pattern
or “signature” of packets, a network analyzer can identify that signature.
While most analyzers let administrators set alarms to be triggered when a
particular pattern is seen, some analyzers can also be programmed to send an
e-mail or page when these conditions are met. This is particularly effective
because viruses and worms are generally created to produce unusual levels of
network traffic.
When a network generates a high frequency of broadcast packets or specific
servers generate an unusual number of packets, a network analyzer can also
log the traffic in its longer-term record, allowing the administrator to
follow up on suspicious traffic patterns.
An analyzer can also help
identify inappropriate traffic, which may represent potential weaknesses or
leave networks open to attack. This would vary with the particular network
or corporate policy, but it could include automatic notification of traffic
such as Microsoft network, network news transfer protocol or outbound
telnet.
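The three kinds of alarm described above (a broadcast storm, a server suddenly emitting far more packets than usual, and policy traffic such as outbound telnet or NNTP) can be expressed as simple checks over flow records. The following is an added example written for this page, not code from the article or from Network Instruments; the record format (second, source, destination, destination port, packet count), the 10.0.x.x internal range, the port-to-label mapping and the thresholds are all assumptions, and the sample flows are constructed. Each host is compared against its own median packet rate, so a normally chatty server is flagged only for a sudden change, not for being busy.

```python
"""Analyzer-style alarms over constructed flow records.
Added example, not the article's or Network Instruments' code; record format,
address range and thresholds are assumptions."""
from collections import defaultdict
from statistics import median

BROADCAST = "255.255.255.255"
INTERNAL_PREFIX = "10.0."          # assumed corporate address range

# Traffic the article lists as candidates for automatic notification, keyed by
# destination port (assumed port mapping; adjust to local policy).
WATCHED_PORTS = {
    23: "outbound telnet",
    119: "network news transfer protocol",
    139: "Microsoft network (NetBIOS session)",
    445: "Microsoft network (SMB)",
}


def build_sample_flows():
    """Constructed flows: (second, src_ip, dst_ip, dst_port, packet_count)."""
    flows = []
    for t in range(6):
        flows.append((t, "10.0.0.5", "10.0.0.7", 445, 400 if t == 5 else 20))  # file server, bursts at t=5
        flows.append((t, "10.0.0.7", "203.0.113.20", 443, 5))                  # ordinary HTTPS
        flows.append((t, "10.0.0.9", BROADCAST, 137, 80 if t == 3 else 3))      # name queries, storm at t=3
    flows.append((2, "10.0.0.7", "203.0.113.10", 23, 2))                        # telnet leaving the network
    return flows


def is_external(ip):
    return ip != BROADCAST and not ip.startswith(INTERNAL_PREFIX)


def broadcast_storms(flows, pps_threshold=50):
    """One-second windows whose broadcast packet count exceeds the threshold."""
    per_window = defaultdict(int)
    for t, _src, dst, _port, pkts in flows:
        if dst == BROADCAST:
            per_window[t] += pkts
    return sorted((t, n) for t, n in per_window.items() if n > pps_threshold)


def host_anomalies(flows, factor=10, min_packets=100):
    """Hosts whose packet count in a window jumps far above their own median.
    The absolute floor keeps quiet hosts from alarming on small spikes."""
    counts = defaultdict(lambda: defaultdict(int))   # host -> window -> packets
    for t, src, _dst, _port, pkts in flows:
        counts[src][t] += pkts
    alarms = []
    for host, windows in counts.items():
        baseline = median(windows.values())
        for t, n in sorted(windows.items()):
            if n >= min_packets and n >= factor * baseline:
                alarms.append((host, t, n, baseline))
    return sorted(alarms)


def policy_violations(flows):
    """Internal hosts talking to external addresses on a watched port."""
    hits = []
    for t, src, dst, port, _pkts in flows:
        if src.startswith(INTERNAL_PREFIX) and is_external(dst) and port in WATCHED_PORTS:
            hits.append((t, src, dst, port, WATCHED_PORTS[port]))
    return sorted(hits)


def run_alarms(flows):
    """Every alarm as one readable line, the text an analyzer would e-mail or page."""
    lines = []
    for t, n in broadcast_storms(flows):
        lines.append(f"t={t}s broadcast storm: {n} broadcast packets in one second")
    for host, t, n, base in host_anomalies(flows):
        lines.append(f"t={t}s {host} sent {n} packets (baseline {base:g}/s)")
    for t, src, dst, port, label in policy_violations(flows):
        lines.append(f"t={t}s policy: {src} -> {dst}:{port} ({label})")
    return lines


if __name__ == "__main__":
    for line in run_alarms(build_sample_flows()):
        print(line)
```

Run as-is it reports three alarms on the constructed data: the broadcast storm at second 3, the file server's burst at second 5, and the telnet session leaving the network at second 2; the HTTPS traffic and the server's normal 20 packets per second produce nothing. Feeding it real records would mean replacing build_sample_flows with a reader for the analyzer's export format.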
To be useful as a
corporate security tool, the analyzer should be “distributed” so that it
covers all the areas of the network. It should also be able to capture and
decode all protocols from all media (e.g., Ethernet, WAN, 802.11) on which
corporate data flows.
Inconvenience for a few users and disaster for an entire company are
separated by how quickly an administrator can respond to a breach. First,
administrators need to look for an analyzer that can be configured to e-mail
or page them when the virus or hacker attack is sensed. Second, they need to
use that analyzer to its fullest potential and not only to solve day-to-day
troubleshooting. Configuring the analyzer to watch for suspicious network
behavior and using it to discover the source of the anomaly will improve
response time and efficiency.
Firewalls, antivirus software or
intrusion-detection systems are more effective when combined with a network
analyzer. Used in tandem, security software and a network analyzer provide
for almost any eventuality. When the other defenses have failed, a good
analyzer alerts the administrator and provides the resources necessary to
identify, isolate and clean up compromised machines.
Charles Thompson is senior systems engineer for Network Instruments,
Minneapolis.
For more information:
www.rsleads.com/612cn-263