Do you really know what is going in and out of your network?
It’s Friday and I am just back from visiting a number of LANGuardian customers in the UK. As usual it amounted to a very interesting few days, with visits to public sector clients, a document management company and even an F1 team. The common use case which kept coming up was that IT managers within these organisations want to know what is going on within their networks. This is what is at the heart and soul of NetFort; we continue to develop LANGuardian so you can find out what users are doing on your network.
So why is this so important? Or, to put the question a better way: do you really know what is happening on your network? A good example of why this is important is the potential issue discovered this week where LG televisions were transmitting user data out of their home networks. While I was waiting in an airport I noticed my Twitter and RSS feeds filling up with information and comments on this story. It really got the security community going. We now live in the age of the Internet of Things; everything is getting connected to the Internet, from washing machines to fridges. It’s all become smart everything.
What is also interesting about the LG article is the means by which the issue was discovered: Wireshark was used to do deep packet inspection. Some vendors will suggest that SNMP or even flow tools (NetFlow, sFlow and others) will provide visibility on a network. In some cases they may provide an okay level of visibility, but in most they fall well short. This is because they don’t work out what applications are in use and they don’t look at packet payloads. I know IPFIX and NBAR are supposed to address these deficiencies, but you need really specialist equipment to work with these.
SPAN or mirror ports are available on all networks, so why not make use of them? You can use Wireshark or, better still, check out our LANGuardian software, which does the hard stuff for you. It will go through each packet and extract metadata so you can see users, application names and payload information. Wireshark is a fantastic tool, but because it works at such a low level of detail, the ‘bits and bytes’, it is sometimes hard to see the big picture. It helps to see activity first at a higher level: names, for example domains, URIs, files and users, a level of DPI that most people can use to understand exactly what is happening.
Back to the LG story. I have a Sony smart TV which is connected to the Internet. The online features are fantastic, great for watching YouTube and running other streaming apps. Earlier I switched it on while I was monitoring its traffic with my LANGuardian. I just left it running on one channel and did nothing else. Having read the article about the LG TV I got curious if my TV could be doing something similar. The screenshot below is from a forensics search where I focused in on the IP address of the television. Even without using any of its smart features it’s connecting to outside services. Most traffic is via HTTP but some is also sent encrypted by HTTPS.
Drilling down further reveals lots of connections to playstation.net. I did not spot anything sensitive, as was shown with the LG story, but I am going to keep a close eye on this just to make sure.
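The kind of drill-down described above, extracting destination names from payloads and filtering on one device's address, as an added Python example that is not LANGuardian code or part of the original post. It assumes packets captured from a SPAN port have already been decoded into (source IP, destination IP, destination port, payload) tuples; the addresses, hostnames and the ClientHello builder are constructed sample data, not traffic from the television in the post.

```python
import struct
from collections import Counter

def http_host(payload: bytes):
    """Host header of a plaintext HTTP request, or None if the payload is not one."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    hosts = [l.split(b":", 1)[1].strip() for l in lines[1:] if l.lower().startswith(b"host:")]
    return hosts[0].decode("ascii", "replace") if b" HTTP/" in lines[0] and hosts else None

def tls_sni(payload: bytes):
    """server_name (SNI) from a TLS ClientHello, or None; truncated records also yield None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:         # handshake record, ClientHello message
            return None
        pos = 44 + payload[43]                                # skip headers, version, random, session id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]  # cipher suites
        pos += 1 + payload[pos]                               # compression methods
        end, pos = pos + 2 + struct.unpack_from("!H", payload, pos)[0], pos + 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if etype == 0:                                    # server_name: list len(2) type(1) len(2) name
                n = struct.unpack_from("!H", payload, pos + 3)[0]
                return payload[pos + 5:pos + 5 + n].decode("ascii", "replace")
            pos += elen
        return None
    except (IndexError, struct.error):
        return None

def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2 ClientHello with one SNI extension; used only to construct sample traffic."""
    name = hostname.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\xc0\x2f\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def outbound_services(packets, device_ip):
    """Count (port, destination name) for traffic leaving device_ip; bare IP when no name is visible."""
    seen = Counter()
    for src, dst, dport, payload in packets:
        if src == device_ip:
            name = tls_sni(payload) if dport == 443 else http_host(payload)
            seen[(dport, name or dst)] += 1
    return seen

TV = "192.168.1.50"   # constructed sample: the television's address; every host and name below is made up
SAMPLE = [
    (TV, "203.0.113.10", 80, b"GET /update HTTP/1.1\r\nHost: update.example.net\r\nUser-Agent: tv\r\n\r\n"),
    (TV, "203.0.113.10", 80, b"GET /ads HTTP/1.1\r\nHost: update.example.net\r\n\r\n"),
    (TV, "203.0.113.20", 443, build_client_hello("telemetry.example.net")),
    (TV, "203.0.113.30", 443, b"\x16\x03\x01\x00\x05trunc"),                # truncated ClientHello
    ("192.168.1.20", "198.51.100.5", 443, build_client_hello("laptop.example.org")),
]
for (port, name), n in sorted(outbound_services(SAMPLE, TV).items()):
    print(f"{TV} -> {name}:{port} ({n} connection(s))")
```

The unrelated laptop is filtered out, and the truncated TLS record falls back to the bare destination IP rather than being dropped, so a device talking to a host whose name cannot be read still shows up in the list.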
What all this shows is that if you really want to find out what is going in and out of your network, you need deep packet inspection.