Network Traffic Monitoring

In order to be fully effective, network traffic monitoring software should keep a close eye on not only what is happening within your network, but what is happening on the perimeter of your network as well. In order to give network managers complete visibility over this area of activity, network traffic monitoring software must have deep packet inspection to identify the content of network packets originating from public IP addresses and subnets.

Network traffic monitoring software with this depth of visibility has many practical uses within the network as well. It can be used to troubleshoot network issues, conserve bandwidth, identify threats to the security of the network and enforce acceptable use policies. The monitoring can be done in real time or historically, when real-time analysis is insufficient to identify trends or to investigate time-sensitive issues after certain network events occur.

LANGuardian is a leader in network traffic monitoring software. It is quick to install, easy to maintain, versatile and fully effective at monitoring the traffic on and around the perimeter of your network. To find out more about LANGuardian, read our network traffic monitoring blog posts, contact us with any questions you have, or download a trial of LANGuardian today to evaluate our network traffic monitoring software free of charge in your own environment for thirty days.

How to detect SMBv1 scanning and SMBv1 established connections

Detect SMBv1 Scanning and SMBv1 active or established connections

Detect SMBv1 scanning and active or established connections

Detecting SMBv1 activity is a subject we have covered previously. It has been used as an attack vector for Ransomware and Cryptocurrency Mining. Microsoft has advised all customers to stop using SMBv1. SMBv2 was introduced with Windows Vista in 2006 and the latest version is SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016. At a minimum, you should make sure that all Windows systems on your network have the MS17-010 patch applied.

One of the easiest ways to detect SMBv1 activity on your network is to monitor network traffic going to and from your file servers. You can do this by setting up a SPAN, mirror port or use a network TAP. This will give you a copy of all activity going to and from the servers.

Once you have your data source which is sometimes referred to as wire data, you can use a network traffic analysis application like our own LANGuardian to extract the file and folder information from the network packets.

SMBv1 scanning vs established connections

There are two types of SMBv1 activity to watch out for: clients which are trying to use SMBv1, and clients which are successfully connecting to servers using the SMBv1 protocol. The latter is more serious, as it means you actually have servers on your network supporting and using SMBv1. Microsoft recommends immediately removing this old and vulnerable file sharing protocol from all networks. The recent WannaCry and Petya ransomware attacks, for example, used the same SMBv1 exploit to replicate through networks.

  1. SMBv1 connection attempts or SMBv1 scanning. This is where a client sends an SMB request to a server and the version flag is set to v1. The server may or may not accept the connection request.
  2. SMBv1 connections. This is where a client and server have established a connection using SMBv1. You need to root out these first. At a minimum make sure the client and server are fully patched.

The video below shows an example of what to look out for once you get network traffic monitoring in place. A trial version of LANGuardian can be used to perform a quick audit if you do not have something in place already.

Video: Detect SMBv1 scanning & established connections

Why use network traffic as a data source to detect SMBv1?

By monitoring network traffic on your network you can get visibility of file and folder activity without the need for agents or log files. Agents can be difficult to deploy and scale and they become one other thing to update and manage. Log files do not always have the answer as they only report about local server issues.

Wire data which can be extracted from network traffic is instant and way more flexible than log data. This wire data can provide an audit trail of all network-based file and folder activity. Capture information such as:

  • List of IP addresses and host names which connect to network shares
  • Associated usernames so you know who did what
  • See how much bandwidth is associated with users accessing files and folders
  • Build an inventory of actions such as delete, read or rename including date stamp

Report on Traffic Between a Certain Source IP and Destination IP Address

Get traffic between a certain source IP and dest IP along with the time of the connections

Reporting on traffic between network devices

Recently one of our customers got in contact with this simple query.

I am looking to find out if it’s possible to get traffic between a certain source IP and destination IP along with the time of the connections.

They needed a historical report, so there was no point in launching a tool like Wireshark as it would not report on the historical activity. As they have LANGuardian installed they have 24/7 visibility throughout their network. By utilizing a SPAN, mirror port or network TAP at strategic locations you can monitor network traffic and spot abnormal behavioral patterns as they occur. But, critically for this use case, LANGuardian retains rich network traffic metadata very cost effectively for long periods.

Network traffic reports

The image below shows a sample output from a LANGuardian IP search. Click on the image to access our demo where you can drill down on sample data. The element (1) shows the traffic between a certain source IP and destination IP, which is what the customer was looking for. LANGuardian also shows what applications (2) were in use by this network device and suspicious events (3) triggered by the IP. In this case we can see that there was a malware infection as well as some BitTorrent activity.

IP Search results

The image below shows the exact level of detail that the customer was looking for. We can see the traffic between a certain source IP and destination IP along with the time of the connections. The logged-in user can also be shown, as LANGuardian can integrate with Active Directory to capture usernames. Country flags are shown, which is useful for forensics; this is made possible by matching IP addresses against a GeoIP database.

For this incident the customer wanted to look back 3 months. This is easy to select in LANGuardian by picking a specific time range from within the reports.

IP flow time selection from within reports
IP flows between IP addresses

Other uses for network traffic analysis

Network traffic analysis was traditionally seen as an operational tool, something used to report bandwidth usage on WAN and Internet links. However, it is an excellent data source for network security use cases including:

  • Internal and east-west traffic analysis
  • Ransomware detection
  • Automated threat hunting
  • Passive detection of weak ciphers and vulnerable SSL certificates
  • Report on insecure protocol use such as FTP and Telnet
  • Root out network devices scanning your internal networks

By monitoring network traffic on your network you can get visibility as to what is happening without the need for agents or log files. Agents can be difficult to deploy and scale and they become one other thing to update and manage. Log files do not always have the answer as they only report about local server issues. Wire data, which can be extracted from network traffic, is instant and far more flexible than log data. It can provide high-fidelity user and application evidence to enhance your evolving security operations center (SOC).

The easiest way to root out SMBV1 on an Enterprise network

Root out SMBV1 from network

Just over 2 weeks ago, we received an inquiry from a large US multinational in the financial sector. They had a very specific requirement: ‘we want to know how much SMBv1 is still in use on our network and start the cleanup’. They had tried just turning it off and waiting to see who complained, but the calls came and that approach didn’t work. So basically, they want to get a list of all file share servers accepting SMBV1 connection requests and ‘root it out’.

Makes sense: it is an old, vulnerable protocol and recent attacks like WannaCry have demonstrated that it is common sense to ensure it is not in use. It is also critical to prepare and get as much visibility as possible into the servers still supporting it, and the clients using or depending on it, before just disabling it and potentially having a serious impact on the business.

This organisation has a large and complex network, over 50k users and 12 data centres. As they have also acquired several other companies in their space which is not unusual, the network, software and applications are complex and diverse. Making any global change, even a simple upgrade across such a complex network of this size is not a trivial task, and of course, if it is not broken, still supporting the business, why risk it?

We arranged a webex and our demo focussed on this very specific use case. Every device, user and application on the network automatically leaves a trail, a traffic trail. There is no need to turn it ON, to enable logging or install a client. If they are active on the network they leave a trail. LANGuardian ‘sniffs’ this trail, usually via a tap, SPAN or port mirror and using its deep packet inspection engine, extracts application specific metadata for the most critical applications. It also enriches the metadata with usernames extracted using WMI from the logs of the domain controllers. We support a number of ‘critical’ applications, web, SQL, SMTP, BitTorrent, DNS, DHCP and SMB. With SMB, for example, we extract information such as the client and server IP address, file and folder names and action.

One of the advantages of capturing data ‘off the wire’ is that one has the flexibility to select the specific details to look out for, store and report on demand. The initial SMB client-server negotiation, for example, includes the actual version the client requests and is looking for the server to support and communicate over. So, in the case of SMBV1 the client sends an SMBV1 connection attempt and then, if the server supports it, it sends back an SMBV1 connection established. Luckily for us, we supported analysis down to this level, and could instantly show during the demo all clients on the network initiating an SMBV1 connection request and the servers responding:

Network user SMBv1 actions

Using our report filters to query the database, one can get very specific and list only the servers on any part of the network responding to SMB1 connection requests with success and establishing a SMBV1 connection:

An example of SMBv1 connections on a network
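The negotiation described in the numbered list in the first SMBv1 post above and again in this post (an SMBv1 connection attempt is a client Negotiate request carrying SMBv1 dialects; an established SMBv1 connection is the server's Negotiate response accepting one of them) can be reconstructed from the raw TCP payloads. The following Python is an added example, not LANGuardian code or anything from NetFort: it builds constructed SMB frames, classifies each side of the exchange and labels the pair as an attempt, an established SMBv1 connection, a rejection or an upgrade to SMB2. The NetBIOS session header, the SMB1 header layout and the Negotiate command number follow the SMB1 protocol documentation; the frame builders, sample dialect strings and result labels are assumptions made for the demonstration.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72      # SMB1 command code for Negotiate
FLAGS_REPLY = 0x80            # reply bit in the SMB1 Flags byte (header offset 9)


def parse_smb_negotiate(payload):
    """Classify one TCP payload (4-byte NetBIOS session header + SMB message).

    Returns a dict describing the Negotiate request/response, or None when
    the payload is not part of an SMB negotiation.
    """
    if len(payload) < 4 + 32:
        return None
    body = payload[4:]                      # strip the NetBIOS session service header
    if body[:4] == SMB2_MAGIC:
        # Server answered with an SMB2 header: the client offered an SMB2
        # dialect and the server took it, so no SMBv1 session results.
        return {"kind": "smb2_negotiate_response"}
    if body[:4] != SMB1_MAGIC or body[4] != SMB_COM_NEGOTIATE:
        return None
    is_reply = bool(body[9] & FLAGS_REPLY)
    params = body[32:]                      # WordCount, words, ByteCount, bytes
    if len(params) < 3:
        return None
    if not is_reply:
        # Request: WordCount=0, ByteCount, then dialects as 0x02 + name + NUL
        byte_count = struct.unpack_from("<H", params, 1)[0]
        raw = params[3:3 + byte_count]
        dialects = [d[1:].decode("ascii") for d in raw.split(b"\x00")
                    if d.startswith(b"\x02")]
        return {"kind": "smb1_negotiate_request", "dialects": dialects}
    # Response: the first word is DialectIndex; 0xFFFF means no dialect accepted
    dialect_index = struct.unpack_from("<H", params, 1)[0]
    return {"kind": "smb1_negotiate_response",
            "accepted": dialect_index != 0xFFFF,
            "dialect_index": dialect_index}


def classify_exchange(request, response):
    """Pair a client request with the server's answer (None if none was seen)."""
    req = parse_smb_negotiate(request)
    if not req or req["kind"] != "smb1_negotiate_request":
        return "not_smb1_negotiate"
    resp = parse_smb_negotiate(response) if response else None
    if resp is None:
        return "smbv1_attempt"              # scanning / unanswered request
    if resp["kind"] == "smb2_negotiate_response":
        return "smbv1_attempt_upgraded_to_smb2"
    if resp["accepted"] and resp["dialect_index"] < len(req["dialects"]):
        return "smbv1_established:" + req["dialects"][resp["dialect_index"]]
    return "smbv1_attempt_rejected"


# --- constructed frames for the demonstration (not captured traffic) ---------
def _nbss(smb):
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _smb1_header(command, flags):
    # Protocol(4) Command(1) Status(4) Flags(1) then the remaining 22 header bytes
    return SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22


def build_negotiate_request(dialects):
    raw = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nbss(_smb1_header(SMB_COM_NEGOTIATE, 0x00)
                 + b"\x00" + struct.pack("<H", len(raw)) + raw)


def build_negotiate_response(dialect_index):
    if dialect_index == 0xFFFF:             # rejection: WordCount=1
        words = b"\x01" + struct.pack("<H", 0xFFFF)
    else:                                   # NT LM 0.12 style reply: WordCount=17
        words = b"\x11" + struct.pack("<H", dialect_index) + b"\x00" * 32
    return _nbss(_smb1_header(SMB_COM_NEGOTIATE, FLAGS_REPLY) + words + b"\x00\x00")


SMB2_RESPONSE = _nbss(SMB2_MAGIC + b"\x00" * 60)   # 64-byte SMB2 header, zeroed


if __name__ == "__main__":
    req = build_negotiate_request(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"])
    for label, resp in [("answered", build_negotiate_response(1)),
                        ("rejected", build_negotiate_response(0xFFFF)),
                        ("smb2", SMB2_RESPONSE), ("silent", None)]:
        print(label, "->", classify_exchange(req, resp))
```

The request and response have to be correlated per TCP connection (same client/server pair and ports); a request that is never answered is exactly the "scanning" case in the list above, and a server whose answer is an SMB1 Negotiate response with a valid dialect index is the one to fix first.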

All good so far: this covers the use case required and we have the level of granular detail. The final and most critical step is implementation, critical for such a large network. The system is very easy to use and requires minimum training, so we are good there. LANGuardian can be downloaded and deployed on standard server hardware, VMware or Hyper-V. The download, installation and configuration on the physical or virtual device requires less than 30 minutes, not bad.

The final and crucial step, especially for the network of this size and complexity is sensor placement, how do I see the ‘SMB traffic trail’ or all traffic to and from all file share servers on the network with the minimum number of sensors? Are all the servers in one VLAN and can I just mirror that VLAN for example? Or can I approach it from the client perspective and mirror the point or points in that data centre all clients connect in from? Where are all my file shares? I need to see all traffic to/from all file share servers in order to extract the SMB version information required.

To be investigated….to be continued.

How to Detect Cryptocurrency Mining Activity on Your Network

Detect cryptocurrency mining on your network using network traffic analysis

What is Cryptocurrency Mining?

Bitcoin or Cryptocurrency mining is the process by which Cryptocurrency transactions are verified and added to the public ledger, known as the block chain, and also the means through which new bitcoin are released. Anyone with access to the internet and suitable hardware can participate in mining.

The mining process involves compiling recent transactions into blocks and trying to solve a computationally difficult puzzle. The participant who first solves the puzzle gets to place the next block on the block chain and claim the rewards. The rewards, which incentivize mining, are both the transaction fees associated with the transactions compiled in the block as well as newly released bitcoin.

Cryptocurrency mining is painstaking, expensive, and only sporadically rewarding. Mining is competitive and today can only be done profitably with the latest ASICs. When using CPUs, GPUs, or even the older ASICs, the cost of energy consumption is greater than the revenue generated.

Aside from using specialized hardware, the most common way to mine cryptocurrency on standard hardware is to install crypto mining client software and leave it running in the background. Cyber criminals can also use your computer to mine cryptocurrencies by hosting a cryptocurrency mining hijacker on websites. If you visit the site without adequate virus protection, your browser and CPU will be hijacked by the website operators.

What are the risks associated with Cryptocurrency Mining?

Only those with specialized, high-powered machinery are able to profitably extract bitcoins nowadays. While mining is still technically possible for anyone, those with under-powered setups will find more money is spent on electricity than is generated through mining. If you have clients on your network running crypto mining software then it is costing your business money.

Many cyber criminals now favor anonymous cryptocurrencies, with Monero being the most prominent. These cryptocurrencies are popular as they are secure, private and difficult to trace. Servers are often targeted and, since many of them are not updated or patched on a regular basis, attackers have a bigger chance of success.

Recently more than 526,000 Windows hosts, mostly Windows servers, have been infected by a Monero miner known as Smominru, according to researchers at Proofpoint. It spreads using the EternalBlue exploit (CVE-2017-0144) which targeted the SMBv1 protocol.

Cryptocurrency mining malware like this covertly mines for coins using the victim’s GPU horsepower without them knowing about it. It has potential for longer-term gains. When a computer is infected many people will fail to notice fans spinning up, or computers under higher load or just plain old not responding. A lot of those people may just pass it off as “one of those things my computer does.”

How to detect Cryptocurrency mining activity on your network

When it comes to detecting Cryptocurrency mining, you need to be looking at multiple data sources.

  1. Analysis of all DNS client traffic
  2. Use IDS (Intrusion detection software) to detect specific text strings/patterns in network packets
  3. Monitor all IRC communications on your network

DNS query logs can be very useful when it comes to detecting suspicious activity or for use in follow up forensics. Searching DNS queries for text strings like bitcoin or crypto can be used to identify clients running crypto mining software. You can get DNS query information from DNS server logs or if you monitor network traffic going to and from your DNS servers.

Intrusion detection software typically uses pattern matching techniques to spot suspicious activity on a network. Applications such as Snort can be used to detect Crypto mining activity. You just need to make sure you install a well maintained IDS signature set such as those provided by EmergingThreats.

Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in the form of text. Some crypto miners use IRC, and they can be detected if they try to use IRC on a non-standard port; IRC typically uses TCP port 6667.
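The first and third data sources in the list above (DNS queries searched for strings such as coin or crypto, and IRC recognised by its content rather than by its port) can be shown in a few dozen lines of Python. The block below is an added example, not LANGuardian's own logic: it parses the question name out of raw DNS query messages, matches it against a constructed keyword watchlist, and recognises IRC by its command verbs so that a session on a port other than 6667 is flagged. The sample queries and flows are constructed for the demonstration, the keyword list is an assumption to be tuned per environment, and the hostnames use reserved example names.

```python
import struct

# Constructed watchlist; short words such as "pool" will also match benign
# names, so treat a hit as a lead for investigation rather than proof.
CRYPTO_KEYWORDS = ("coin", "crypto", "xmr", "pool")
IRC_COMMANDS = (b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ", b"PASS ", b"PING ")
IRC_STANDARD_PORT = 6667


def parse_dns_qname(message):
    """Return the first question name of a DNS message (lower-cased), or None."""
    if len(message) < 12:
        return None
    qdcount = struct.unpack_from("!H", message, 4)[0]
    if qdcount == 0:
        return None
    pos, labels = 12, []
    while pos < len(message):
        length = message[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:            # compression pointer: not valid in a query name
            return None
        labels.append(message[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower() if labels else None


def dns_keyword_hits(packets):
    """packets: iterable of (client_ip, udp_payload). Returns [(client_ip, name)]."""
    hits = []
    for client, payload in packets:
        name = parse_dns_qname(payload)
        if name and any(word in name for word in CRYPTO_KEYWORDS):
            hits.append((client, name))
    return hits


def looks_like_irc(payload):
    """IRC is line oriented: the first line of a client message starts with a verb."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(IRC_COMMANDS)


def irc_on_nonstandard_port(flows):
    """flows: iterable of (client_ip, server_ip, server_port, first_payload)."""
    return [(client, server, port) for client, server, port, payload in flows
            if port != IRC_STANDARD_PORT and looks_like_irc(payload)]


# --- constructed sample data (not captured traffic) -------------------------
def build_dns_query(name, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # standard query, RD set
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN


SAMPLE_DNS = [
    ("10.0.0.5", build_dns_query("xmr-pool.example.net")),
    ("10.0.0.6", build_dns_query("www.example.com")),
    ("10.0.0.5", build_dns_query("bitcoin-stats.example.org")),
]

SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", 8080, b"NICK miner01\r\nUSER miner01 0 * :x\r\n"),
    ("10.0.0.7", "203.0.113.10", 6667, b"NICK bob\r\n"),            # IRC on its usual port
    ("10.0.0.7", "203.0.113.11", 8080, b"GET / HTTP/1.1\r\n\r\n"),  # plain HTTP
]


def run_dns():
    return dns_keyword_hits(SAMPLE_DNS)


def run_irc():
    return irc_on_nonstandard_port(SAMPLE_FLOWS)


if __name__ == "__main__":
    print("DNS hits:", run_dns())
    print("IRC on non-standard ports:", run_irc())
```

Both checks are content based: the DNS parser reads the wire format of the query rather than a server log, so it works on a SPAN of the DNS server traffic, and the IRC check ignores the port entirely and only then compares the port against 6667.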

Using LANGuardian to detect Cryptocurrency mining activity

Our own LANGuardian product uses a combination of network traffic analysis and IDS to provide visibility, context and alerts as to what is happening on a network. The following set of screen shots show how LANGuardian can be used to detect Crypto mining activity on a network. The primary data source would be a SPAN or mirror port which is monitoring all traffic going to or from the Internet. It is also advisable to monitor network traffic going to and from your DNS servers as this can also be used to detect Crypto mining activity. The video below shows how to use LANGuardian to detect Cryptocurrency mining on a network.

The following image shows the output of a LANGuardian Network Events report which shows crypto mining activity. The first event is associated with a Windows-based (W32) crypto mining client. The second event is associated with a client visiting a compromised website that is hosting a cryptocurrency mining hijacker. The third event in the report is reporting that something is using IRC on a non-standard port. This may not be associated with crypto mining but it is worth investigating.

Cryptocurrency mining IDS Snort events

The next image shows what IP addresses are associated with this activity. LANGuardian also includes an Active Directory module so you can drill-down to see what users are associated with this activity. In this example we can see that the Crypto mining is associated with a single client within the network and it is communicating with external systems hosted in the Netherlands and France.

IDS Drilldown

Next we take a look at the DNS activity associated with this client. If we filter on any domains containing the word coin we find that this client is also looking up numerous Bitcoin related sites. You can configure alerts on LANGuardian if you want to be notified about this activity. Alerts can be delivered as an email or as SYSLOG which can be then used to block the client via a firewall or NAC device.

DNS lookups associated with Crypto Mining activity

As I mentioned previously, you need to continuously monitor network traffic to have a reliable way to detect Crypto mining activity on your network. You can quickly get a data source in place by setting up a SPAN or mirror port to get a copy of all network traffic going to or from your Internet gateway. Once this is in place you can extend the monitoring to include traffic associated with your DNS servers. The video below goes through the process of getting network traffic monitoring in place.

How to monitor Internet traffic using a SPAN or mirror port

Find out if there is any Crypto mining activity on your network with LANGuardian. 30 day trial

Use the deep packet inspection engine of LANGuardian to report on Cryptocurrency mining use on your network. Real time and historical reports available. No need to install any agents or client software.

  • Captures web traffic via SPAN\Mirror port or TAP.
  • Integration with Active Directory so you can see who is doing what on your network.
  • Passive monitoring so no proxy, agents or client software required.
  • Supports monitoring of direct and proxy based web traffic.
  • Built in IDS based on Snort. IDS rule-sets are automatically updated hourly
  • GeoIP matching allows you to see the countries websites or clients are located in.

All analysis is done passively using network traffic analysis and you will see results within minutes.

How to detect devices on your network running telnet services

Detecting Telnet Enabled Devices

Telnet. One of the oldest network protocols

Telnet is a protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. Telnet was developed in 1969 and it is still widely used today for configuring network devices.

Telnet typically uses Transmission Control Protocol (TCP) port 23, but traffic can be directed to a wide range of TCP ports such as 80, 8080, etc. This is important when it comes to detecting Telnet on your network: you cannot just go off looking for devices which are listening on TCP port 23.

Why worry about Telnet?

Because Telnet is an unencrypted protocol, session traffic will reveal command line interface (CLI) command sequences appropriate for the make and model of the device. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files and creation or destruction of GRE tunnels, etc…

A recent cyber briefing from the UK based National Cyber Security Centre (NCSC) recommends that you check your network for any devices running unencrypted management protocols such as:

  • Telnet
  • Hypertext Transport Protocol (HTTP, port 80)
  • Simple Network Management Protocol (SNMP, ports 161/162)
  • Cisco Smart Install (SMI port 4786)

If these services are in use the NCSC recommends the following:

  • Do not allow unencrypted (i.e. plaintext) management protocols (e.g. Telnet) to enter an organisation from the Internet. When encrypted protocols such as SSH, HTTPS, or TLS are not possible, management activities from outside the organisation should be done through an encrypted Virtual Private Network (VPN) where both ends are mutually authenticated.
  • Do not allow Internet access to the management interface of any network device. The best practice is to block Internet-sourced access to the device management interface and restrict device management to an internal trusted and whitelisted host or LAN. If access to the management interface cannot be restricted to an internal trusted network, restrict remote management access via encrypted VPN capability where both ends are mutually authenticated. Whitelist the network or host from which the VPN connection is allowed, and deny all others.
  • Disable legacy unencrypted protocols such as Telnet and SNMPv1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMPv3. Harden the encrypted protocols based on current best security practice. The NCSC and Department of Homeland Security (DHS) strongly advise owners and operators to retire and replace legacy devices that cannot be configured to use SNMP V3.
  • Immediately change default passwords and enforce a strong password policy. Do not reuse the same password across multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication, and implement two-factor authentication based on public-private keys.

Using network traffic analysis to detect Telnet activity

As I mentioned previously, Telnet normally runs over TCP port 23. However, you can configure Telnet to run over any port and so you cannot just watch out for network traffic running on TCP port 23. You must be able to monitor all traffic and pick out the Telnet traffic by using some form of application detection.

Wireshark is one of the most popular traffic analysis tools and has the capability to detect Telnet traffic, as it has access to packet payloads which can be used for application identification. Flow-based tools (NetFlow, sFlow) are not suitable for detecting Telnet activity as they are not application aware. Wireshark is fine for low network traffic volumes or if you have a PCAP file that you want to analyze.

If you want to get continuous monitoring in place then you need to look at setting up a data source such as a SPAN, mirror port or network TAP. Once you have a data source you need a commercial network traffic analysis system in place like our own LANGuardian. It has an application recognition engine which can report on any Telnet activity no matter what port it is running over.
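The point made above, that Telnet has to be picked out by application detection rather than by port, can be demonstrated on raw payloads: a Telnet server normally opens with option negotiation (IAC DO/WILL sequences as defined in RFC 854), and that is recognisable on any port. The Python below is an added example and is not LANGuardian's CBAR engine: it decodes the negotiation at the start of a server's first payload, builds an inventory of (server, port) pairs that speak Telnet, and marks pairs not in a known list as new, the kind of alert on a newly active server port this post mentions further down. The option numbers are the standard Telnet option assignments; the sample flows, addresses and known-port list are constructed for the demonstration.

```python
IAC, SE, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# Standard Telnet option numbers (subset)
OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
           31: "NAWS", 32: "TERMINAL-SPEED", 34: "LINEMODE",
           35: "X-DISPLAY-LOCATION", 39: "NEW-ENVIRON"}


def telnet_negotiations(payload):
    """Decode the run of IAC negotiations at the start of a payload.

    Returns a list of (verb, option) tuples; empty if the payload does not
    open with Telnet option negotiation.
    """
    found, pos = [], 0
    while pos + 2 < len(payload) and payload[pos] == IAC:
        command = payload[pos + 1]
        option = OPTIONS.get(payload[pos + 2], str(payload[pos + 2]))
        if command in VERBS:
            found.append((VERBS[command], option))
            pos += 3
        elif command == SB:                           # sub-negotiation up to IAC SE
            end = payload.find(bytes([IAC, SE]), pos + 2)
            if end < 0:
                break
            found.append(("SB", option))
            pos = end + 2
        else:
            break
    return found


def is_telnet(payload):
    return len(telnet_negotiations(payload)) > 0


def audit_telnet(flows, known_ports):
    """flows: iterable of (client_ip, server_ip, server_port, server_first_payload).

    Returns one record per (server, port) that speaks Telnet, whatever the
    port number, with 'new' set when the pair is not in known_ports.
    """
    servers = {}
    for _client, server, port, payload in flows:
        negotiations = telnet_negotiations(payload)
        if not negotiations:
            continue
        servers.setdefault((server, port), set()).update(opt for _, opt in negotiations)
    return [{"server": ip, "port": port, "options": sorted(opts),
             "new": (ip, port) not in known_ports}
            for (ip, port), opts in sorted(servers.items())]


# --- constructed sample flows (not captured traffic) -------------------------
SAMPLE_FLOWS = [
    # classic Telnet banner negotiation on port 23
    ("10.1.1.50", "10.1.1.20", 23, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),
    # the same server also answering Telnet on 8080
    ("10.1.1.51", "10.1.1.20", 8080, b"\xff\xfb\x01\xff\xfb\x03login: "),
    # a web server on the same port number: not Telnet
    ("10.1.1.52", "10.1.1.30", 8080, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]
KNOWN_TELNET_PORTS = {("10.1.1.20", 23)}


def run_audit():
    return audit_telnet(SAMPLE_FLOWS, KNOWN_TELNET_PORTS)


if __name__ == "__main__":
    for record in run_audit():
        flag = "NEW " if record["new"] else ""
        print(f"{flag}{record['server']}:{record['port']} telnet options {record['options']}")
```

Looking only at the server's first payload keeps the check cheap; a fuller classifier would also accept a client that starts negotiating first, but the server side is where the inventory of listening ports comes from.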

Using LANGuardian to detect Telnet activity on your network

LANGuardian uses Content-Based Application Recognition (CBAR) to identify what applications are running on your network. With support for hundreds of the most common applications and protocols, and a unique deep packet inspection algorithm, CBAR delivers greater accuracy and fewer false positives than other approaches to application recognition.

Typically you monitor network traffic at your network core where a lot of the most interesting traffic passes through. You then apply a filter so that you only show Telnet traffic.

The image to the right shows how you can use the LANGuardian Applications in Use report filter to focus in on Telnet activity. This can then be saved as a custom report if you want to add it to a dashboard or get an alert if Telnet activity is detected on your network.

Telnet application filter

A sample output of this Applications in Use report is shown below. Here we can see that some Telnet activity has been detected.

Telnet application detected

Drilling down on this Telnet traffic then reveals that Telnet services are active on two separate ports on a single server, as you can see in the image below. LANGuardian can also alert you if a new server port becomes active, which is useful for watching out for new activations of Telnet services on your network.

Telnet sessions

You can download a 30 day trial of LANGuardian from here and use it to detect any device running Telnet services on your network. You do not need any logs or client software. Just set up a SPAN or mirror port and you can passively monitor activity at your network edge and east-west traffic moving within your network.

How to detect weak SSL/TLS encryption on your network

SSL/TLS encryption

Weak SSL/TLS encryption. Why worry?

A Google search for “GDPR countdown clock” yielded 18,900 results for me this morning so probably the last thing we need to consider is another countdown clock, but here is one for PCI compliance anyway.

The clock highlights 30 June 2018, an important deadline for online security and network administrators; a date from which older versions of TLS and all SSL should be confined to history for PCI compliant networks. From 30 June 2018, to be compliant with PCI DSS 3.2, SSL and “early versions” of the TLS protocol should be eliminated from use (with some exceptions for POS terminals). This is because PCI requires the use of “strong encryption”, and known weaknesses in all SSL, some TLS versions and some cipher suites mean they fail the ‘strong encryption’ standard.

“Early TLS” is defined as anything before TLS 1.1; however TLS 1.1 is also vulnerable as it allows use of bad ciphers; so TLS 1.2 is a better choice. Along with this version change, the ciphers that are used by SSL/TLS need to be carefully managed too. The ciphers and the SSL/TLS protocol versions are separate, but not completely independent of each other.

Even if you don’t care about PCI compliance, this is important for all networks running SSL/TLS; that includes your own networks, partner or client networks, that interact with your infrastructure. GDPR regulations (article 31) require use of “state of the art” technical and organisational measures to ensure security. While the GDPR language lacks specifics, we can look to PCI 3.2 and NIST guidelines (800-52 Rev 1) which strongly recommend use of TLS1.2 only, to know that SSL, TLS1.0 and TLS1.1 are not state of the art, and so fail the GDPR test. The NIST draft for 800-52 Rev 2 explicitly prohibits use of TLS 1.1.

What’s the problem, SSL provides encryption doesn’t it?

Since the mid 1990s, SSL/TLS encryption has underpinned much of online security and is the de facto choice for encrypting our web-based online shopping and payment transactions. SSL/TLS keeps our transactions private and unaltered. However, researchers and attackers have identified and published weaknesses in the aging versions of the protocols (SSL2.0, SSL3.0, TLS1.0 and TLS1.1) and in the ciphers that they use. There are three sources of weakness here to be aware of:

  1. Some weaknesses are in the protocol implementation itself. For example, Heartbleed exploited a read buffer overflow in OpenSSL’s implementation of the heartbeat extension. This allowed attacking clients to read private key information from the server.
  2. Other weaknesses are in the ciphers supported by SSL/TLS. For example, increased computation power along with the increased volumes of data being transferred mean that the 3DES cipher can be compromised in about 1 hour using the Sweet32 attacks. RC4 can also be compromised by brute force attacks. These weaker ciphers are supported by all versions of SSL/TLS up to version 1.2. However, newer, stronger ciphers such as AES are only supported by newer versions of SSL/TLS. So, use a newer version of TLS to enable use of stronger ciphers.
  3. Weaknesses in the protocol itself.

Even if properly implemented, according to the spec, with good ciphers, TLS1.1 is still vulnerable. The PRF (pseudorandom function) is based on broken cryptographic hashes MD5 or SHA1 and its use of ciphers in CBC mode is insecure.

There are no available fixes for these weaknesses, so the only avenue to remain secure is to use the newer, more robust versions.

TLS1.3, the newest, most secure version of TLS resolves the known weakness with the protocol, prohibits use of weak ciphers and has a much shorter setup time. TLS1.3 was in draft form when PCI 3.2 was adopted, so it isn’t mentioned in the PCI 3.2 document (TLS1.3 was formally adopted in March 2018. Mandating use of TLS1.3 at this stage could lead to interoperability problems).

Using Network Monitoring for SSL/TLS analysis

There are various techniques for identifying the SSL/TLS versions and ciphers that servers will support, such as nmap or just running OpenSSL from the command line. However, this requires that periodic checks are carried out, that the full inventory is always known, and that you have access to scan the network. The PCI Security Standards Council emphasises the importance of ensuring adherence to standards at all times and not just once per year to close audit requirements!

Continuous adherence is just good business and security practice and essentially points to continuous monitoring, rather than scheduled pen testing efforts. If you monitor network traffic within your network and perform packet analysis at session startup time, it’s possible to view the SSL/TLS versions and cipher used, as well as the certificates used on encrypted protocols (excluding TLS 1.3).

You can do this without any access to the servers (i.e. you can do it from the client or partner network) and without terminating any of the SSL/TLS sessions (i.e. you don’t have to use man-in-the-middle devices). This is possible because the opening salvos in SSL/TLS session establishment happen in the clear. The protocol negotiation, cipher choice and certificate exchange are all readable. Add to this the Server Name Indication (SNI) extension and a packet monitoring application can extract a lot of useful information about the nature of encrypted sessions on the network.
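Because the ClientHello and ServerHello travel in the clear, as the paragraph above says, a passive monitor can read the negotiated version, the chosen cipher suite and the SNI without touching either endpoint. The Python below is an added example written for this page, not code from LANGuardian: it parses constructed ClientHello and ServerHello records, reports SNI, version and cipher, and flags anything older than TLS 1.2 as early TLS in the PCI sense. The record and handshake layouts follow the TLS specification and the five cipher suite numbers are their IANA-assigned values; the record builders, the small suite table and the sample hostname are assumptions for the demonstration. One point the example makes that the text only hints at with its "excluding TLS 1.3" remark: a TLS 1.3 ServerHello still carries 0x0303 in its fixed version field and puts the real version in the supported_versions extension, so a monitor that reads only the fixed field will misreport TLS 1.3 sessions as TLS 1.2.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Small subset of the IANA cipher suite registry, enough for the demonstration
CIPHERS = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
           0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
           0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
           0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
           0x1301: "TLS_AES_128_GCM_SHA256"}
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0, 43
ACCEPTABLE = {"TLS 1.2", "TLS 1.3"}       # anything older is "early TLS"


def _handshake(record):
    """Return (handshake type, handshake body) from one TLS record, or (None, None)."""
    if len(record) < 9 or record[0] != 0x16:   # 0x16 = handshake content type
        return None, None
    return record[5], record[9:9 + int.from_bytes(record[6:9], "big")]


def _extensions(blob):
    exts, pos = {}, 0
    while pos + 4 <= len(blob):
        etype, elen = struct.unpack_from("!HH", blob, pos)
        exts[etype] = blob[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def parse_client_hello(record):
    htype, body = _handshake(record)
    if htype != 1:
        return None
    pos = 2 + 32                               # client_version + random
    pos += 1 + body[pos]                       # session_id
    n = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    offered = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + body[pos]                       # compression_methods
    exts = {}
    if pos + 2 <= len(body):
        elen = struct.unpack_from("!H", body, pos)[0]
        exts = _extensions(body[pos + 2:pos + 2 + elen])
    sni = None
    if EXT_SERVER_NAME in exts:                # list_len(2) name_type(1) name_len(2) name
        name_len = struct.unpack_from("!H", exts[EXT_SERVER_NAME], 3)[0]
        sni = exts[EXT_SERVER_NAME][5:5 + name_len].decode("ascii")
    return {"offered": [CIPHERS.get(s, hex(s)) for s in offered], "sni": sni}


def parse_server_hello(record):
    htype, body = _handshake(record)
    if htype != 2:
        return None
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32
    pos += 1 + body[pos]                       # session_id
    suite = struct.unpack_from("!H", body, pos)[0]
    pos += 3                                   # cipher_suite + compression_method
    if pos + 2 <= len(body):
        elen = struct.unpack_from("!H", body, pos)[0]
        exts = _extensions(body[pos + 2:pos + 2 + elen])
        if EXT_SUPPORTED_VERSIONS in exts:     # TLS 1.3 puts the real version here
            version = struct.unpack_from("!H", exts[EXT_SUPPORTED_VERSIONS], 0)[0]
    name = VERSIONS.get(version, hex(version))
    return {"version": name, "cipher": CIPHERS.get(suite, hex(suite)),
            "early_tls": name not in ACCEPTABLE}


def session_summary(client_record, server_record):
    ch, sh = parse_client_hello(client_record), parse_server_hello(server_record)
    return None if ch is None or sh is None else {"sni": ch["sni"], **sh}


# --- constructed records for the demonstration (not captured traffic) --------
def _record(htype, body):
    return (b"\x16\x03\x01" + struct.pack("!H", 4 + len(body))
            + bytes([htype]) + len(body).to_bytes(3, "big") + body)


def build_client_hello(suites, sni):
    name = sni.encode("ascii")
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    return _record(1, body)


def build_server_hello(version, suite, supported_version=None):
    body = struct.pack("!H", version) + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if supported_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_version)
        body += struct.pack("!H", len(ext)) + ext
    return _record(2, body)


if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0x002F, 0x000A], "shop.example.com")
    print(session_summary(hello, build_server_hello(0x0300, 0x000A)))   # SSL 3.0 + 3DES
```

Only the first record of each direction is needed, so a monitor can discard the rest of the session once the summary is written; the certificate chain, which follows the ServerHello in TLS 1.2 and earlier, is parsed the same way from the next handshake messages.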

LANGuardian 14.4.1 includes features that are useful for monitoring the status of SSL/TLS on your network.

NetFort LANGuardian is deep-packet inspection software that monitors network and user activity passively via a SPAN\Mirror port or TAP. Here are a couple of use cases which cover how it can be used to detect the use of weak SSL/TLS encryption on your network.

The first is an inventory of SSL/TLS servers. Built from passive traffic analysis, this shows every SSL/TLS server that has generated traffic on the network. The server can be internal or external (e.g. an HTTPS website). The inventory report for each server shows some details of the server certificate, with expiry date and signature algorithm. It also shows the SSL/TLS protocol versions that the server has used to communicate with clients. Issues are highlighted in red, such as expired certificates or weak certificate signature algorithms such as SHA1. A set of filters helps identify conditions such as use of SHA1 and helps identify servers that need configuration changes or updates.

Filters for reporting on SSL/TLS Server Inventory


Report on a single SSL server, showing expired certificate, weak protocol used, weak SHA1 algorithm


The other feature is a report on all the SSL/TLS sessions that have occurred on the network. This report (and its drilldowns) identifies all clients and servers that use SSL/TLS encryption, along with the version of SSL/TLS and the cipher used. Filters can be used to focus on particular versions of SSL/TLS, for example to identify where SSL3.0 is used, or to identify any communication that does not use TLS1.2.

Report showing use of weak SSL/TLS versions


Report drilldown showing cipher used by weak SSL3.0 session


A filter is also provided for the ciphers that are used. Cipher suites have a specific naming scheme which identifies the various attributes of the cipher used, viz:

TLS_KeyExchangeAlg_WITH_EncryptionAlg_MessageAuthenticationAlg

For example, the cipher TLS_RSA_WITH_AES_128_CBC_SHA is for use with TLS, using RSA for key exchange, AES 128-bit encryption, with SHA digests.

Report showing use of 3DES cipher


Filter support for SSL/TLS Versions and Ciphers


The list of supported ciphers for various versions of SSL/TLS is extensive (many hundreds) and there’s a balance between security and interoperability to consider when choosing which ciphers should be supported. Recommendations generally are to avoid RC4 and 3DES.
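The passive checks described above, the version/cipher grading of a session and the cipher-suite naming scheme, as an added example (not LANGuardian code): it parses a ServerHello seen on the wire and flags pre-TLS1.2 versions and RC4/3DES ciphers. The cipher-suite table is a small assumed slice of the IANA registry and the ServerHello bytes are constructed.

```python
"""Passive SSL/TLS check: pull the negotiated version and cipher suite out of a
ServerHello record and grade them as the inventory report above does.
Added example, not LANGuardian code; the ServerHello bytes are constructed."""
import struct

# Small slice of the IANA cipher-suite registry (assumption: only the suites
# this example needs are listed; a real inventory carries the full table).
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
VERSIONS = {(3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}
WEAK_VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1"}      # anything below TLS1.2
WEAK_ENCRYPTION = ("RC4", "3DES")                    # the two the post says to avoid


def parse_cipher_name(name):
    """Split TLS_KeyExchangeAlg_WITH_EncryptionAlg_MessageAuthenticationAlg.
    Returns None for names without _WITH_ (TLS 1.3 suites, unknown code points)."""
    proto, _, rest = name.partition("_")
    kx, sep, enc_mac = rest.partition("_WITH_")
    if not sep:
        return None
    enc, _, mac = enc_mac.rpartition("_")
    return {"protocol": proto, "key_exchange": kx, "encryption": enc, "mac": mac}


def parse_server_hello(record):
    """Return (version name, cipher-suite name) from one TLS record carrying a
    ServerHello. Layout: 5-byte record header, 4-byte handshake header, then
    version(2) random(32) session_id(1+n) cipher_suite(2) compression(1)."""
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    sid_len = body[34]                       # the 32-byte random sits before it
    off = 35 + sid_len
    suite = struct.unpack("!H", body[off:off + 2])[0]
    return VERSIONS.get(version, "unknown"), CIPHER_SUITES.get(suite, "0x%04X" % suite)


def grade_session(record):
    """Produce the kind of row the inventory report highlights in red."""
    version, suite = parse_server_hello(record)
    issues = []
    if version in WEAK_VERSIONS:
        issues.append("weak protocol " + version)
    parts = parse_cipher_name(suite)
    if parts and any(w in parts["encryption"] for w in WEAK_ENCRYPTION):
        issues.append("weak cipher " + parts["encryption"])
    return {"version": version, "cipher": suite, "issues": issues}


def build_server_hello(version, suite):
    """Construct a minimal ServerHello record (no extensions) for the example."""
    body = bytes(version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # A server still answering with SSL3.0 and 3DES: both get flagged.
    print(grade_session(build_server_hello((3, 0), 0x000A)))
    # A TLS1.2 / AES-GCM server: clean.
    print(grade_session(build_server_hello((3, 3), 0xC02F)))
```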

Continuous network monitoring is a useful tool for ensuring your network is operating to whatever standards or compliance regulations you are required to adhere to. Without using man-in-the-middle decryption devices, it is possible to learn a great deal about the activity on your network.

Video Guide: How to detect weak SSL/TLS encryption on your network

You can download a 30 day trial of LANGuardian from here and use it to detect the use of weak SSL/TLS encryption on your network. You do not need any logs or client software. Just set up a SPAN or mirror port and you can passively monitor activity at your network edge and horizontal traffic moving within your network.

How to detect new server ports in use on your network


What is a server?

In client-server processes that use Transmission Control Protocol/Internet Protocol (TCP/IP) or User Datagram Protocol (UDP), the client initiates communication with a server through one of the many well-known ports. In computer networking, a port is an endpoint of communication in an operating system. While the term is also used for physical devices, in software it is a logical construct that identifies a specific process or a type of network service. For example, HTTP traffic typically uses TCP port 80.

What makes a server is that it is the one that accepts a connection from a client. Typically, this port is left open or running so that clients can connect at any time. It is good security policy to restrict the number of ports which are open on a server. Each open port is a way to gain access to that server. In recent times several Ransomware variants spread around networks by exploiting a vulnerability in SMBv1. Infected clients searched for any host with TCP port 445 active and then tried to communicate using the SMBv1 protocol. The image below shows the handshake that makes up a TCP connection request.

TCP three way handshake associated with server ports

Why worry about new server ports?

As I mentioned previously, opening new ports on a server increases that server’s attack surface. Keeping the attack surface as small as possible is a basic security measure. New ports become active if you install new software or if you enable a new service on the server. Enabling something such as RDP (Remote Desktop Protocol) can compromise the entire server and provides a way for data to be transferred off it.

For important servers on your network you should have an inventory of what applications or services are running so that changes can be detected. You can do this either by constantly polling the server on every port number or by monitoring network traffic going to and from the server. The polling method can be problematic, as you will need to constantly bombard the server with connection requests, and you may miss something if the application or service was only active for a short time.

If compliance standards such as GDPR are a concern then server monitoring is not just a nice to have, it becomes mandatory. You must maintain an inventory of who is connecting to what if you store sensitive or personal data.

Detecting new server ports by monitoring network traffic

If you monitor network traffic going to and from your important servers you can build up an inventory of what ports are open without the need to interact with the servers. One way to do this is to use a SPAN or mirror port to get a copy of the network traffic going to and from your servers. You would then need a network traffic analysis tool such as LANGuardian to process this data and extract the relevant metadata from the network packets. The image below shows an example of what would be required. The four servers can be monitored via a single SPAN or mirror port.

network diagram showing how you can monitor network traffic

Detecting new server ports with LANGuardian

Once you have your SPAN or mirror port in place and you have a LANGuardian installed monitoring the network traffic, you can start to build up an inventory of new server ports. Type “server ports” into the search field at the top of the LANGuardian web interface and select “Network Events (New Server Ports)”. Pick a date range and then see if any new server ports became active during the selected time period. The image below shows a sample of the report output.

LANGuardian Network Events (New Server Ports) report

The report contains a number of fields:

  1. Sensor: LANGuardian can process traffic from multiple network points via remote sensors. The sensor field shows which sensor detected activity on the new server port.
  2. Server address: The network device which is accepting client requests.
  3. Port: Which port the server is listening on. Some ports will be labelled.
  4. When detected: The date and time when communication was first detected.
  5. Server reply: This is a section of the server’s reply to a client. In some cases it is human readable; in others it is just a binary string of seemingly random characters.

The video below shows an example of this report in action.
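The detection described in this post, as an added example (not LANGuardian code): it works from a passive copy of the traffic, treats only the SYN-ACK of the three-way handshake as proof that a host is accepting connections on a port, and emits a row with the same fields as the report above. The packet summaries and their shape are constructed assumptions.

```python
"""Passive server-port inventory: the SYN-ACK of the three-way handshake
identifies the server side, and a (server, port) pair not seen before becomes a
"new server port" event carrying sensor, server, port, when detected and the
start of the server reply. Added example, not LANGuardian code; packets are constructed."""
from collections import namedtuple

# Assumed shape of one packet summary handed over from a SPAN/mirror feed.
Packet = namedtuple("Packet", "ts sensor src sport dst dport flags payload")
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
LABELS = {22: "ssh", 80: "http", 443: "https", 445: "microsoft-ds", 3389: "rdp"}


def printable_snippet(data, limit=32):
    """Start of a server reply; non-printable bytes are shown hex-escaped."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in data[:limit])


class ServerPortInventory:
    def __init__(self, known=()):
        self.known = set(known)      # (server, port) pairs already in the inventory
        self.awaiting_reply = {}     # 4-tuple of a new session -> index into events
        self.events = []

    def feed(self, pkt):
        session = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags & SYN and pkt.flags & ACK:
            # Only a SYN-ACK proves pkt.src accepted a connection on pkt.sport.
            # A bare SYN, or a RST answering it, is an attempt or a scan, not a server.
            key = (pkt.src, pkt.sport)
            if key in self.known:
                return
            self.known.add(key)
            self.events.append({
                "sensor": pkt.sensor, "server": pkt.src, "port": pkt.sport,
                "label": LABELS.get(pkt.sport, ""), "when_detected": pkt.ts,
                "server_reply": "",
            })
            self.awaiting_reply[session] = len(self.events) - 1
        elif pkt.payload and session in self.awaiting_reply:
            # First data the server sends on that session fills the reply column.
            idx = self.awaiting_reply.pop(session)
            self.events[idx]["server_reply"] = printable_snippet(pkt.payload)

    def run(self, packets):
        for pkt in packets:
            self.feed(pkt)
        return self.events


SAMPLE = [  # constructed traffic seen by one sensor: SMB to a known port,
            # a refused telnet probe, and a new SSH daemon on port 2222
    Packet(1000, "core", "10.0.0.5", 51000, "10.0.0.20", 445, SYN, b""),
    Packet(1000, "core", "10.0.0.20", 445, "10.0.0.5", 51000, SYN | ACK, b""),
    Packet(1001, "core", "10.0.0.7", 52000, "10.0.0.20", 23, SYN, b""),
    Packet(1001, "core", "10.0.0.20", 23, "10.0.0.7", 52000, RST | ACK, b""),
    Packet(1002, "core", "10.0.0.7", 52001, "10.0.0.20", 2222, SYN, b""),
    Packet(1002, "core", "10.0.0.20", 2222, "10.0.0.7", 52001, SYN | ACK, b""),
    Packet(1002, "core", "10.0.0.7", 52001, "10.0.0.20", 2222, ACK, b""),
    Packet(1002, "core", "10.0.0.20", 2222, "10.0.0.7", 52001, PSH | ACK,
           b"SSH-2.0-OpenSSH_7.4\r\n"),
]


def new_server_ports(packets=SAMPLE, known=(("10.0.0.20", 445),)):
    """Ports that started answering during the window, excluding the baseline."""
    return ServerPortInventory(known).run(packets)


if __name__ == "__main__":
    for ev in new_server_ports():
        print(ev)
```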

How To Detect Unauthorised DNS Servers On Your Network

Detecting unauthorized DNS servers to prevent DNS poisoning

Why worry about unauthorised DNS servers?

DNS remains a vital part of computer networking. The foundation of DNS was laid in 1983 by Paul Mockapetris, then at the University of Southern California, in the days of ARPAnet, the U.S. Defense Department research project that linked computers at a small number of universities and research institutions and ultimately led to the Internet. The system is designed to work like a telephone company’s 411 service: given a name, it looks up the numbers that will lead to the bearer of that name.

DNS was never designed as a very secure protocol and it is a popular target for attackers. There are two ways DNS can be hacked: by using protocol attacks (attacks based on how DNS actually works) or by using server attacks (attacks based on bugs or flaws in the programs or machines running DNS services).

One of the more recent protocol attacks was the

In both of these cases the attackers change your DNS server from, for example, 8.8.8.8 (Google) to one of their own DNS servers. Most of your DNS queries will be handled correctly and you will get correct IP addresses. However, for certain sites, such as banking, the attackers will direct you to a mocked-up website which looks like a valid banking one. Your logon details are captured once you start to interact with the site, and these are then used to steal your money.

Detecting unauthorised DNS server use with LANGuardian

Our LANGuardian product includes both a DNS traffic decoder and a number of alerting features which you can use to track down unauthorised DNS server use. The image below shows an example of the DNS traffic decoder. Here we can see how LANGuardian can build up an inventory of all DNS servers and the client queries to them.

A LANGuardian report showing unauthorised DNS server use

Having a DNS audit trail like this will also give you the data you need to investigate other DNS issues such as cache poisoning.

How to generate alerts if a device uses an unauthorised DNS server

LANGuardian includes a customizable alerting engine where you can define whitelists of valid servers and get alerts if users try to access others. For the purposes of this example we are going to create a DNS whitelist containing these servers:

  • 192.168.127.22 (hosted internally on network)
  • 8.8.8.8 (google1)
  • 8.8.4.4 (google2)

We then use the LANGuardian alerts configuration option to create a DNS alerting rule which would trigger if queries to other servers are detected. The screenshot below shows an example of this.

Unauthorised DNS servers alert configuration

Once the rule is saved it will look like this on the LANGuardian alerts list.

LANGuardian DNS Alert Rule

Once the unauthorised DNS server alert is triggered, LANGuardian will capture certain DNS metadata like source and destination IP addresses, country where DNS server is registered and the domain names that were queried. The image below shows an example of what the alerts look like.

A list of unauthorised servers detected on the network using network traffic analysis

These alerts can also be exported as SYSLOG so that they can be processed by a blocking device such as a firewall or NAC (Network Access Control) system.

How to monitor DNS traffic

One of the best ways to monitor DNS traffic is to port mirror traffic going to and from your local DNS servers and all Internet traffic. Monitoring Internet traffic is crucial so that you can pick up on devices using external DNS servers. Most managed switches support SPAN or mirror ports, so getting at this traffic is usually straightforward. If you have a switch that does not have any traffic monitoring options, there are many alternatives to SPAN ports. The video below shows the steps needed to monitor Internet traffic, and you should extend this to also monitor local DNS servers.

Find Out What DNS Servers Are In Use On Your Network

Use the deep packet inspection engine of LANGuardian to report on what DNS servers are in use on your network. Real time and historical reports available. No need to install any agents or client software.

  • See what DNS servers are in use
  • Generate alerts if a network device uses an unauthorised DNS server
  • Capture DNS metadata so you can troubleshoot DNS issues and perform forensics on past events.

All analysis is done passively using network traffic analysis and you will see results within minutes.

Tracking Down New Devices After The Holiday Season


New Devices = New Year Challenges

As 2017 draws to a close I would like to take this opportunity to wish all my business and Infosec contacts a Happy Christmas and best wishes for the new year. It is also the season for exchanging gifts, and at the top of many people’s lists is a new phone, tablet or some other IoT gadget. It is amazing what you can get for so little now. I just watched a video about an Android powered smartwatch that comes with a SIM slot, camera, touchscreen, access to the Play Store plus many other features, and you get all this for $12.

The challenge that these devices bring is that they may end up on corporate networks. No big deal, you may say, but all it takes is one compromised system to bring down your network with a malware infection. The portability is the problem: users walk past your firewall with their shiny new device and suddenly you have a problem inside your network.

Another issue is the potential bandwidth grab that new devices bring. Many will need updates, and as soon as they get on a network with lots of bandwidth they start downloading them. Some of these updates can be over 2GB in size, which can swamp WAN or Internet connections.

How can you detect new devices on your network?

One of the best ways to detect new devices on your network is to monitor network traffic going to and from a number of key points including:

  1. Internet gateway
  2. Internal interfaces of proxy servers
  3. DHCP queries
  4. DNS queries
  5. Network interfaces going to WAN routers

One of the easiest ways to monitor network traffic is to use a SPAN, mirror port or TAP. These allow you to get a full copy of network traffic as it passes through a switch. The main thing to remember is that you don’t need to monitor every port on your network, just focus on the ones I have listed above.

Once you have a traffic source in place you then need to extract certain information from the network packets which will allow you to report on new network devices. For the purposes of this blog I am going to use our own LANGuardian system, which can extract device metadata from the packets. The video below details the steps necessary to monitor Internet traffic, and you can extend this to include other network points.

Monitoring Internet Traffic. Proxy & Direct

One of the richest sources of data when it comes to monitoring new devices is Internet traffic. Most wired and wireless devices try to access external services to download updates or to send and receive data to cloud services. Buried within this data will be certain pieces of metadata which can reveal what devices are on your network.

The image below shows an example of metadata captured from Internet traffic which is then used to build up an inventory of what devices are connecting to your network.

Monitoring DHCP Requests

New devices connecting to your network will normally send out a DHCP request so that they can get an IP address which they then use to communicate. If you monitor these DHCP requests you can start to build up an inventory of what devices are connecting to your network. The screenshot below shows an example of what you should be capturing. Here you can see the device MAC addresses with their associated hostname and IP address. An alert can be triggered on LANGuardian if the MAC address is new, so you know when a new device connects to your network.

DHCP Requests

Monitoring DNS Queries

Once you start to build an inventory of what is connecting to your network, you should also try and capture some associated data. A good example would be to capture all DNS queries that devices on your network are sending. These queries can reveal a lot about what the devices are doing and what sort of applications they are running. In the example below we can see that there is a device active on our network and it is running cloud apps like WhatsApp and GMail and it is running the Township game.

Monitoring network interfaces going to WAN routers

As I mentioned previously, wireless\IoT devices can consume large volumes of bandwidth. Businesses can be impacted if users in remote sites start complaining that the “network is slow” and all it takes is for one device update to swamp a link. Make sure you are monitoring what applications are using your bandwidth.

An easy way to do this is to monitor the network interfaces on your WAN routers with a product like LANGuardian. It can also associate network activity with usernames so you know who is doing what on your network. A sample of this username integration is shown in the image below.

Top network users

Find Out What Devices Are Connecting To Your Network

Use the deep packet inspection engine of LANGuardian to report on what devices are connecting to your network. Real time and historical reports available. No need to install any agents or client software.

  • See what devices are connecting to your network
  • Generate alerts if a new device connects
  • Capture associated metadata for forensics

All analysis is done passively using network traffic analysis and you will see results within minutes.

How to Passively Detect VPN Clients on Your Network

How to detect the presence of VPN clients

Why worry about VPN clients?

VPNs have been around for a long time. A VPN extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.

If you use public WiFi networks such as those found in airports and cafes then it is recommended that you use a VPN service. A VPN will ensure that all of your communication is encrypted.

However, there are times when VPN activity is suspicious and/or bad. I see an increasing amount of VPN activity on college\school networks. In most cases end users are using a VPN to get around a web filter or to use a blocked application such as BitTorrent. A VPN will also punch a hole in your firewall and it may become a route for nasties such as Ransomware.

“A VPN client will punch a hole through your firewall”

Common uses for VPN clients

Good

  1. Site to site connectivity where a branch office can connect to HQ via the Internet
  2. Allows remote workers to connect to HQ
  3. Encrypts your data when you are on a public WiFi network

Bad

  1. Bypass web filters (some may not see this as bad)
  2. Allows you to run applications which are blocked
  3. Create a hole in a Firewall which may become the source of a Malware infection
  4. Can be used for data exfiltration

How to detect VPN clients on your network

VPN clients can be difficult to detect as they typically use a port such as 443 over UDP or TCP which is normally open on a firewall. However, there are a number of things to watch out for. First we need to understand how the most common VPN clients work.

Most VPN clients come as a software pack which includes the actual VPN software and a database of VPN servers. The idea is that everything you need is included when you install, so you don’t need to access a specific website to connect to anything. If you did, it would be easy to block access to those websites. This makes it hard to detect VPN clients if you are looking at reports from something like a web filter.

Once you select a VPN server, an encrypted connection is created between your client and the VPN server. All of your Internet bound activity is then routed through this VPN connection. If you want to browse a website for example, the VPN server connects to the website and sends the text\images\media back to you via your encrypted connection. This is what makes them secure, someone ‘sniffing’ your local traffic can’t see what you are accessing.

How VPN works

In summary, a VPN client makes a direct connection to a VPN server and this server then does the job of accessing whatever service\application you requested. This differs from users connecting to websites or applications directly. For example, I may go and visit YouTube using a web browser. When I type in YouTube.com my computer will resolve this name to an IP address using DNS. Computers use IP addresses to connect, not human readable names.

In order to detect VPN clients on a network, we need to watch out for any client-to-server connections that were not preceded by a DNS resolution. To do this you need to monitor network traffic going to and from your Internet gateway, and you also need to monitor DNS traffic hitting your DNS servers if you host them locally.

Detecting VPN Clients

  1. Monitor Internet traffic
  2. Monitor DNS queries
  3. Watch out for client connections to external hosts with no name resolution

What you need to watch out for is any sessions to external IP addresses which have no hostnames associated with the server. If the connection is over TCP or UDP port 443 then you are probably looking at VPN client activity. The image below shows an example of what to watch out for if you want to detect VPN clients. The first client listed is connecting directly to an IP address as no hostname is shown. The other connections are to Googlevideo which are part of the YouTube service.
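The two stateful checks from these posts, the DNS whitelist alert (queries sent to a server outside the approved list) and the VPN tell-tale just described (a session to an external IP that no DNS answer to that client ever returned), as one added example (not LANGuardian code). The event shapes, the internal address ranges and the 203.0.113.0/24 addresses are constructed assumptions; the approved resolver list is the one from the DNS post.

```python
"""Correlate DNS with session events: (1) alert on a DNS query sent to a
non-approved server, (2) alert on a session to an external IP that the client
never received in a DNS answer (within the answer's TTL), and keep a session
row with the hostname, if any, as the report above shows.
Added example, not LANGuardian code; the events are constructed."""
import ipaddress
from collections import namedtuple

DnsQuery = namedtuple("DnsQuery", "ts client server qname")
DnsAnswer = namedtuple("DnsAnswer", "ts client server qname ip ttl")
Session = namedtuple("Session", "ts client server port proto")

APPROVED_DNS = {"192.168.127.22", "8.8.8.8", "8.8.4.4"}   # whitelist from the post
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed site ranges


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


class DnsCorrelator:
    def __init__(self, approved=APPROVED_DNS):
        self.approved = set(approved)
        self.resolved = {}     # (client, ip) -> (qname, valid_until)
        self.alerts = []
        self.sessions = []     # report rows: (client, server, port, proto, hostname)

    def feed(self, ev):
        if isinstance(ev, DnsQuery):
            if ev.server not in self.approved:
                self.alerts.append(("unauthorised_dns_server", ev.client, ev.server, ev.qname))
        elif isinstance(ev, DnsAnswer):
            # Remember which name this client was told maps to the IP, for TTL seconds.
            self.resolved[(ev.client, ev.ip)] = (ev.qname, ev.ts + ev.ttl)
        elif isinstance(ev, Session):
            # Internal traffic and talking to the resolver itself never need a prior lookup.
            if not is_external(ev.server) or ev.server in self.approved:
                return
            hit = self.resolved.get((ev.client, ev.server))
            hostname = hit[0] if hit and hit[1] >= ev.ts else ""
            self.sessions.append((ev.client, ev.server, ev.port, ev.proto, hostname))
            if not hostname:
                self.alerts.append(("connection_without_dns", ev.client, ev.server, ev.port))

    def run(self, events):
        for ev in sorted(events, key=lambda e: e.ts):
            self.feed(ev)
        return self.alerts


SAMPLE = [  # constructed: a normal browse, a VPN-like session with no lookup,
            # a query to a rogue resolver, and a reuse after the TTL has expired
    DnsQuery(100, "10.0.0.5", "8.8.8.8", "youtube.com"),
    DnsAnswer(100, "10.0.0.5", "8.8.8.8", "youtube.com", "203.0.113.10", 300),
    Session(101, "10.0.0.5", "203.0.113.10", 443, "tcp"),
    Session(102, "10.0.0.9", "203.0.113.40", 443, "udp"),
    DnsQuery(103, "10.0.0.12", "203.0.113.53", "bank.example"),
    Session(500, "10.0.0.5", "203.0.113.10", 443, "tcp"),
]


def detect(events=SAMPLE):
    """Run the correlator over a batch of events and return it for inspection."""
    corr = DnsCorrelator()
    corr.run(events)
    return corr


if __name__ == "__main__":
    c = detect()
    for row in c.sessions:
        print("session", row)
    for alert in c.alerts:
        print("ALERT", alert)
```

The third sample session fires because the cached answer's TTL ran out before the session started, so a stale resolution does not silence the check.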

Report showing a VPN client connecting to an external VPN server

Check out the video below to learn more about how you can use our LANGuardian product to detect VPN clients.

Do you really need ‘Artificial Intelligence’ for actionable alerts


Using Traffic Analysis as a Data Source

As we have mentioned numerous times in our blogs, Network Traffic Analysis or Deep Packet Inspection (DPI) is a very flexible technology. It can be used for many use cases, including continuous monitoring of user and device activity, reporting, forensics, analytics and, of course, troubleshooting of everyday problems. One of the benefits of using a DPI engine to analyse network traffic flows is the rich application-specific detail and context, metadata that can be extracted and presented in real time or stored for forensics: data ideal for many IT security and operational use cases.

DPI can sometimes be seen as a ‘complex and expensive technology’ only suitable for large enterprise, but not with the latest engines as found in the NetFort LANGuardian. The basic principle of the LANGuardian engine is to get the engine to do all the ‘heavy lifting’, reassembly, analysis, alerting thus making it very easy to use and read, ideal for all skill levels across organisations of all sizes with minimum training.

Actionable Alerts That Our Customers Requested

Recently we have been asked by our customers to generate real time alerts on various network and user activities that are critical to them. Examples, in the customers’ own words, include:

  • US Manufacturing company
    • ‘Alert if a user or device generates more than x GB of data over a given time?’
    • ‘Alert if certain file types are detected (e.g. mkv files)? ‘
  • Large EU University
    • ‘Alert when a machine on our network is maliciously scanning 100,000’s of IP addresses across the globe.’
  • EU Online retail company
    • ‘Any internal ip address making a connection to an external ip where the connection (TCP/UDP) was not preceded by a DNS query that returned the external ip’
  • EU Government organisation
    • ‘Alert on any web accesses not via the proxy server’
  • US City Council
    • ‘I’m trying to figure out the syntax for a rule to detect when the BitTorrent protocol is detected’
    • Oct 2016 ‘Detect SMB1 traffic. Is there a way to detect SMB1 traffic? Microsoft recommends to stop using it so I’d like to see if it’s being used in our network.’
  • US Law firm
    • ‘Alert if a lawyer uploads huge files to our shared server within a short period of time using up all our space’

Some seem very obvious and simple, but on closer examination most make sense. It is also interesting to note that most customers do not request that many, maybe because they are already flooded with false positives and find it almost impossible to actually spot the real actionable alerts.

Machine Learning

I had a chat with a customer last week who purchased a pretty well known ‘machine learning’ based network security product 6 months ago. When he mentioned the product name, I was very curious and asked how it was going. ‘Nothing yet, 6 months of false positives, but you know, it is still learning’. So now not only have they invested a lot of time and money in purchasing and implementing a product, but it is also costing them time every day, as it is giving them even more false positives to investigate!

Actually, a small number of our customers who requested the alerts included in the list above have recently implemented some expensive ‘machine learning’ based security products. We started discussing it here internally and it got us wondering about the massive hype by vendors, analysts etc. around machine learning with respect to security. What is really driving it? The lack of skilled security analysts is definitely one factor, big data another, but surely another one is the current set of overly complex and expensive security products? And maybe the venture capitalists who have invested huge amounts of money in companies developing this technology, many of whom are struggling with sales?

Developing Our Own Alerting Engine

We are putting huge focus on the usability of our alert engine, make sure it is as easy as possible to define the rules that generate real actionable alerts, not false positives, the alerts important to the user, the organisation, the business.

Of course, sometimes the simplest and best ones are not that easy to implement. For example, the lack-of-DNS-query rule requires context/state and some understanding of the protocol in use in order to generate an alert. As mentioned by one of our engineers, some are also somewhat vague and require more detail. It may also be that some do not require an instant alert; a simple email sent to the administrator each morning may suffice.

It will take time to get right: some tuning, knowledge of the network, etc. Ease of use and readable data are a must, otherwise it will never work. These are basics some security vendors simply do not pay enough attention to; instead they spend a lot of time and money on graphics and web interfaces designed by gamers, dark constellations which look fantastic, but when you start to look at the detail, looking for actionable intelligence, you start thinking: what is this really telling me?

There are many common and critical threats or ‘bad’ network and user activities that do not require sophisticated artificial intelligence or machine learning. Most organisations do not have the resources to monitor various dashboards to actually try and detect suspicious activity in real time, but simply want a real alert with some readable context and data to understand what the alert is actually telling them.

Where to Start

Is it not common sense? Start small, work the basics. Use network traffic analysis, for example, to monitor internal activity and get the visibility you need to understand what is happening on your network. Modify your ‘active’ systems, for example your firewall, to get rid of everything that could widen your attack surface, and then add alerts, one by one, to ensure you are immediately notified the next time. Use forums, blogs and your own network to keep in touch and build and update your own alert set. Add them one by one; you will be amazed at the size of your list after a few months and the lack of false positives.

Did Any Zombie Creep Into Your Network During Halloween?


Network Zombies

Now that Halloween is behind us we can put away the scary decorations and funny costumes. It may also be a good time to check our networks for zombie hosts or users. They can take many forms:

  1. Clients infected with Malware which form part of an external botnet
  2. Faulty equipment which may be generating excessive broadcast traffic
  3. Rogue IoT devices eating bandwidth
  4. External clients scanning your network perimeter and exploiting firewall holes
  5. Misuse of network resources by one or more users

Infected Clients

Many networks have lots of security devices at the network edge. From Firewalls to IPS type systems, securing the perimeter has been a priority for many IT managers. The trouble is that while this is a good thing to do, malware can still get in and unless you are monitoring what is going on inside your network you may be at risk. A user may bring in a USB stick laden with Malware for example and walk past your firewall.

I recently read about this network breach where unauthorized software was found on a server and it may have led to data loss. Some time ago I installed a trial version of our LANGuardian product onto a network and we found a client sending over 10,000 SPAM emails per hour. The interesting thing here was that the user of the computer was not complaining and an antivirus scan did not find anything. In the end the IT manager had to get the system reinstalled.

One way to find out what is happening on your internal network is to monitor network traffic moving through your core switch by setting up a SPAN or mirror port. Network traffic is an excellent source of user and application information. Once you have your data source in place a combination of network based intrusion detection and metadata analysis will root out any suspicious activity.

The image below taken from our own LANGuardian system shows an example of what to look out for. Events such as ET MALWARE Win32/InstallCore Initial Install Activity 1 or ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 need to be investigated and the associated clients need to be removed from the network.

Network based IDS

Faulty Network Equipment

Technology can be wonderful when it works but when something goes bad it can be a nightmare to figure out what went wrong. A few years back there was massive disruption to air traffic at Dublin airport when a network card went faulty and caused the breakdown of a radar system. Our support team here worked with one of our own customers a while back when a faulty IP phone brought down an entire network segment by sending out large volumes of broadcast traffic.

Make sure you have some sort of internal traffic monitoring in place and watch out for which systems are sending large volumes of broadcast or multicast traffic. In other cases you may need to look at switch interface counters such as collisions or CRC error rates. The image below is from our LANGuardian product and shows a sample report listing the top clients associated with broadcast traffic. Any device associated with hundreds of megabytes of broadcast traffic would need to be investigated.

Rogue IoT devices

Almost everything in today’s world is connected. From light bulbs to fridges, many devices now want to share data and metrics. However, this IoT world is not without its challenges. Recently security researchers uncovered a botnet called Reaper which may have infected over 1 million networks.

IoT Botnets are Internet connected smart devices which have been infected by the same malware and are controlled by a threat actor from a remote location. They have been behind some of the most damaging cyberattacks against organizations worldwide, including hospitals, national transport links, communication companies and political movements.

You need to be aware of what is connecting to your network. One way to do this is to monitor all traffic going to and from your DHCP and DNS servers. This can reveal a lot about what is connecting to your network and what it is trying to get to. The images below from our LANGuardian product show how metadata captured from DHCP and DNS traffic can be used to get an inventory of what is on your network.

If you do have IoT devices on your network, you need to make sure they are fully patched and not using any default passwords.

External Clients Targeting Your Network

As I mentioned previously, there are large botnets out there ready to target unsuspecting businesses and organizations. If you’re unlucky enough to be targeted you could be on the receiving end of a large DDoS attack. Typically NTP or DNS traffic is used to overload your Internet gateways, resulting in a loss of connectivity for internal and external clients. Make sure you are monitoring all traffic at your network edge, especially the levels of UDP based protocols such as NTP or DNS.

Also watch out for any external clients scanning your network looking for open ports on firewalls. Common scans would be on RDP (TCP 3389), SSH (TCP 22) or SQL (1433). You need to take action if you see any connections on your internal network from clients which are outside the network. Either block the external IP address or shut down the port they are using on your firewall. Don’t forget to carry out a forensic investigation on any incidents and see if any other client was targeted inside your network.

The image below from our LANGuardian product shows an example of what to watch out for. Here we can see an external IP which is registered in Russia connecting to servers on the local network over TCP port 445.

Rogue Network Users

Sometimes a network user can go bad. Maybe they install an application such as Bittorrent and hog all of the Internet bandwidth or maybe someone accidentally or deliberately deletes data. Can you track down all activity by username? One way to do this is to capture user logon information from Active Directory and use this to match it to IP addresses so you can see who is doing what.

The image below from our LANGuardian product shows a sample user report which lists the top users active on the network based on data downloaded or uploaded. You may want to consider getting alerts if users go above certain levels.

Root Out Zombies on Your Network

Use the deep packet inspection engine of LANGuardian to continuously monitor user and device activity and root out any zombies on your network. Real time and historical reports are available. No need to install any agents or client software.

  • Built in intrusion detection system
  • GeoIP reports allow you to see what countries are connecting to your network
  • AD integration associates usernames with network activity

All analysis is done passively using network traffic analysis and you will see results within minutes.

QUIC Protocol Detection Now Available in LANGuardian

QUIC Protocol

What is the QUIC Protocol?

QUIC (Quick UDP Internet Connections, pronounced quick) is a transport layer network protocol designed by Jim Roskind at Google. QUIC supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP), and was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latency, and bandwidth estimation in each direction to avoid congestion. QUIC aims to be nearly equivalent to an independent TCP connection, but with much reduced latency.

The most common use of QUIC today is for streaming YouTube videos. If you use a Chrome browser then data associated with your YouTube activity uses the QUIC protocol. Some reports suggest that QUIC now accounts for more than 5% of Internet Traffic. Other browsers such as Opera version 16 and above also support the QUIC protocol but don’t have it enabled by default.

How to detect QUIC protocol use on your network

The most reliable way to detect QUIC protocol use on your network is to monitor network traffic at your network edge. Our LANGuardian product can use this data source to look at packet payloads and identify what protocols are in use. The video below shows how to set up a SPAN or mirror port to capture traffic at your network edge.

Once you have your LANGuardian in place you need to click on Reports \ Top Protocols. In my case the QUIC protocol accounts for 78% of bandwidth use.

Drilling down on this we can then see the Googlevideo domain and the usernames associated with this activity. Googlevideo is the domain Google use for streaming YouTube content.

Drilling down on QUIC traffic

Upgrade your LANGuardian to enable QUIC detection

QUIC detection was added to LANGuardian version 14.3.2. If you are a customer you must upgrade to this or higher version. Click on the gear symbol top right, then settings \ LANGuardian software upgrade. Your LANGuardian must have Internet access to check for and download the latest version.

If you are not a LANGuardian customer then you can download a 30 day trial and see within minutes how much bandwidth the QUIC protocol is using on your network.

How to Detect BitTorrent Traffic on your Network

Monitor Bittorrent Traffic

What is BitTorrent Traffic?

BitTorrent is a communication protocol for peer-to-peer file sharing (“P2P”) which is used to distribute data and electronic files over the Internet. It is most famous as a method for downloading copyrighted material such as movies and music. However, it can be used for software delivery and Microsoft have some P2P capabilities built into Windows 10 for distributing Windows updates.

When it comes to monitoring BitTorrent traffic you need to understand how the protocol works. It is not like a traditional download, where you download everything from a single link or IP address. Instead, you download pieces from other clients (peers) and the management is looked after by trackers or more commonly Distributed Hash Tables. Every download has an associated INFO-HASH value which is unique to it and this is an important piece of data when it comes to identifying BitTorrent traffic.

Capturing BitTorrent Traffic

There are multiple potential data sources if you want to monitor BitTorrent traffic on your network.

  • Monitor network traffic at your network edge using a SPAN, mirror port or TAP
  • Flow records such as NetFlow or IPFIX
  • Firewall logs

The most reliable source is network traffic as “packets don’t lie”. Flow records will not capture metadata such as INFO-HASH values, so you will never know for definite that traffic is associated with BitTorrent activity. Firewall logs may indicate the presence of BitTorrent, but they are not designed as a forensics tool to store long-term records of all traffic and application information.

The video below shows how to set up a SPAN or mirror port to capture traffic at your network edge. With a tool like LANGuardian connected to this, you can identify BitTorrent traffic and capture important metadata such as INFO-HASH, IP addresses, external clients and file names.

Analyzing BitTorrent Traffic

When it comes to analyzing BitTorrent traffic you need to be watching out for these applications:

  • BitTorrent DHT Tracker
  • BitTorrent Peer Traffic

Once you detect these applications on your network, you need to capture certain metadata so that you don’t need to store every packet, which can be expensive. The image below shows the output of a LANGuardian BitTorrent analysis report. Note how you can see the network user, IP address, INFO-HASH and file name.
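The INFO-HASH described above is carried in two places a passive sensor can see without storing full packets: the peer-wire handshake on TCP and DHT get_peers/announce_peer queries on UDP. The following is an added example (not LANGuardian code) that extracts it from both; the sample packets and the `summarise` helper are constructed for illustration.

```python
import ipaddress  # only used to validate the constructed sample addresses

PSTR = b"BitTorrent protocol"  # fixed protocol string in the peer-wire handshake


def bdecode(data, i=0):
    """Minimal bencode decoder (ints, byte strings, lists, dicts). Returns (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        out, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            out[k] = v
        return out, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError("bad bencode at offset %d" % i)


def info_hash_from_peer_handshake(payload):
    """TCP peer-wire handshake: <pstrlen=19><'BitTorrent protocol'><8 reserved><20 info_hash><20 peer_id>."""
    if len(payload) < 68 or payload[0] != 19 or payload[1:20] != PSTR:
        return None
    return payload[28:48].hex()


def info_hash_from_dht(payload):
    """UDP DHT (BEP 5) get_peers / announce_peer queries carry the info_hash in the 'a' dict."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, IndexError):
        return None
    if not isinstance(msg, dict) or msg.get(b"y") != b"q":
        return None
    if msg.get(b"q") not in (b"get_peers", b"announce_peer"):
        return None
    ih = msg.get(b"a", {}).get(b"info_hash") if isinstance(msg.get(b"a"), dict) else None
    return ih.hex() if isinstance(ih, bytes) and len(ih) == 20 else None


def summarise(packets):
    """packets: iterable of (src_ip, transport, payload) from an edge capture.
    Returns {src_ip: sorted info_hash hex list}: which internal hosts are talking BitTorrent,
    and for which downloads, without retaining the packets themselves."""
    seen = {}
    for src, transport, payload in packets:
        ih = (info_hash_from_peer_handshake(payload) if transport == "tcp"
              else info_hash_from_dht(payload))
        if ih:
            seen.setdefault(src, set()).add(ih)
    return {k: sorted(v) for k, v in seen.items()}


# Constructed sample traffic (not a real capture): one torrent client and one web client.
SAMPLE_INFO_HASH = bytes(range(20))
SAMPLE_HANDSHAKE = bytes([19]) + PSTR + b"\x00" * 8 + SAMPLE_INFO_HASH + b"-UT3550-" + b"0" * 12
SAMPLE_DHT_QUERY = (b"d1:ad2:id20:" + b"n" * 20 + b"9:info_hash20:" + SAMPLE_INFO_HASH
                    + b"e1:q9:get_peers1:t2:aa1:y1:qe")
SAMPLE_PACKETS = [
    ("192.168.1.23", "udp", SAMPLE_DHT_QUERY),   # DHT lookup for the torrent
    ("192.168.1.23", "tcp", SAMPLE_HANDSHAKE),   # then a peer-wire handshake
    ("192.168.1.40", "tcp", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # ordinary web traffic
]
assert all(ipaddress.ip_address(p[0]) for p in SAMPLE_PACKETS)

if __name__ == "__main__":
    for host, hashes in summarise(SAMPLE_PACKETS).items():
        print(host, hashes)
```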

Bittorrent Traffic With Usernames

If the download is associated with a private tracker you may not see any filenames. In that case you should look at the destination IP addresses as they can reveal a lot about the applications associated with the Bittorrent traffic. In the image below we can see that there is some Bittorrent activity associated with a client and looking at the destination IP addresses it would appear that the user has the uTorrent application installed.

Private Bittorrent Tracker

Tracking BitTorrent Traffic on Your Network

Download a free trial of LANGuardian today, if you would like to check for any BitTorrent activity on your network. It comes with a fully featured BitTorrent reporting engine together with Active Directory integration, so you can associate network activity with usernames.

Why a CCTV type system is a necessity for Monitoring Network Traffic

CCTV for computer networks

Why monitor network traffic?

The recent Equifax security breach resulted in hackers getting their hands on the sensitive personal information of 143 million American consumers. The breach lasted from mid-May 2017 through July 2017. The hackers accessed people’s names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers from about 209,000 people and dispute documents with personal identifying information from about 182,000 people; they also grabbed personal information of people in the UK and Canada.

This information was not carried in briefcases. It left the organization as a payload in network traffic, mixed in with the massive amounts of legitimate traffic that would have left Equifax during the hacking period. While it is good practice to have firewalls and threat detection systems, many of them rely on known signatures of exploit attempts. This approach fails if you are targeted with something new, or if your security applications are missing detection capabilities for a specific type of attack. This is one of the main reasons why you need to constantly monitor network traffic leaving and entering your network.

What is a CCTV system for monitoring network traffic?

When I talk about a CCTV type system for monitoring network traffic, I usually give this analogy. When we want to protect physical buildings, we invest in locks, gates, walls and other physical barriers to protect our property and physical assets.

We also invest in CCTV systems so that if there is a break in, we can see what is happening in real time and get recordings so we can look back over events. If you have a breach, it is important to know what happened so that we can make changes to prevent further breaches happening in the future. CCTV systems can also alert if someone enters a premises outside of normal working hours.

Monitoring network edge

Too often in the digital world, we forget about monitoring tools. Senior management often sees them as a ‘nice to have’ as there is no obvious payback. It is easy to get seduced into spending IT budgets on fancy firewalls and threat prevention systems as they can take an action. However, the Equifax hack has reminded us that we need eyes on our networks 24/7 and we need to keep historical records of who is connecting to what so that we can go back and see how someone hacked into our network.

network flows

A CCTV system for network traffic can be based on flow or packet analysis. If you use managed switches or if you have a router, you will have a data source. From this analysis, you need to be capturing information such as:

  • True application names as you cannot rely on port labels
  • Resource (URI) names
  • HTTP header fields
  • Web client information
  • DHCP data such as IP addresses, MAC and host-names
  • SMTP metadata such as email addresses and subject lines
  • BitTorrent Hash values
  • DNS SPAM detection
  • SMB and NFS metadata
  • Ingress and egress IP flows including IP addresses and port numbers
  • Associated GeoIP details
  • Packet counts
  • IP flow counts
  • Detect application layer attacks
  • Associated usernames
  • Accurate web domain names from DNS, HTTP or HTTPS traffic analysis

One of the most important things is that you get both a real-time and historical view of this data. Most network monitoring applications do real-time monitoring. Some do historical reporting but may age and compress data to cut down on disk usage. This is not ideal, as you will want to store as much detail as possible so that you can investigate historical events. Make sure you choose a forensics or monitoring application that retains all information captured.

Integrating IDS (Intrusion Detection System) and traffic analysis is also beneficial. This allows you to detect known attacks as well as providing extra context, like what connections were made and whether the attackers targeted any other systems on your network. You will only get good threat detection with packet analysis; flow analysis (NetFlow, IPFIX, etc.) will struggle as it does not look at packet payloads.

Your monitoring tool needs to be independent of edge equipment

Many firewalls now come with advanced logging and reporting capabilities. On paper, they tick boxes for both prevention and reporting. However, if your network is under attack you may find that these logs become inaccessible.

Some time ago I attended a JANET conference in the UK. A number of universities had been targeted with DDoS attacks. Many network managers spoke about how they struggled to understand what was happening, as their firewall logs were inaccessible or were filling up so quickly it was difficult to get an overall view of where the DDoS traffic was coming from. One of the recommendations from the conference was to ensure your monitoring tools were independent of edge devices such as firewalls or routers.

Don’t wait for a breach before investing in monitoring tools

The worst way to implement monitoring tools is to do so in the middle of an attack. You will never capture all the information you need and you may be rushed into buying tools that don’t address your requirements. Get something in place ASAP and use the CCTV analogy when discussing with senior management. In today’s world, you need to be watching over your network 24/7.

Game of Thrones, Dragons and Network Visibility?

Network Visibility

There once existed vast unexplored areas of the oceans that in apocryphal sea charts were marked off and labeled ‘Here be Dragons’; meaning no-one knew what was there, but the suspicion was, it couldn’t be good.

This week there’s talk of dragons of a different hue – for Game of Thrones fans; as the 7th season premieres around the world, it promises to be the most action-packed season yet, with dragons, treachery, White Walkers and so on. It also promises to be an action-packed time for networks and network managers, and treachery will play its part!

With the excitement of this premiere, many users may let their defences down as they try to download the latest episodes. Links to downloadable episodes provide excellent bait for delivering Ransomware and other malware to unsuspecting users. Even without the threat of malware, we’ve seen time and again how frequent media downloads can bring even the most stable networks to a stop when bandwidth provided for business operations is swallowed up.

Do you know what content your users are downloading and storing on fileshares, what sites your users are visiting, what copyrighted material is being downloaded and seeded by torrents through your firewall, what malware is being inadvertently downloaded and what it’s accessing on your network, do you know why that recently upgraded WAN link is at full capacity again? In other words, do you have blind spots? Or do you have continuous network visibility and the control it brings?

Visibility is a very common and maybe an overused term these days. However, it really is important to always have visibility into the various activities on your network, and also have drill down to rich detail and be able to understand and prove the root cause.

If you don’t know what is happening on your network, you can’t secure it or manage it properly.

NetFort’s LANGuardian is downloadable software that’s quick to configure and quickly gives you visibility into what’s on and what’s happening on your network. Understand what users, applications, and devices are on your network and what they are doing.

Visit netfort.com to watch our 3-minute video

Or else you’ll continue to have network blind spots, the ‘Here be Dragons’ areas; not sure what’s there, but can’t shake that feeling that it can’t be good.

Monitoring Network Traffic Going In and Out of Your Network

Why you need to watch out for traffic going in and out of your network

One of the most common requests from customers at the moment is the need to create LANGuardian reports which show what network traffic is entering and leaving their network. The recent WannaCry Ransomware outbreak has really made this type of reporting vital for all Network and Security Managers. WannaCry actively scanned for networks which had TCP port 445 opened and then used a vulnerability in SMBv1 to access network file shares.

Leaving Ransomware to one side, it is always good practice to keep a very close eye on your network perimeter. Even if you have a very good Firewall, mistakes can happen and rogue traffic will get through or users will use various methods including tunneling, external anonymizers and VPNs to get around firewall rules.

Defining what is your network edge

Typically, your network edge separates the local subnets on your network from all the external subnets out on the Internet. Many of you will use private addresses internally, but it is not uncommon to find public IP blocks in use as well. In order to report on what is entering and leaving your network, you need to define what subnets are in use. If you only use private address ranges then your internal networks could be represented as this list of subnets.

10.0.0.0/8,192.168.0.0/16,172.16.0.0/12

Creating subnet variables for use with LANGuardian reports

While you can use subnets directly within LANGuardian reports, you can save some time in the long run by using report variables. Click on the gear symbol top right and select Customization. From here, click on Report Variables and then Add New Report Variable.

  • Create a variable called External by using the subnet filter !10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
  • Create a variable called Internal by using the subnet filter 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12

Note that you will need to change the subnet lists above if you use public IP blocks inside your network. Just add them to the list using comma separators.

Top Tip: Add all of your remote sites and VLAN subnets as report variables to speed up troubleshooting. You can quickly see what applications are hogging bandwidth on WAN links by using LANGuardian to focus on traffic associated with the relevant subnet ranges.
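To make the Internal/External split above concrete, and to tie it back to the earlier advice about external clients hitting RDP, SSH, SQL and SMB ports or flooding NTP/DNS, here is an added example (not LANGuardian code) that applies the same subnet lists to flow records. It assumes the leading `!` negates the whole list, that flow records are `(src, dst, proto, dst_port, bytes)` tuples, and the scan and UDP volume thresholds are arbitrary constructed values.

```python
import ipaddress
from collections import Counter, defaultdict

# Internal address space as written in the post; append any public blocks you own.
INTERNAL = "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"

# Inbound TCP services called out in the post (RDP, SSH, SQL) plus SMB from the WannaCry discussion.
WATCHED_TCP_PORTS = {22: "SSH", 445: "SMB", 1433: "SQL", 3389: "RDP"}
# UDP services the post names as typical DDoS traffic at the gateway.
WATCHED_UDP_PORTS = {53: "DNS", 123: "NTP"}


def parse_subnet_filter(spec):
    """Parse 'a/b,c/d' or '!a/b,c/d'. Assumption: a leading '!' negates the whole list,
    which is how the External variable in the post is written. Returns (negated, networks)."""
    negated = spec.startswith("!")
    nets = [ipaddress.ip_network(s.strip()) for s in spec.lstrip("!").split(",") if s.strip()]
    return negated, nets


def matches(ip, spec):
    """True if ip satisfies the subnet filter (taking the '!' negation into account)."""
    negated, nets = parse_subnet_filter(spec)
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def classify_flow(src, dst, internal=INTERNAL):
    """Direction of a flow relative to the network edge defined by the internal subnet list."""
    s, d = matches(src, internal), matches(dst, internal)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "transit"  # neither side is internal: usually a sign the subnet list is incomplete


def review_edge_flows(flows, internal=INTERNAL, scan_hosts=3, udp_bytes_threshold=50_000_000):
    """flows: iterable of (src_ip, dst_ip, proto, dst_port, byte_count).
    Every inbound connection to a watched TCP port is reported (the post says to act on any);
    one external source touching >= scan_hosts internal hosts on a port is labelled a scan.
    Inbound UDP to NTP/DNS above udp_bytes_threshold is labelled a flood. Thresholds are assumed."""
    targets = defaultdict(set)  # (external src, port) -> internal hosts contacted
    udp_bytes = Counter()       # port -> inbound bytes
    for src, dst, proto, dport, nbytes in flows:
        if classify_flow(src, dst, internal) != "inbound":
            continue
        if proto == "tcp" and dport in WATCHED_TCP_PORTS:
            targets[(src, dport)].add(dst)
        elif proto == "udp" and dport in WATCHED_UDP_PORTS:
            udp_bytes[dport] += nbytes
    findings = []
    for (src, port), hosts in sorted(targets.items()):
        findings.append({"kind": "scan" if len(hosts) >= scan_hosts else "inbound",
                         "service": WATCHED_TCP_PORTS[port], "source": src,
                         "targets": sorted(hosts)})
    for port, total in sorted(udp_bytes.items()):
        if total >= udp_bytes_threshold:
            findings.append({"kind": "udp_flood", "service": WATCHED_UDP_PORTS[port], "bytes": total})
    return findings


# Constructed sample flow records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.0.0.5", "tcp", 445, 1200),       # one external host sweeping SMB
    ("198.51.100.7", "10.0.0.6", "tcp", 445, 1200),
    ("198.51.100.7", "10.0.0.7", "tcp", 445, 1200),
    ("203.0.113.9", "192.168.1.20", "tcp", 3389, 900),    # single inbound RDP connection
    ("10.0.0.5", "10.0.0.6", "tcp", 445, 50_000),         # internal SMB, ignored here
    ("192.168.1.20", "203.0.113.50", "tcp", 443, 80_000), # outbound HTTPS, ignored here
    ("203.0.113.77", "10.0.0.53", "udp", 123, 40_000_000),  # inbound NTP volume
    ("203.0.113.78", "10.0.0.53", "udp", 123, 30_000_000),
]

if __name__ == "__main__":
    for finding in review_edge_flows(SAMPLE_FLOWS):
        print(finding)
```

If you use a public block internally, append it to the list exactly as the post says (for example `INTERNAL + ",203.0.113.0/24"`) and the same flows reclassify accordingly.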

Network edge report variables

Creating custom LANGuardian reports to focus on network edge activity

There are two reports I recommend you look at when it comes to network edge activity.

  1. Top external clients connecting inbound to my network
  2. Internal to External traffic flows

The steps to create a custom Top Clients report are as follows:

  1. Use the search box to locate the Bandwidth :: Top Clients report
  2. Click on the Source IP/Subnet box and select External
  3. Click Run Report
  4. When LANGuardian displays the report, click Actions on the report menu bar and select Save As.
  5. Enter a name and description, then click Save

The new report will be listed in the My Reports section.

The steps to create a custom Internal to External report are as follows:

  1. Use the Search box to locate the Bandwidth :: Sessions report.
  2. Click on the Source IP/Subnet field and select Internal
  3. Click on the Destination IP/Subnet field and select External
  4. Click Run Report
  5. When LANGuardian displays the report, click Actions on the report menu bar and select Save As.
  6. Enter a Name and Description, then click Save.

The new report will be listed in the My Reports section.

network sessions

Take a read of this blog post, if you would like to learn more on how to monitor network traffic on your network. It contains some handy tips on how to get visibility as to what is happening inside your network.

How to detect SMBv1 use on your Network

SMBv1 file sharing

How can I find out if SMBv1 is being used on my network?

Even if you disable SMBv1 on all clients and servers, it is still good practice to check if any systems on your network are using this protocol. You may have un-managed systems like personal laptops or embedded operating systems within other network-connected devices. These are the most common ways to find out if SMB1 is in use on your network:

  1. Use a network traffic analysis system connected to a SPAN, mirror port or network TAP to monitor traffic associated with your file servers
  2. Run Get-SmbConnection on a client
  3. Scan your network using a vulnerability scanner
  4. Take a packet capture off the network and use Wireshark to identify what version of server message block you are running

What is SMBv1?

Server message block (SMB) is an application layer network protocol used typically to provide shared access to files and printers. It is also known as Common Internet File System (CIFS). Most data is transferred via TCP port 445, although it also uses TCP ports 137 and 139.

SMB was first used in Windows operating systems around 1992. Windows Server 2003 and older NAS devices use SMBv1 natively. It is a very inefficient protocol; Microsoft have advised all customers to stop using SMBv1. SMBv2 was introduced with Windows Vista in 2006 and the latest version is SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016.

Detect SMBv1 Scanning and SMBv1 active or established connections

Why all the attention about SMBv1?

In May 2017, the WannaCry Ransomware started to infect computer networks around the world. It was the first in the family of WannaCrypt Ransomware which targeted both locally stored data and network based file shares. It has become a huge problem, and most IT and Security Managers have made detecting WannaCry Ransomware their top priority.

There are three known attack vectors for WannaCry. Some computers were accessed directly, some people opened email attachments and some were redirected to websites where they downloaded the malware. Direct access is an unusual attack vector and occurred if a network allowed NetBIOS packets from external networks.

Data from antivirus provider Kaspersky Lab showed that 98% of the victims were actually running Windows 7. When the Ransomware first came out it was suggested that it was targeting Windows XP systems but the number of affected Windows XP systems looks to be insignificant.

This could be one reason for the widespread infection seen in this outbreak and why many people are unsure about the initial infection vector of the malware. All the more reason why you need to know what is going in and out of your network. Not just in real-time but also historically so you can look back and see what happened.

Once downloaded the malicious code in the zip file infects the local computer, which then does two things:

  • Encrypts the local filesystem
  • Attempts to infect other systems by exploiting a vulnerability in SMBv1 (EternalBlue)

A further exploit known as DoublePulsar is then used to create a backdoor and inject malicious DLLs into the target system’s kernel. The EternalBlue and DoublePulsar exploits are linked to tools originally developed by the NSA which were recently exposed by the Shadow Brokers group.

Passively Find Out What Systems Are Using SMBv1 on Your Network Without the Need For Logs

Use the deep packet inspection engine of LANGuardian to report on SMBv1 activity by IP address or Username. Real time and historical reports available. No need to install any agents or client software.

  • See what servers are allowing connections on SMBv1
  • Find out what clients are attempting to connect using SMBv1
  • Can be deployed as a virtual machine

All analysis is done passively using network traffic analysis and you will see results within minutes.

Customer Use Case – Is there a way to detect SMB1 traffic?

Way back in October 2016 a US public sector customer sent us this query

“Is there a way to detect SMB1 traffic? Microsoft recommends to stop using it so I’d like to see if it’s being used in our network.

IT Manager”

At that time our LANGuardian product could detect SMB traffic and extract metadata such as filenames and actions but it did not capture and store the SMB version. Our product management team looked at this and we decided to modify our SMB decoder to capture the following information

  1. Capture and store the SMB version of all SMB traffic.
  2. Generate an alert if a client or server establishes a connection using SMBv1
  3. Generate an alert if a client tries to connect to another network device using SMBv1

This use case also highlights the flexibility and power of using wire traffic data as opposed to logs to get visibility into the critical detail, in this case the SMB version. Some critical details like the SMB version may not be available from logs, but are available via network traffic analysis.

It is worth noting that at the time our customer did not have a Ransomware problem. They were being proactive by dealing with the SMBv1 problem before it could be exploited on their network. This is still very relevant today. Too many networks are still using SMBv1 and IT managers have no visibility into what protocols are being used on their internal networks.

What systems are at risk?

Any Windows system that supports SMBv1 and does not have patch MS17-010 applied is potentially at risk. This is not limited to just Windows Server 2003 and Windows XP clients. As far back as September 2016 Microsoft recommended the removal of SMBv1 from networks. Potentially all Windows clients on your network need to be checked and patched. Publicly available exploit code lists targets as:

  • Windows XP (all service packs) (x86) (x64)
  • Windows Server 2003 SP0 (x86)
  • Windows Server 2003 SP1/SP2 (x86)
  • Windows Server 2003 (x64)
  • Windows Vista (x86)
  • Windows Vista (x64)
  • Windows Server 2008 (x86)
  • Windows Server 2008 R2 (x86) (x64)
  • Windows 7 (all service packs) (x86) (x64)

Windows XP and Windows Server 2003 can only support SMBv1. Aim to cease use of these systems on your network, as they are end-of-life and Microsoft does not provide regular updates. The latest Windows 10 Insider build removes the SMBv1 server software. The SMB1 client remains, so that users can connect to devices still using the protocol, but the server side is gone.

What should I do?

Make sure you apply patch MS17-010. Disable SMBv1 on systems that can support SMBv2 and SMBv3. SMBv2 and SMBv3 are much more efficient and will use less network resources. Check your backups: are they running, and have you tested restoring data?

To disable SMBv1 you need to run these commands in PowerShell on each system.

  • Check for SMBv1
    • Get-SmbServerConfiguration | Select EnableSMB1Protocol
  • To disable SMBv1 on the SMB server
    • Set-SmbServerConfiguration -EnableSMB1Protocol $false

Further information on how to disable SMBv1 on other systems is available here. You can also disable SMBv1 via Group Policy preferences. This approach will allow you to configure and enforce the registry settings related to disabling SMBv1 client and server components for Windows Vista and Server 2008 and later.

Checking SMB version on a client

The version of SMB used between a client and the server will be the highest dialect supported by both the client and server.

This means if a Windows 10 machine is talking to a Windows Server 2012 machine, it will use SMB 3.0. If a Windows 8 machine is talking to Windows Server 2008 R2, then the highest common level is SMB 2.1.

To check which dialect version you are using, run the PowerShell cmdlet: Get-SmbConnection

Get-SmbConnection

Scan your network using a vulnerability scanner

Various vulnerability scanners may help with this, but they need to know which systems to query. Microsoft have released Desired State Configuration Environment Analyzer, a PowerShell module which can be used to scan a Windows Server 2012 R2 environment to see if any of the systems have SMB1 installed. Further reading in this post, which also contains a sample script.

Using packet capture and analysis to detect SMBv1 activity

One of the easiest ways to detect what versions of server message block you are using is to use network traffic capture. You can do this locally on a client or server or use a SPAN\Mirror port. Once you have a source of network packets you need to process them using a network traffic monitoring application.

Microsoft have some guides on how to use their Message Analyzer application to audit active SMB1 usage. Further reading on this page, which includes some screenshots of what to look out for. As per the image below, Wireshark can also be used to check for SMB1 connections from live traffic or from a PCAP file. However, Wireshark and Microsoft Message Analyzer do not monitor continuously and do not alert.
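What Wireshark shows you in the SMB negotiate exchange can be checked programmatically. This added example (not LANGuardian or Microsoft code) parses the SMB1/SMB2 NEGOTIATE request and response from raw TCP 445 payloads and reports which servers actually accepted an SMBv1 session and which clients offered nothing newer than SMBv1; the frames at the bottom are constructed, not captured.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB1_FLAGS_REPLY = 0x80            # set in the SMB1 header Flags byte on responses
SMB2_FLAGS_RESPONSE = 0x00000001   # SMB2_FLAGS_SERVER_TO_REDIR
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def strip_netbios(frame):
    """Drop the 4-byte NetBIOS session service header that precedes SMB on TCP 445/139."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(frame[1:4], "big")
    return frame[4:4 + length]


def parse_negotiate(frame):
    """Describe an SMB1 or SMB2 NEGOTIATE message; return None for anything else."""
    msg = strip_netbios(frame)
    if msg.startswith(SMB1_MAGIC) and len(msg) >= 33 and msg[4] == SMB1_COM_NEGOTIATE:
        body = msg[32:]                        # 32-byte SMB1 header, then WordCount
        word_count = body[0]
        if not msg[9] & SMB1_FLAGS_REPLY:      # client request: list of dialect strings
            byte_count = struct.unpack_from("<H", body, 1 + 2 * word_count)[0]
            start = 3 + 2 * word_count
            raw = body[start:start + byte_count]
            dialects = [d[1:].decode("ascii", "replace")
                        for d in raw.split(b"\x00") if d.startswith(b"\x02")]
            # A modern client lists "SMB 2.???" here (multi-protocol negotiate) so the server
            # can answer in SMB2; a client offering only SMB1 dialects can never be upgraded.
            return {"version": 1, "type": "request", "dialects": dialects,
                    "smb1_only_client": not any(d.startswith("SMB 2") for d in dialects)}
        dialect_index = struct.unpack_from("<H", body, 1)[0]
        # An SMB1-framed response with a valid DialectIndex means the session really runs
        # over SMBv1; 0xFFFF means the server accepted none of the offered dialects.
        return {"version": 1, "type": "response", "smb1_accepted": dialect_index != 0xFFFF}
    if msg.startswith(SMB2_MAGIC) and len(msg) >= 70:
        command = struct.unpack_from("<H", msg, 12)[0]
        flags = struct.unpack_from("<I", msg, 16)[0]
        if command != 0:                       # SMB2 NEGOTIATE is command 0x0000
            return None
        body = msg[64:]                        # 64-byte SMB2 header
        if flags & SMB2_FLAGS_RESPONSE:
            rev = struct.unpack_from("<H", body, 4)[0]
            return {"version": 2, "type": "response", "dialect": SMB2_DIALECTS.get(rev, hex(rev))}
        count = struct.unpack_from("<H", body, 2)[0]
        if 36 + 2 * count > len(body):
            return None
        revs = struct.unpack_from("<%dH" % count, body, 36)
        return {"version": 2, "type": "request",
                "dialects": [SMB2_DIALECTS.get(r, hex(r)) for r in revs]}
    return None


def audit(frames):
    """frames: iterable of (src_ip, dst_ip, payload). Returns (servers that accepted an
    SMBv1 session, clients that offered only SMBv1 dialects), both sorted."""
    smb1_servers, smb1_only_clients = set(), set()
    for src, dst, payload in frames:
        info = parse_negotiate(payload)
        if not info or info["version"] != 1:
            continue
        if info["type"] == "response" and info["smb1_accepted"]:
            smb1_servers.add(src)
        if info["type"] == "request" and info["smb1_only_client"]:
            smb1_only_clients.add(src)
    return sorted(smb1_servers), sorted(smb1_only_clients)


# Builders for the constructed sample frames below (minimal but correctly laid-out headers).
def _nb(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def smb1_negotiate_request(dialects):
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27   # Flags (offset 9) = 0
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    return _nb(header + b"\x00" + struct.pack("<H", len(data)) + data)

def smb1_negotiate_response(dialect_index):
    header = (SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4
              + bytes([SMB1_FLAGS_REPLY]) + b"\x00" * 22)
    return _nb(header + b"\x11" + struct.pack("<H", dialect_index) + b"\x00" * 34)

def smb2_negotiate_response(rev):
    header = SMB2_MAGIC + struct.pack("<HHIHHI", 64, 0, 0, 0, 1, SMB2_FLAGS_RESPONSE) + b"\x00" * 44
    return _nb(header + struct.pack("<HHH", 65, 1, rev) + b"\x00" * 59)

# Constructed sample exchange (not a capture): a legacy client/server pair and a modern pair.
SAMPLE_FRAMES = [
    ("10.1.1.50", "10.1.1.10", smb1_negotiate_request(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"])),
    ("10.1.1.10", "10.1.1.50", smb1_negotiate_response(1)),       # server chose NT LM 0.12: SMBv1
    ("10.1.1.51", "10.1.1.20", smb1_negotiate_request(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    ("10.1.1.20", "10.1.1.51", smb2_negotiate_response(0x0311)),  # server answered in SMB 3.1.1
]

if __name__ == "__main__":
    print(audit(SAMPLE_FRAMES))
```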

Should I worry about non Windows operating systems?

The main target for Ransomware is Windows based file shares. However, variants such as KeRanger are designed to target macOS systems. In recent days the Samba team released a patch (CVE-2017-7494) on May 24 for a critical remote code execution vulnerability in Samba, the most popular file sharing service for all Linux systems.

All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

There is a high probability that this could be the target of a Linux specific Ransomware variant. It is even trending as SambaCry on Twitter at the moment. According to the Shodan computer search engine, more than 485,000 Samba-enabled computers exposed port 445 on the Internet. The main advice you can take from this is to make sure you patch vulnerable Linux systems and close access to TCP port 445 on your firewall if it is not needed.

What does LANGuardian do and how can it monitor SMBv1 traffic?

Deep Packet Inspection Software can monitor all client network connections and if equipped with sufficiently sophisticated application layer decoders, can determine the version of SMB protocol that is being used. All you need is a data source which is typically a SPAN\Mirror port or network TAP. Our own LANGuardian product includes a deep packet inspection engine which can be used to monitor network traffic on any network that has a managed switch.

LANGuardian can detect, report and alert on the following scenarios:

  • A client connection request to any server, using SMBv1 protocol
  • A successful connection response from a server using SMBv1
  • Any file share actions (file write, rename, read etc) transacted using the SMBv1 protocol

The advantages of this continuous monitoring are:

  • Any attempt by an infected client to infect any other system on the network (lateral movement) via SMBv1 can be detected. It is not possible for a client to hide its “network traffic trail”
  • Clients do not have to be known by the monitoring system beforehand (so monitors managed and unmanaged devices)
  • Detects embedded systems that may not be patched
  • No endpoint software is needed such as agents or client software
  • Very easy to deploy, simply SPAN or mirror the traffic to and from the file share servers (usually on the same VLAN) to get instant visibility
  • No logs are required, no configuration changes or extra load on servers

The video below shows LANGuardian in action and how it can be used to root out SMB1 clients and servers on your network.

Full Packet Capture now available in LANGuardian

Network packet capture

We regularly get feature requests from our customers which are always very welcome. Such requests can greatly influence our road-map, while also highlighting that our customers are actively using our products. Recently a number of customers asked us to add direct or full packet capture. Specifically, they wanted a way to capture a small amount of very specific traffic.

At the core of LANGuardian is a metadata extraction engine where raw network packets are analyzed. User and application data such as usernames, filenames and website domains are extracted and stored in a database which can then be used for real time or historical troubleshooting.

However, there may be times where you may need access to the raw network packets. Typical use cases would include:

  • More detail for troubleshooting issues. Earlier, I was looking at a DHCP issue on my network, and I took a capture of the DHCP traffic to see if there was anything interesting in the packet payloads.
  • Capture specific traffic which then can be used to build custom IDS signatures or for developing firewall rules.
  • Application traffic sampling for building custom application signatures.

As LANGuardian packet sensors are typically connected to the network core, they have access to a rich data source. Applications such as Wireshark can easily be overloaded if you connect them directly to a SPAN or mirror port. The LANGuardian packet capture feature allows you to create packet captures based on:

  1. Network interface
  2. Packet and flow filters
  3. Packet count

Take a look at this short video below, as it shows how a packet capture was setup to grab 100 TCP packets where the destination port was set to 80.

If you would like to try this packet capture feature for yourself, download a 30-day trial of LANGuardian here.

Monitoring OneDrive Traffic

monitor onedrive traffic

How to monitor OneDrive traffic

OneDrive is a file hosting service developed by Microsoft that allows users to sync files and later access them from any web browser or mobile device. At the time of writing, the basic free OneDrive package allows for 5GB of storage and you can upgrade to a premium offering which allows for 1TB. Syncing that much data can result in high bandwidth use associated with OneDrive traffic.

A common question asked by our customers is how to provide reports about flow data usage by the Microsoft OneDrive application. The application requires access to a range of external websites and port numbers which can make it tricky to get a top level view of bandwidth use.

From an IP lookup point of view, all of the IP addresses are registered to Microsoft, so you may not be able to say definitively that it was OneDrive activity using IP lookup alone.

Firstly, all of the traffic is encrypted; ignore the HTTP part in the image, as that was me browsing other sites. This is standard practice for all cloud storage services. I would be very surprised to find one that was not using encryption and if so, I would refuse to use it.

Drilling down on the HTTPS traffic, it revealed that the data was associated with the live.com domain. This would make perfect sense as OneDrive is included in the suite of online services formerly known as Windows Live.

onedrive domains

Further analysis highlights that this activity is associated with storage sub domains within live.com. LANGuardian captures this by dissecting the server’s SSL certificate and extracting the server/domain name from it. Note that the certificate is only visible on the wire with TLS 1.2 and earlier; TLS 1.3 encrypts it, so the Server Name Indication (SNI) field in the client’s ClientHello, which is sent in the clear, is the more durable place to read the hostname. By filtering on this sub domain info, it is then possible to show how much data is associated with OneDrive.

associated onedrive traffic domains
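To show what “extracting the server name from the handshake” involves, here is an added Python example (it is not code from the original post or from LANGuardian). It parses the SNI extension out of a TLS ClientHello, which is readable in the clear for TLS 1.2 and 1.3 alike, matches the hostname against a OneDrive suffix, and sums bytes per client for matching flows. The storage.live.com suffix is taken from the sub domain discussed above; the client hostnames, addresses and byte counts are constructed.

```python
import struct

# Assumed OneDrive host suffix: the post identifies "storage" sub domains of live.com.
# Extend this from your own traffic; it is a placeholder, not a complete list.
ONEDRIVE_SUFFIXES = ("storage.live.com",)


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension (test input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name          # name_type host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
    other_ext = struct.pack(">HH", 0x002B, 3) + b"\x02\x03\x04"          # supported_versions
    exts = other_ext + sni_ext
    body = (
        b"\x03\x03" + bytes(32)                      # client_version, random
        + b"\x00"                                    # session_id length 0
        + struct.pack(">H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one compression method (null)
        + struct.pack(">H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    try:
        if record[0] != 0x16:                                     # not a handshake record
            return None
        rec_len = struct.unpack_from(">H", record, 3)[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                         # not a ClientHello
            return None
        pos = 4 + 2 + 32                                          # hs header, version, random
        pos += 1 + hs[pos]                                        # session_id
        pos += 2 + struct.unpack_from(">H", hs, pos)[0]           # cipher_suites
        pos += 1 + hs[pos]                                        # compression_methods
        if pos + 2 > len(hs):
            return None                                           # no extensions block
        ext_end = pos + 2 + struct.unpack_from(">H", hs, pos)[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(hs)):
            etype, elen = struct.unpack_from(">HH", hs, pos)
            edata = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:                                   # only server_name matters
                continue
            lp = 2                                                # skip server_name_list length
            while lp + 3 <= len(edata):
                ntype = edata[lp]
                nlen = struct.unpack_from(">H", edata, lp + 1)[0]
                lp += 3
                if ntype == 0:
                    return edata[lp:lp + nlen].decode("ascii", "replace")
                lp += nlen
        return None
    except (IndexError, struct.error):                            # truncated or malformed
        return None


def is_onedrive(server_name: str) -> bool:
    host = server_name.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ONEDRIVE_SUFFIXES)


def onedrive_volume(flows):
    """flows: iterable of (client_ip, first_client_packet, bytes_in_flow).
    Returns (total OneDrive bytes, {client_ip: bytes}) based on the SNI of each flow."""
    total, per_client = 0, {}
    for client, first_packet, nbytes in flows:
        sni = extract_sni(first_packet)
        if sni and is_onedrive(sni):
            total += nbytes
            per_client[client] = per_client.get(client, 0) + nbytes
    return total, per_client


# Constructed flows; the tenant hostname is made up
SAMPLE_FLOWS = [
    ("10.0.0.5", build_client_hello("contoso-my.storage.live.com"), 350_000_000),
    ("10.0.0.5", build_client_hello("www.netfort.com"), 2_000_000),
    ("10.0.0.8", build_client_hello("storage.live.com"), 40_000_000),
    ("10.0.0.8", b"\x17\x03\x03\x00\x05hello", 500),     # application data: no SNI to read
]

if __name__ == "__main__":
    print(onedrive_volume(SAMPLE_FLOWS))
```

The first client packet of each TLS session is all you need to keep; the byte counter for the rest of the flow can come from your flow or packet tool. Encrypted Client Hello (ECH), where deployed, hides the SNI too, so treat a missing name as “unknown” rather than “not OneDrive”.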

Finally, looking at the GeoIP data, I can see that the IP addresses are registered in the US. Nothing strange here, as I think all of Microsoft’s IP blocks are US registered.

onedrive geoip information

If you want to check for OneDrive traffic volumes on your network, download a 30-day trial of LANGuardian, install it on a standard server, VMware or Hyper-V, connect it to a SPAN port or port mirror, and find out what is happening on your network within minutes.

Looking back at our 2016 Top Blog Posts

2016 Top Blog Posts

2016 Top Blog Posts

As we look back on 2016, we review our top 5 blog posts from the year that highlight key challenges and share solutions on how we have helped our customers (I know most like to show their top 10 blog posts, but we think that’s too many to read all at once!).

1. Tracking Web Activity by MAC Address (Read)

Tracking web activity is nothing new! For many years, IT managers have tried to get some sort of visibility at the network edge so that they can see what is happening. One of the main drivers for this is the need to keep the network secure no matter what type of device gets connected. As Internet usage is constantly growing, malicious, phishing, scamming and fraudulent sites are also evolving. In this post, we take a look at how to track web activity back to MAC addresses.

2. Five Methods for Detecting Ransomware Activity (Read)

New variants of Ransomware appear on a daily basis and traditional security tools like antivirus are struggling to keep up. New variants have also changed the way they encrypt files and what happens to your data once it is encrypted. Here, we take a look at 5 methods for detecting and alerting on Ransomware activity.

3. Forensic Analysis of a DDoS Attack (Read)

2016 was a busy year for DDoS style attacks and a recent article from the BBC also suggests that website-crippling cyber-attacks are set to rise. We look at what happens when a network is targeted and what you should watch out for on your own network.

4. Monitoring multiple VLANs with a single SPAN session (Read)

SPAN or mirror ports can be a rich source of network and user activity data. Most people set them up so that one port is mirroring another port. However, most switches support many-to-one port mirroring and some even support VLAN monitoring. In this post, we look at how you can configure VLAN monitoring on a Cisco switch.

5. Building Your Own Cryptolocker Monitoring Dashboard (Read)

This is the second Ransomware themed post in our top 5 which indicates how much of a problem Ransomware was in 2016. In this post, we look at how you can build a LANGuardian dashboard to focus on suspicious network file share activity.

Let us know what your favorite blogs were in 2016 in the comments below – and perhaps, tell us what you would like us to cover. We are always listening!

So that you don’t miss any of our blogs in 2017, subscribe here!

GeoIP Use Cases for Network Traffic Analysis

Using GeoIP for Network Traffic Analysis & Security Monitoring

GeoIP refers to the method of estimating a network device’s geographic location from its IP address, using a database that maps address blocks to the country or city where they are registered or announced. The result tells you where the address is registered, not necessarily where the machine physically sits, but it is still very useful for identifying where your data is going or for spotting suspicious activity on your network.

For many Network Administrators, Wireshark continues to be the tool of choice when it comes to troubleshooting network issues. I use it all the time myself and it is excellent for diagnosing issues associated with a single client or host. You can also integrate GeoIP databases with Wireshark so you can see countries associated with IP packets.

However, Wireshark struggles when it comes to monitoring traffic flowing through a switch, especially at the network core. You will end up with too much data and it can be hard to spot problems.

wireshark

This is where our LANGuardian product fits in, as you can use it to monitor network traffic on your network. You simply need to deploy it as a physical or virtual appliance, setup a SPAN or mirror port and you are good to go! I am using a beta version of LANGuardian with GeoIP features in my home lab and I am using it for some interesting use cases.

GeoIP Use Case #1: Where is my data going?

I use a lot of cloud services for both personal and work tasks. If we upload something to Google drive or synchronize something with Dropbox, do we care about where our data goes? For most people, the answer to that is no, but if you are dealing with sensitive data, then you may want to check this out.

Thankfully most cloud service providers encrypt all sessions now, but that makes things difficult for network monitoring tools. However, if you use a product like LANGuardian which can extract metadata from network packets then you can get an understanding as to what is happening. In the example below, we can see encrypted connections from my network to Google drive addresses which are registered in the US.

GeoIP Use Case 1

GeoIP Use Case #2: What servers are users\devices connecting to outside my network?

Watch out for any connections to servers in countries where you would not expect them. For example, on my network I noticed a lot of traffic associated with a server in The Netherlands. Drilling down on this revealed the traffic was associated with connections over UDP 443, which is typical of private VPN connections. Bear in mind that QUIC, used by Google services and a growing number of other web servers, also runs over UDP 443, so check what the payload looks like before treating it as a VPN.

GeoIP use case 2

GeoIP Use Case #3: Check for suspicious inbound activity

Most networks will have a very strict policy on what traffic is allowed inbound. By inbound I mean connections established by a client or server outside the network perimeter. Typically this will be limited to services like email. A review of the activity within my lab showed some activity associated with UDP connections. Further analysis revealed this to be BitTorrent activity; a high, non-standard server port is one more indicator of BitTorrent, although on its own it is not proof.

GeoIP use case 3

GeoIP Use Case #4: When investigating IDS\security events, what are the associated countries?

When you are investigating a security issue you need to have as much data as possible. What devices were targeted, where did the activity come from, what applications were used, was any data copied etc. In this next image, we can see that an IDS event has triggered due to BitTorrent activity and the client in question has made connections to other clients in many different countries.

GeoIP use case 4
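The four use cases above are each a query over the same kind of record: who opened the connection, to whom, and in which country the remote address sits. The Python below is an added example, not LANGuardian code, that runs those four checks over constructed flow records. The GeoIP table maps the RFC 5737 documentation prefixes to made-up countries (a real deployment would query MaxMind GeoLite2 or similar), and the hosts, ports and byte counts are invented.

```python
import ipaddress

# Constructed GeoIP table: RFC 5737 documentation prefixes mapped to made-up countries.
GEOIP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "NL",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def lookup_country(ip):
    """Longest-prefix match against GEOIP_TABLE; None for unknown addresses."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country in GEOIP_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else None


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


# Constructed flow records: (initiator, responder, proto, responder_port, bytes).
# The initiator is the side that opened the connection (sent the SYN, or the first
# UDP datagram); that is what separates inbound from outbound in the checks below.
SAMPLE_FLOWS = [
    ("10.1.1.20", "192.0.2.10", "TCP", 443, 5_000_000),       # use case 1: cloud upload, US
    ("10.1.1.21", "198.51.100.7", "UDP", 443, 120_000_000),   # use case 2: UDP/443 to NL
    ("203.0.113.44", "10.1.1.50", "UDP", 51413, 900_000),     # use case 3: inbound, high UDP port
    ("203.0.113.45", "10.1.1.50", "UDP", 51413, 700_000),
    ("192.0.2.99", "10.1.1.5", "TCP", 25, 40_000),            # inbound SMTP, expected
    ("10.1.1.50", "203.0.113.9", "TCP", 6881, 300_000),       # use case 4: one host, many countries
    ("10.1.1.50", "198.51.100.3", "TCP", 6889, 200_000),
]


def outbound_to_unexpected(flows, expected_countries):
    """Use cases 1 and 2: internal hosts sending data to countries outside the expected set."""
    hits = []
    for src, dst, proto, port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            country = lookup_country(dst)
            if country not in expected_countries:
                hits.append((src, dst, country, proto, port, nbytes))
    return hits


def suspicious_inbound(flows, allowed_services):
    """Use case 3: externally initiated connections to anything but allowed (proto, port) pairs."""
    return [(src, dst, proto, port) for src, dst, proto, port, _ in flows
            if not is_internal(src) and is_internal(dst)
            and (proto, port) not in allowed_services]


def peer_countries(flows, host):
    """Use case 4: every country a given host exchanged traffic with, in either direction."""
    countries = set()
    for src, dst, *_ in flows:
        other = dst if src == host else src if dst == host else None
        if other is not None and not is_internal(other):
            countries.add(lookup_country(other))
    return countries


if __name__ == "__main__":
    for hit in outbound_to_unexpected(SAMPLE_FLOWS, {"US"}):
        print("outbound to unexpected country:", hit)
    for hit in suspicious_inbound(SAMPLE_FLOWS, {("TCP", 25)}):
        print("unexpected inbound:", hit)
    print("10.1.1.50 peers by country:", sorted(peer_countries(SAMPLE_FLOWS, "10.1.1.50")))
```

The direction field is the part people get wrong: a flow record that only has “source” and “destination” of individual packets cannot tell inbound from outbound, so make sure your flow source records which side initiated the session.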

If you are interested in testing a beta version of our GeoIP integration, please email us at: support@netfort.com

Is it the Network or is it the Server?

Is it the network or is it the server

Is it the network?

No matter how well we design networks, servers and applications can run slow or go offline completely. Some of this may be down to too many users accessing a service, hardware failures or security issues, to name but a few. The problem is that everyone will blame the network and it will be up to you to answer the question “is it the network or is it the server?”.

To be in the position to answer this question, you need data and this data can be acquired from network monitoring tools or log files. The important thing is to set these up now and not wait for problems to happen. There are hundreds of monitoring tools available and the trick is to get one to give you the right level of detail to get to the root cause of network and application issues.

Troubleshooting Example

For this example, I am going to focus on a web application which was reported to have been running slow. The story is based around a real world problem that I worked on recently; it is a straightforward client and single server configuration. However, I will look at tiered applications in a later post.

For most server troubleshooting scenarios, I start off by looking at what is happening on the network before moving on to look at what is happening locally on the server. My tool of choice is LANGuardian, which is set up to monitor network traffic going to/from important servers.

The first data set I look at is total traffic to the server broken down by protocol. Normally you would see most traffic associated with open TCP ports on the server; if media streaming applications are in use, you may see more traffic associated with UDP. As I am focusing on a web server, the ratios in the image below look correct: a lot more TCP traffic compared to UDP traffic. If the server were being targeted by a volumetric DDoS attack you would often also see a lot more UDP traffic.

Total network traffic associated with server

The next step is to drill down on the traffic volumes and see what applications are in use. NetFlow based tools will try to label applications based on TCP/UDP port numbers. In my case, I am using network packets as a data source, so the application labels are based on the packet contents, which is a lot more accurate. The top two applications are file sharing and web, which looks normal as that is what the server is used for.

Applications associated with server

Moving on, I next take a look at the connection rates to the server. This report shows something interesting in that one client seems to be establishing a lot of connections to the server. The report is looking at a 20 minute time frame, which suggests automation rather than a user connecting to the server. At this stage, it looks like the answer to the question “is it the network” is no. The evidence so far suggests a user or application problem.

Total network connections to server

The next drill-down reveals the root cause for our server issue. A user called Laura.Ashton is accessing a resource called stress.htm on the server. Detail like this is called metadata, certain data fields which are captured from network traffic. A call to the user confirmed that they were running test scripts to check server performance under load. They stopped the scripts and server performance returned to normal.

user metadata

Metadata is fast becoming a must-have data source for troubleshooting security and operational issues. It is one of the main reasons why tools which monitor network traffic are seen as the next step up from flow based tools. Recently we asked a customer “What issue/requirement has the LANGuardian addressed for you?” Their response was “To get a deeper look into the traffic flow in and out of our network. It also allowed us to see what was hogging data.” For this customer, use cases like the one covered in this post are a regular thing and so tools like LANGuardian are a must have to answer that age old question of “Is it the network or is it the server“.

Get an alert when certain traffic is found on the network

Custom reports and alerts associated with certain protocols

We just received this interesting request into our support desk “Is it possible to get an alert when certain traffic is found on the network. For example when TFTP or FTP is used we get an email“. IT professionals want to know when there is suspicious traffic moving around their networks. Sometimes this is because of data exfiltration use cases and in others it is down to quickly identifying when external hosts are accessing data on the LAN or WAN.

Content based application recognition

LANGuardian uses a feature called content based application recognition to identify what applications are running on a network. This is more accurate than technologies which use TCP/UDP port numbers to label network traffic. LANGuardian identifies applications by looking at packet payloads, so if an application uses a non-standard port number it is still detected.
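To make the difference between port-based and content-based labelling concrete, here is an added Python example (not the product’s own signatures) that classifies FTP and TFTP from the first bytes of a packet and raises one alert per conversation, noting when the application is running on a port other than its usual one. The packets, hosts and filenames are constructed. Two details matter in practice and are handled here: a “220” greeting is shared with SMTP, so the banner must name FTP, and USER/PASS/LIST/RETR are also POP3 commands, so only FTP-specific commands count.

```python
import struct

TFTP_MODES = {b"netascii", b"octet", b"mail"}
# Commands that exist in FTP but not in POP3 (which also uses USER, PASS, LIST, RETR)
FTP_ONLY_COMMANDS = (b"STOR ", b"PASV", b"EPSV", b"PORT ", b"CWD ", b"TYPE ", b"SYST", b"FEAT")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
STANDARD_PORTS = {"TFTP": 69, "FTP": 21, "HTTP": 80}


def classify_payload(proto: str, payload: bytes) -> str:
    """Label the application from packet content alone; port numbers are never consulted."""
    if proto == "UDP" and len(payload) >= 4:
        opcode = struct.unpack_from(">H", payload)[0]
        if opcode in (1, 2):                                  # TFTP RRQ / WRQ
            fields = payload[2:].split(b"\x00")               # filename, mode, ...
            if len(fields) >= 2 and fields[1].lower() in TFTP_MODES:
                return "TFTP"
    if proto == "TCP":
        first_line = payload.split(b"\r\n", 1)[0]
        # Server greeting: "220 " is shared with SMTP, so require the banner to say FTP
        if first_line.startswith((b"220 ", b"220-")) and b"FTP" in first_line.upper():
            return "FTP"
        if first_line.startswith(FTP_ONLY_COMMANDS):
            return "FTP"
        if first_line.startswith(HTTP_METHODS) or first_line.startswith(b"HTTP/1."):
            return "HTTP"
    return "unknown"


def alert_on_apps(packets, watch_apps):
    """packets: iterable of (src_ip, dst_ip, proto, src_port, dst_port, payload).

    Returns one alert line per conversation (either direction) the first time a
    watched application is seen, flagging use of non-standard ports.
    """
    seen, alerts = set(), []
    for src, dst, proto, sport, dport, payload in packets:
        app = classify_payload(proto, payload)
        key = (frozenset((src, dst)), app)          # one alert per conversation
        if app not in watch_apps or key in seen:
            continue
        seen.add(key)
        on_standard_port = STANDARD_PORTS.get(app) in (sport, dport)
        note = "" if on_standard_port else f" on non-standard ports {sport}/{dport}"
        alerts.append(f"{app} detected {src} -> {dst}{note}")
    return alerts


# Constructed packets; hosts, ports and filenames are made up
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", "UDP", 50123, 69, b"\x00\x01boot.cfg\x00octet\x00"),        # TFTP read
    ("10.0.0.6", "203.0.113.8", "UDP", 50124, 53, b"\x00\x02dump.tar\x00octet\x00"),     # TFTP write on 53
    ("203.0.113.8", "10.0.0.7", "TCP", 2121, 40001, b"220 files.example FTP server ready\r\n"),
    ("10.0.0.7", "203.0.113.8", "TCP", 40001, 2121, b"STOR payroll.xlsx\r\n"),
    ("10.0.0.8", "10.0.0.9", "TCP", 40002, 80, b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.8", "10.0.0.12", "TCP", 40003, 110, b"USER bob\r\n"),                        # POP3, not FTP
    ("10.0.0.5", "10.0.0.9", "UDP", 50125, 69, b"\x00\x01other.cfg\x00octet\x00"),       # repeat, no alert
]

if __name__ == "__main__":
    for line in alert_on_apps(SAMPLE_PACKETS, {"FTP", "TFTP"}):
        print(line)
```

Run against a SPAN of the Internet gateway, the interesting output is exactly the line the support request was after: a TFTP write to an external host that would never show up in a port-based report because it is hiding on UDP/53.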

Creating custom reports to focus on certain applications

Before you can configure application alerting you first need to create a report that focuses on a specific application. Log on to your LANGuardian web console and click on the All Reports menu. Select the More option under the Applications section.

Report on protocols
  • Click on the report Top Talkers by Application.
  • Click on Show More link which exposes the full set of report filters on the right.
  • From the protocol drop-down, select the application that you want to focus on. For my example I am going to choose HTTP.
  • Run the report to check for any network activity associated with that application.
  • As per the image below, click on the Actions option and choose Save As. Type in an appropriate report name and save your custom report.

Get an alert when certain traffic is found on the network

Once you have the report saved you can then configure alerting if traffic associated with the report filters is detected. To enable this you need to:

  • Click on gear symbol top right and select settings
  • From the Alerts, Reports section select Email and alerts configuration
  • Click on Report Wizard
  • Scroll down to the custom section and select every 2 hours from the Send Alert drop down

Repeat the process for each application that you want to get an alert on. Your LANGuardian will run each report automatically every two hours. If activity is detected an alert is sent.

How to conserve YouTube bandwidth usage

Monitoring YouTube Bandwidth Usage

How to conserve YouTube bandwidth usage on any network

How to conserve YouTube bandwidth usage is an issue faced by many network managers. YouTube is one of the most popular services on the Internet and, for me, it is my number one go to resource for technical information and entertainment.

My favorite channels range from a guy who takes apart random electronic devices to another, who can repair anything on four wheels; I think everyone has their favorites. The YouTube interface hasn’t changed very much over the years, but the quality of the videos has increased significantly.

One of the reasons YouTube network activity seems to have increased in recent years is not necessarily that the social media channel has become more popular. It has more to do with YouTube bandwidth requirements. 4k video support was added in 2010 and more recently 4k streaming support was announced. So, without doubt, YouTube bandwidth usage is at the forefront of most Network Managers’ minds.

Blocking YouTube Network Activity is Not an Ideal Solution

YouTube in the workplace has always been a difficult relationship. HR departments worry about employees wasting time watching videos, and IT or Network Administrators worry about the way it can consume bandwidth. Blocking YouTube is never a great idea, as essentially you will end up blocking access to a fantastic learning resource.

Blocking introduces a further issue, in that people will try to find a way around this block.  Applications like Hola allow users to get around web filters. When this happens their attack surface increases, as they will be able to access any website, including those hosting malware. If you want to monitor network traffic for this type of activity, I took a look at how you can use DNS metadata to see those clients running applications like Hola in a previous blog post.

One way to conserve YouTube bandwidth usage is to get users to watch videos at lower resolution. There is a massive difference in bandwidth use if you watch a video at the lowest setting when compared to the maximum. YouTube will always try and use the maximum setting, so you can have the best viewing experience.

If employees need YouTube access during work hours, they will rarely need to watch videos in high definition. Dropping down to 480p or less will result in less bandwidth use and less congestion at Internet gateways. Provided users comply with acceptable use policies, this way to conserve YouTube bandwidth usage should keep both HR Departments and Network Administrators happy.

YouTube Bandwidth Usage

How much bandwidth does YouTube use?

Lets take a look at YouTube bandwidth use when different resolution settings are selected. For these tests, I used our own LANGuardian product to monitor traffic on my Internet gateway. The graphs show bandwidth use on my Internet gateway over the course of about 2 hours, as I watched one video on YouTube and increased the resolution settings during this time period.

YouTube @ 144p

Watching YouTube videos at the lowest resolution used up about 0.1Mb/s of bandwidth on my test network. However, the quality of the playback was poor. It is ideal if you just want to listen to some music with the video part minimized.

YouTube 144p

YouTube @ 480p

Increasing the resolution up to 480p increased bandwidth use up to around 1.6Mb/s. For most YouTube playback in the workplace, this is a good setting. Video and audio will be clear.

YouTube 480p

YouTube @ 1080p

Once you start playing YouTube videos in HD mode you start to eat up enough bandwidth to put a dent in many Internet connections. My own tests reported YouTube bandwidth use at around 3.5Mb/s while watching a single video in 1080p HD mode. As I mentioned earlier, there is no need to be streaming content at these rates for most use cases.

YouTube 1080p

YouTube @ 2160p

Watching YouTube videos at the current highest resolution of 2160p (also known as 4k) will eat a lot of bandwidth. For my own test, I showed levels around 20Mb/s while watching one video. This can increase to 30Mb/s if your playback equipment can support it.

YouTube 2160p

The Benefits of Monitoring YouTube Network Traffic

Being able to monitor YouTube usage in such detail has its benefits. Network managers can identify when users are exceeding acceptable use YouTube bandwidth requirements – even on wireless connections – and impose bandwidth limits on YouTube network traffic to stop persistent offenders.

Monitoring YouTube network traffic with a deep packet inspection solution such as LANGuardian can also help resolve network issues such as WAN connectivity problems. With LANGuardian, Network Administrators are able to detect the root causes of the issues and resolve them quickly.

Monitoring a network to control and conserve YouTube bandwidth usage is therefore a better solution than blocking access to the social media site or trying to enforce an unenforceable acceptable use policy. If you allow YouTube network activity in the workplace, and monitor YouTube usage effectively, you could resolve many more issues than employees wasting time watching videos.

Conclusion: Education rather than eradication

In my experience, it is better to educate users on the appropriate use of YouTube during normal business hours. You will find that it is almost impossible to eradicate YouTube from the workplace. So, it is best to have network traffic monitoring tools in place to check on YouTube bandwidth usage. If someone is continuously hogging bandwidth, remind them of your fair usage policy! Finally, if you need to research something, watch your videos in low resolution where possible.

Why Monitoring Network Traffic is important during the Holidays

Monitoring network traffic

Monitoring network traffic around holiday events

Thanksgiving and Black Friday have come and gone and to those of you who celebrated either, I hope you had a good one! Holiday events like this can bring extra challenges when it comes to keeping networks running securely and efficiently. Cyber criminals exploit times like this with anything from fake purchase invoices to malware attached to shipping notifications.  One way to keep your network secure is to monitor network traffic so you can see what is happening on your network.

Once you start monitoring network traffic, you need to watch out for suspicious traffic patterns or new devices connecting to your networks. The best way to do this is via network packet capture. If you are unsure where to start, check out this recent blog post which looks at where you should be analyzing network traffic on your network.

Detecting Hola and other anonymizers

Over the past week, I have noticed an increase in the use of a browser plugin called Hola. It is used to get around web filters and to anonymize web browsing. I am not a huge fan of web filters unless they are used to block access to malware sites or illegal content.

Occasionally, I see Network Managers blocking sites like YouTube as they use a lot of bandwidth; this can frustrate users as YouTube has a lot of useful and work related content. Instead, users should be educated on how to watch videos in lower resolutions and thus reduce bandwidth use. If users are blocked from accessing sites, they will look for ways around this, and this can expose the network to other security risks.

The danger of plugins like Hola is that they can expose users to sites which can cause problems like Ransomware infections. Cybercriminals know that users may be more vulnerable around Thanksgiving or Black Friday. Users may be more inclined to click on a link to a silly Thanksgiving video or try to access a website which is advertising amazing discounts.

One way to detect the presence of Hola clients on your network, is to check for DNS requests associated with the Hola website. You can do this by monitoring network traffic going to and from your Internet gateway. Once you have traffic monitoring in place, you can use a tool like LANGuardian to extract the DNS metadata from the network packets. The image below shows an example of this; here, we can see that a client was detected sending DNS queries associated with the Hola service.

Detecting Hola Traffic
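The DNS check described above is simple to reproduce on raw packets. The Python below is an added example (not LANGuardian code) that decodes the question section of DNS messages, including compression pointers so that responses parse as well as queries, and lists the clients whose lookups match a watched domain. The hola.org suffix is an assumption to confirm against your own DNS data, and the client addresses and the cdn.hola.org subdomain are constructed.

```python
import struct
from collections import defaultdict

# Assumed domain suffix for the Hola service; confirm it against your own DNS data
# before alerting on it, as it is not taken from the original post.
WATCH_SUFFIXES = ("hola.org",)


def build_dns_query(qname, txid=0x1234):
    """Construct a standard DNS A query for qname (test input)."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD set, one question
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_name(msg, offset, depth=0):
    """Decode a DNS name at offset, following compression pointers.
    Returns (name, offset_after_name)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                                 # compression pointer
            if depth > 5:
                raise ValueError("pointer loop")
            pointer = struct.unpack_from(">H", msg, offset)[0] & 0x3FFF
            suffix, _ = parse_name(msg, pointer, depth + 1)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def dns_questions(udp_payload):
    """Names in the question section of a DNS message (queries and replies alike)."""
    try:
        qdcount = struct.unpack_from(">H", udp_payload, 4)[0]
        names, offset = [], 12                                    # 12-byte header
        for _ in range(qdcount):
            name, offset = parse_name(udp_payload, offset)
            names.append(name.lower().rstrip("."))
            offset += 4                                           # skip QTYPE and QCLASS
        return names
    except (IndexError, struct.error, ValueError):                # truncated or malformed
        return []


def matches_watchlist(name, suffixes=WATCH_SUFFIXES):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def clients_using_watched_domains(packets):
    """packets: iterable of (client_ip, dns_udp_payload). Returns {client: {names}}."""
    hits = defaultdict(set)
    for client, payload in packets:
        for name in dns_questions(payload):
            if matches_watchlist(name):
                hits[client].add(name)
    return dict(hits)


# Constructed queries; the cdn subdomain is made up
SAMPLE_PACKETS = [
    ("10.0.0.5", build_dns_query("www.netfort.com")),
    ("10.0.0.8", build_dns_query("cdn.hola.org")),
    ("10.0.0.8", build_dns_query("hola.org")),
    ("10.0.0.9", build_dns_query("notholaorg.example")),   # must not match on a substring
]

if __name__ == "__main__":
    print(clients_using_watched_domains(SAMPLE_PACKETS))
```

Matching on the whole label boundary (“hola.org” or “.hola.org”) rather than on the substring matters; a naive substring check would also flag unrelated names. Note too that the query only tells you the client resolved the name, which is a strong hint but not proof that the plugin is installed.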

Watch out for new devices connecting to your network

The second issue, to watch out for at this time of year is the influx of new devices connecting to networks. Many people will have bought tablets or other IoT type devices and some may find their way onto corporate networks. The problem is that some devices may be prone to attacks, if default settings are used. Hacked cameras and DVRs were responsible for a massive Internet outage recently.

You can detect new devices on your network by watching out for new MAC addresses or by watching for certain strings in hostnames. In the following image, we can see how our LANGuardian system detected the presence of an Android device on my network. The report in use is called Ethernet :: DHCP Lease Assignments. Once you have the MAC address, you can find the switch port it is plugged into by looking through the MAC address tables on your switches (the ARP tables on your routers will only map it to an IP address).

Detecting IoT devices with network traffic monitoring

Conclusion: You need to be monitoring network traffic

Network traffic monitoring was once difficult and only used for low level network troubleshooting. However, metadata analysis tools have now made this task much easier and more accessible. While it is vital that you monitor network traffic around holiday events, our advice is that you should have it running 24/7 all year round. It will allow you to get to the root cause of operational and security issues much faster.

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics, network forensics to packet capture.

How to troubleshoot slow network issues

Troubleshoot slow network problems with network traffic analysis

One of the vaguest issues to land on any Network Administrator’s desk is users complaining that the network is slow. In most cases, the network is not to blame; instead the user is experiencing issues with a slow application or website. However, more often than not it is the responsibility of Network Administrators to troubleshoot slow network issues and prove that it is not the network.

The first thing you will need is a data source, so you can find out what is happening on your network. You can use technologies such as flow analysis or packet capture. For my example, I am going to use packet capture as it provides the greatest detail; you just need to ensure you set it up in the right places on the network.  Check out my earlier post which looks at ways to monitor network traffic and pick the most important points to focus on.

We develop a network traffic monitoring tool called LANGuardian. It can report on real-time and historical network use. This is important when it comes to troubleshooting slow network issues. You need to be able to compare what is happening when the network is running slow versus what was happening when the network was running without issues.

Check overall traffic volumes

If the user complaints are coming from a remote office, I would check traffic volumes on the link first. We covered this topic in a previous post which looks at ways for generating reports on WAN bandwidth utilization. If the complaints are coming from users on the local LAN, then I would focus on all network activity.

The first report I look at is the ratio of TCP to UDP traffic. On a typical network TCP accounts for well over 80% of the traffic. If UDP protocols are using your bandwidth, check the data from the previous day and see if it is something new. Excessive UDP traffic can be a sign of a DDoS attack or overuse of media streaming. Issues such as these can slow down a network.

Find out what are the top applications consuming bandwidth

Next up, I would check for the most active applications. For most networks, activity like file sharing, web or database activity ranks highest during business hours. If you see something like backup running during the day or large data replications between servers it can be the source of network slowdowns.

troubleshoot slow network issues via top protocols report

Check for network broadcast issues

A broadcast storm can slow down a network within seconds. All it takes is for one rogue device to send out a few hundred megabytes of broadcast data and suddenly your LAN will be saturated with broadcast packets. A quick way to look for this activity is to filter on network packets which have ff:ff:ff:ff:ff:ff as a destination MAC address.

You should also take a look at multicast traffic. It is less problematic than broadcast traffic, but worth checking if you are trying to troubleshoot slow network problems. Use a filter to show traffic associated with the destination IP range 224.0.0.0/4.
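The three checks above (TCP to UDP ratio, broadcast frames to ff:ff:ff:ff:ff:ff, and multicast to 224.0.0.0/4) can all be computed from the Ethernet and IPv4 headers alone. Here is an added Python example, not code from the original post, that parses those headers from raw frames, produces the byte totals, and attributes broadcast bytes to the source MAC so the rogue device in a broadcast storm can be named. The frames, MAC addresses and sizes are constructed for the example.

```python
import ipaddress
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")
PROTO_NAMES = {6: "TCP", 17: "UDP"}
ETHERTYPE_IPV4 = b"\x08\x00"


def build_frame(dst_mac, src_mac, proto, src_ip, dst_ip, payload_len):
    """Construct an Ethernet/IPv4 frame with a zero-filled payload (test input)."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed,
    )
    return dst_mac + src_mac + ETHERTYPE_IPV4 + ip_header + bytes(payload_len)


def summarize(frames):
    """Byte counts per transport protocol plus broadcast/multicast totals.

    Returns (stats, broadcast_by_source): stats is a Counter keyed by "TCP", "UDP",
    "other", "total", "broadcast", "multicast" and "non_ipv4"; broadcast_by_source
    maps a source MAC to the number of broadcast bytes it sent.
    """
    stats = Counter()
    broadcast_by_source = Counter()
    for frame in frames:
        size = len(frame)
        if size < 34 or frame[12:14] != ETHERTYPE_IPV4:         # 14-byte Ethernet + 20-byte IPv4
            stats["non_ipv4"] += size
            continue
        dst_mac, src_mac = frame[0:6], frame[6:12]
        proto = frame[14 + 9]                                    # IPv4 protocol field
        dst_ip = ipaddress.ip_address(frame[14 + 16:14 + 20])    # IPv4 destination address
        stats[PROTO_NAMES.get(proto, "other")] += size
        stats["total"] += size
        if dst_mac == BROADCAST_MAC:                             # the ff:ff:ff:ff:ff:ff filter
            stats["broadcast"] += size
            broadcast_by_source[src_mac.hex(":")] += size
        elif dst_ip in MULTICAST_V4:                             # the 224.0.0.0/4 filter
            stats["multicast"] += size
    return stats, broadcast_by_source


def tcp_share(stats):
    """Fraction of IPv4 bytes carried by TCP; compare it against a normal day's figure."""
    return stats["TCP"] / stats["total"] if stats["total"] else 0.0


# Constructed traffic mix: MAC addresses and sizes are made up
NORMAL_PC = b"\x00\x11\x22\x33\x44\x55"
ROGUE_DEVICE = b"\xde\xad\xbe\xef\x00\x01"
GATEWAY = b"\x00\x0c\x29\x00\x00\x01"
MDNS_MAC = b"\x01\x00\x5e\x00\x00\xfb"
SAMPLE_FRAMES = (
    [build_frame(GATEWAY, NORMAL_PC, 6, "10.0.0.5", "192.0.2.10", 1000)] * 8      # TCP, 1034 B each
    + [build_frame(GATEWAY, NORMAL_PC, 17, "10.0.0.5", "192.0.2.53", 100)] * 2    # UDP, 134 B each
    + [build_frame(BROADCAST_MAC, ROGUE_DEVICE, 17, "10.0.0.99", "10.0.0.255", 1400)] * 5  # 1434 B each
    + [build_frame(MDNS_MAC, NORMAL_PC, 17, "10.0.0.5", "224.0.0.251", 200)]      # multicast, 234 B
)

if __name__ == "__main__":
    stats, by_source = summarize(SAMPLE_FRAMES)
    print(f"TCP share: {tcp_share(stats):.1%}")
    print("broadcast bytes:", stats["broadcast"], "multicast bytes:", stats["multicast"])
    print("top broadcast source:", by_source.most_common(1))
```

On the constructed sample the TCP share is only about 52%, well under the 80% you would expect, and the broadcast counter points straight at one MAC address; that is the pattern you are looking for when a LAN suddenly crawls.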

Watch out for excessive connection rates

Firewalls and layer 3 devices such as routers, can struggle if connection rates increase significantly on a network. If clients start disconnecting from web sites or services hosted on the other side of routers, it is worth checking this metric.

top connection pairs on network

Summary

There are many ways to troubleshoot slow network problems, and I haven’t covered them all in this post. However, I always use the approach above and in most cases I find the root cause of network problems by monitoring network traffic and comparing what happens during a network slowdown against times when the network is running normally.

 

To see LANGuardian in action – try our interactive demo today!


5 Tips if you are looking to monitor network traffic

Monitor Network Traffic

What you should consider if you want to monitor network traffic

There are many good reasons to monitor network traffic. The information obtained by network traffic monitoring tools can be used in multiple security and IT operational use cases to (for example) identify security vulnerabilities, troubleshoot network issues and analyze the impact new applications will have on the network.

However, not all tools for monitoring network traffic are the same. Generally they can be broken down into two types: flow-based tools and deep packet inspection tools. Within these two types you have the choice of tools that use or don’t use software agents, tools that store or don’t store historical data, and tools with intrusion detection systems that monitor network traffic within the network as well as along the network edge.

Here are my 5 tips if you are looking to monitor network traffic.

1. Choose the right data source

Whatever your motive for monitoring network traffic, you have two main data sources to choose from:

(1) Flow data can be acquired from layer 3 devices like routers

(2) Packet data can be sourced from SPAN, mirror ports or via TAPs

Flow data is fine if you are looking for traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic, the utilization of network resources and network performance. However, flow-based tools for monitoring network traffic lack the detailed data to perform true root cause analysis.

Metadata extracted from network packets can help network managers understand how users are using applications, track usage on WAN links, and monitor for malware or other security incidents. By transforming the raw metadata into a readable format and enabling network managers to drill down to the finest detail, deep packet inspection tools provide the most complete visibility available over the network.

2.    Pick the correct points on the network to monitor

Naturally with agent-based software, you have to install software on each device you want to monitor. This is not only an expensive way of monitoring network traffic, it also creates a significant maintenance overhead for IT teams. Furthermore, if your objective is to monitor activity on a BYOD or publicly-accessible network, agent-based software will not give you the full picture of user activity because it is impractical (and in some jurisdictions illegal) to install monitoring agents on users' personal devices.

Even with agent-free software, a common mistake many people make when deploying tools to monitor network traffic is that they try to monitor too many data sources at the start. There is no need to monitor every network point. Instead, pick the points where traffic converges. Examples would be Internet gateways, Ethernet ports on WAN routers, or the VLANs associated with critical servers.

If you are new to getting tools in place to monitor network traffic, I would suggest starting by monitoring your Internet gateway(s). This can be an excellent source of security and operational data. The short video below explains how you can do this with Cisco switches; a similar approach applies to other switch vendors.

3.    Sometimes real-time data is not enough

The ability to monitor network traffic in real time is sufficient for many monitoring objectives, but sometimes real-time data is not enough. Historical data is just as important if you want to analyze past events, identify trends, or compare current network activity with the same period a week earlier. For these objectives you need a tool that stores historical data, and it should retain the deep packet inspection detail along with the counters, otherwise all you can answer later is "how much", not "what".

Some tools for monitoring network traffic age their data: the further back you go, the less detail you can get. While this saves disk space, it is not ideal if you are trying to determine how an intruder managed to get past your defenses to plant malware on the network. Without accurate and complete data relating to the event, you can be left looking for answers that no longer exist.

It is also a good idea to be aware that some SIEM and network traffic monitoring systems base their pricing on the amount of data you want to store. Keep a watchful eye out for this when you are evaluating solutions. Appliance-based tools are limited by the specifications of the system you buy, and an upgrade becomes a replacement appliance, which can be expensive. The most flexible options are software-based network traffic monitoring tools that let you allocate whatever disk space you think is appropriate.

4.    Associate the data with usernames

Traditional network traffic monitoring tools usually report on activity using IP or MAC addresses. While this is useful information, it can be problematic in DHCP environments: an address that appears in last week's report may have been leased to a different device since, so the IP address alone does not tell you which device to go and find. The piece of information that ties network activity to devices and people is the username, so look for a tool that associates traffic with usernames (from DHCP leases, directory logon events or similar) at the time the traffic was seen. Username association lets you know who is doing what on the network.
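The following is an added example, not code from the original article or from LANGuardian, showing why the association has to be time-aware in a DHCP environment. It resolves the MAC address and username behind a flow's source IP by taking the most recent DHCP lease and logon event at or before the flow's start time, so an address that changed hands later in the day is not attributed to its previous owner. The lease log, logon events, usernames, MAC addresses and flows are all constructed; in practice the same logic is fed from DHCP server logs and domain controller logon events.

```python
"""Added example: time-aware IP-to-MAC and IP-to-username attribution.
All events and addresses below are constructed for illustration."""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime


def ts(text):
    """Parse the constructed ISO-8601 timestamps used in the sample data."""
    return datetime.fromisoformat(text)


# Constructed DHCP lease log: (time, ip, mac). 10.0.5.20 changes hands at 13:30.
DHCP_EVENTS = [
    (ts("2024-03-04T08:00:00"), "10.0.5.20", "aa:bb:cc:00:00:01"),
    (ts("2024-03-04T08:05:00"), "10.0.5.21", "aa:bb:cc:00:00:02"),
    (ts("2024-03-04T13:30:00"), "10.0.5.20", "aa:bb:cc:00:00:03"),
]
# Constructed logon events (as a domain controller would log them): (time, user, ip)
LOGON_EVENTS = [
    (ts("2024-03-04T08:01:00"), "alice", "10.0.5.20"),
    (ts("2024-03-04T08:06:00"), "bob", "10.0.5.21"),
    (ts("2024-03-04T13:31:00"), "carol", "10.0.5.20"),
]
# Constructed flow records: (start time, src ip, dst ip, dst port)
FLOWS = [
    (ts("2024-03-04T09:15:00"), "10.0.5.20", "203.0.113.10", 445),
    (ts("2024-03-04T14:00:00"), "10.0.5.20", "203.0.113.10", 445),
    (ts("2024-03-04T07:00:00"), "10.0.5.20", "203.0.113.10", 445),  # before any lease
]


def build_index(events):
    """events: iterable of (time, ip, value). Returns {ip: [(time, value), ...]}
    sorted by time so that lookups can binary-search."""
    index = defaultdict(list)
    for when, ip, value in events:
        index[ip].append((when, value))
    for history in index.values():
        history.sort()
    return dict(index)


def lookup(index, ip, when):
    """Most recent value recorded for `ip` at or before `when`, or None if the
    address had not been seen yet. Later events are deliberately ignored."""
    history = index.get(ip, [])
    times = [t for t, _ in history]
    pos = bisect_right(times, when)
    return history[pos - 1][1] if pos else None


def attribute_flows(flows, dhcp_events=DHCP_EVENTS, logon_events=LOGON_EVENTS):
    """Return each flow with the MAC address and username it should be attributed to."""
    mac_index = build_index((t, ip, mac) for t, ip, mac in dhcp_events)
    user_index = build_index((t, ip, user) for t, user, ip in logon_events)
    out = []
    for when, src, dst, dport in flows:
        out.append({"time": when.isoformat(), "src": src, "dst": dst, "dport": dport,
                    "mac": lookup(mac_index, src, when),
                    "user": lookup(user_index, src, when)})
    return out


if __name__ == "__main__":
    for row in attribute_flows(FLOWS):
        print(row)
```

A naive "last known user for this IP" lookup would blame carol for the 09:15 flow; the time-aware lookup correctly returns alice, and returns nothing at all for the 07:00 flow because no lease or logon had been recorded for that address yet, which is the honest answer rather than a guess.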

User network traffic screenshot

5.    Check the flows and packet payloads for suspicious content

Many networks have intrusion detection systems at the network edge, but very few have this type of technology monitoring traffic inside the network. All it takes is one rogue mobile or IoT device for a network to be compromised. Another issue I often see is a firewall allowing suspicious traffic through because a rule was misconfigured.

The image below shows an example of this: someone created a rule to allow traffic inbound on TCP 5901 (VNC remote desktop, display :1), but they did not restrict it to a single source and destination. The source addresses in this case appear to be registered in China, and connections from that country would not be expected on this network. The check is simple: for each inbound port a firewall permits, compare the sources that actually established connections against the sources the rule was meant to allow.
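As an added example (not from the original article or LANGuardian), here is that check as a small audit over inbound flow records: every connection an inside host actually answered is compared with the source prefixes each permitted port was meant to allow, and the offending sources are summarised by country. The rule intent, the GeoIP prefix table and the flow records are all constructed; a real deployment would take the intent from the change ticket behind the rule and the country from a proper GeoIP database.

```python
"""Added example: audit inbound connections a firewall let through against the
documented intent of each rule. All data below is constructed."""
import ipaddress
from collections import Counter

# Constructed rule intent: destination port -> source prefixes that should be allowed.
# The rule in the article permitted TCP 5901 from any source; this is what it should
# have said (a single, made-up support vendor prefix).
EXPECTED_SOURCES = {
    5901: [ipaddress.ip_network("198.51.100.0/24")],
    443: [ipaddress.ip_network("0.0.0.0/0")],  # public web server, open by design
}

# Constructed stand-in for a GeoIP database
GEO_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "IE"),
]

# Constructed inbound flow records: (src, dst, dport, bytes_in, bytes_out).
# bytes_out > 0 means the inside host answered, i.e. the firewall passed the connection.
INBOUND_FLOWS = [
    ("203.0.113.45", "10.0.9.12", 5901, 1200, 8800),
    ("203.0.113.77", "10.0.9.12", 5901, 60, 0),        # SYN only, never answered
    ("203.0.113.91", "10.0.9.12", 5901, 3300, 24000),
    ("198.51.100.7", "10.0.9.12", 5901, 900, 15000),   # the source the rule was for
    ("203.0.113.45", "10.0.9.30", 443, 2100, 40000),   # public web server, expected
    ("192.0.2.8", "10.0.9.12", 3389, 500, 7000),       # port with no documented intent
]


def geolocate(ip, table=GEO_PREFIXES):
    """Longest-match is unnecessary here because the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, country in table:
        if addr in net:
            return country
    return "??"


def audit_inbound(flows, expected=EXPECTED_SOURCES):
    """Flag answered inbound connections whose source lies outside the prefixes the
    rule was meant to allow, or whose destination port has no documented intent."""
    findings = []
    for src, dst, dport, _bytes_in, bytes_out in flows:
        if bytes_out == 0:
            continue  # never answered: a probe, not evidence of a rule failure
        addr = ipaddress.ip_address(src)
        allowed = expected.get(dport)
        if allowed is None:
            reason = "port permitted but no rule intent documented"
        elif not any(addr in net for net in allowed):
            reason = "source outside the prefixes the rule should allow"
        else:
            continue
        findings.append({"src": src, "country": geolocate(src), "dst": dst,
                         "dport": dport, "reason": reason})
    return findings


def by_country(findings):
    """Count findings per source country, the view the article's screenshot gives."""
    return Counter(f["country"] for f in findings)


if __name__ == "__main__":
    hits = audit_inbound(INBOUND_FLOWS)
    for hit in hits:
        print(hit)
    print(by_country(hits))
```

Unanswered SYNs are skipped on purpose: they are background scanning and belong with scan detection, whereas an answered connection on a permitted port from an unexpected source is direct evidence that the rule is wider than intended.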

Network Security Events

Summary

My 5 tips if you are looking to monitor network traffic are flexible depending on your motives for monitoring network traffic, the depth of visibility you need over the network to achieve your objectives, and the resources you have available to address potentially high maintenance overheads.

Nonetheless they should help you determine the most appropriate tool for network traffic monitoring, and the features it should have in order to monitor network traffic effectively. There is a huge number of solutions available if you want to monitor network traffic. The key is to pick one that matches your requirements.

  • Choose flow-based analysis tools if you want traffic volumes and the IP addresses associated with WAN or other layer 3 links
  • Choose packet analysis tools if you need traffic volumes, IP addresses and the payload-level detail to investigate security or operational issues.

If you would like to discuss any of the points raised in this article, do not hesitate to contact us.

Monitoring IP Spoofing activity on your network

In my opinion, network traffic analysis and bandwidth monitoring solutions are a must have. You can closely monitor bandwidth and traffic patterns to identify any anomalies that can be addressed before they become threats. The trick is to capture usernames and other metadata as well as the usual IP addresses and flow information, so that you can fully understand what is happening on your network and spot suspicious traffic like IP spoofing.

Last week, I worked on an interesting network issue which involved IP Spoofing. One of our LANGuardian customers reported that they were seeing a lot of network scans from IP addresses that were not part of their local address schemes. Network scans are typically triggered when a single IP address attempts to connect to hundreds of other clients in a short time period.

Network Scans

The customer was using 10.0.0.0/8 addressing, but the scans were originating from 172.16.0.0/12 addresses. Over a 24 hour period, we detected over 5.5 million connection attempts. What was unusual was the source address range: 172.16.0.0/12 is private (RFC 1918) address space, so it should never be routed in from the Internet.

The customer wanted to know if this was IP Spoofing or if the traffic from this network had somehow made its way into their main corporate network. IP Spoofing involves the creation of IP packets with a false source IP address for the purpose of hiding the identity of the sender or impersonating another computing system.

IP Spoofing is also widely used in DDoS amplification attacks. In DNS and NTP amplification attacks, the attacker sends small requests to open resolvers or NTP servers with the source address spoofed to the victim's address, so the much larger responses are sent to the victim and flood it with unsolicited traffic. DDoS attacks like this can overwhelm networks; a recent attack on the Krebs on Security blog reached around 665 Gbps of traffic.

If you spot suspicious traffic or IP addresses on your network, you first must work out whether the source is spoofed or whether actual connections were established. Many traffic analysis or IDS systems can trigger alerts when a single source attempts to connect to many other devices on a network. In most cases they are watching for SYN packets, which try to initiate a connection. If the target host replies with a SYN-ACK and the handshake completes, a real connection exists; with a spoofed source the reply goes to the spoofed address, so the handshake never completes and you see SYNs with no return traffic.

Your first priority will be to look at flow reports associated with the source addresses. For the purposes of this demonstration, I am going to use our own product LANGuardian. However, you can use a similar approach with other network traffic monitoring applications. I am also going to focus on the 10.11.0.0/16 network which is the source of the scans in my case.

As can be seen from the image below, we do not detect any flows or connections associated with this subnet: nothing is ever sent back to those addresses. This suggests that no device on the network actually holds these addresses and that the source device(s) of these packets is spoofing them.

IP Spoofing Dashboard

The next step of your investigation would be to determine which MAC addresses are associated with these IP addresses. Again I am using the built-in inventory reports of LANGuardian to resolve the MAC addresses of the suspicious IP addresses. Spoofed packets still carry the real source MAC of the network card that put them on the wire, provided your capture point is on the same layer 2 segment (behind a router you would only see the router's MAC). In my case, I narrowed the search down to a single Dell system.

MAC Address

My next step would be to check the MAC address tables on my switches so that I can find which port the device is connected to and shut it down. Going back to the customer issue I worked on, we traced the problem to one of their firewalls. It had a known issue where it would send out random IP packets with source addresses in the 172.16.0.0/12 network. An upgrade sorted the issue, and the spoofed packets disappeared.
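The investigation above, as an added example (not code from the original article or from LANGuardian) written as detection logic over constructed packet events: it finds sources that send bare SYNs to many distinct hosts, checks whether anything ever flows back to those sources (a spoofed address gets no replies), flags private-range sources that are outside the site's own address plan, and finally groups the spoofed addresses by the source MAC that actually emitted them. The MAC step assumes the capture point is on the same layer 2 segment as the emitter; across a router you would see the router's MAC instead. The addresses, MAC addresses, threshold and packet counts are all constructed.

```python
"""Added example: scan detection, spoof check and emitter identification over a
constructed packet trace. Nothing here is from the original article."""
import ipaddress
from collections import defaultdict

LOCAL_PLAN = ipaddress.ip_network("10.0.0.0/8")  # the site's address scheme (constructed)
SCAN_THRESHOLD = 100  # distinct destinations from one source before we call it a scan


def build_sample_packets():
    """Constructed packet events: (src_mac, src_ip, dst_ip, dst_port, tcp_flags)."""
    pkts = []
    # A genuine client opening SMB to three servers; each SYN gets a SYN-ACK back.
    for i in range(1, 4):
        pkts.append(("aa:bb:cc:00:00:10", "10.0.5.20", f"10.0.1.{i}", 445, "S"))
        pkts.append(("aa:bb:cc:00:00:99", f"10.0.1.{i}", "10.0.5.20", 445, "SA"))
    # One network card (the misbehaving firewall in the article) emitting SYNs from
    # three made-up 172.16.0.0/12 addresses to 150 hosts each; nothing ever answers.
    for n, fake_src in enumerate(("172.16.3.7", "172.16.9.40", "172.16.12.200")):
        for j in range(1, 151):
            pkts.append(("aa:bb:cc:de:ad:01", fake_src, f"10.0.{20 + n}.{j}", 445, "S"))
    return pkts


def detect_scans(packets, threshold=SCAN_THRESHOLD):
    """Sources whose bare SYNs reached at least `threshold` distinct destinations."""
    targets = defaultdict(set)
    for _mac, src, dst, _port, flags in packets:
        if flags == "S":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def investigate(packets, local_plan=LOCAL_PLAN, threshold=SCAN_THRESHOLD):
    """For each scanning source: did anything ever flow back to it, and is it a
    private address from outside our own plan? No return traffic means no host on
    this network actually holds the address, i.e. it is most likely spoofed."""
    received_by = {dst for _mac, _src, dst, _port, _flags in packets}
    report = {}
    for src, n_targets in detect_scans(packets, threshold).items():
        addr = ipaddress.ip_address(src)
        return_traffic = src in received_by
        report[src] = {
            "distinct_targets": n_targets,
            "return_traffic": return_traffic,
            "private_but_foreign": addr.is_private and addr not in local_plan,
            "likely_spoofed": not return_traffic,
        }
    return report


def emitters(packets, spoofed_sources):
    """Collapse spoofed source IPs onto the MAC address(es) that sent them, which is
    the device to go and find in the switch MAC address tables."""
    by_mac = defaultdict(set)
    for mac, src, _dst, _port, _flags in packets:
        if src in spoofed_sources:
            by_mac[mac].add(src)
    return {mac: sorted(ips) for mac, ips in by_mac.items()}


if __name__ == "__main__":
    pkts = build_sample_packets()
    findings = investigate(pkts)
    for src, verdict in findings.items():
        print(src, verdict)
    spoofed = {s for s, v in findings.items() if v["likely_spoofed"]}
    print(emitters(pkts, spoofed))
```

The genuine client never trips the scan threshold, and it would not be marked as spoofed even if it did, because the SYN-ACKs coming back to it prove a real host holds the address. The three 172.16.x.x sources trip the threshold, receive nothing, sit in RFC 1918 space outside the 10.0.0.0/8 plan, and all collapse onto one source MAC, which is exactly the single-device answer the inventory report gave in the customer case.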

For additional information on IP Spoofing, take a moment to watch this short video.

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions for everything from user activity monitoring to file activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics, network forensics and packet capture.

To see LANGuardian in action – try our interactive demo today!

5 Points on your Network where you should be analyzing Network Traffic

Network Traffic Analysis Tools

Analyzing Network Traffic – Where To Start

If you want to find out what is happening on your network, analyzing network traffic is a great way to start. By capturing traffic from a SPAN port, mirror port or network TAP you have a non-intrusive way of gaining visibility without the need for software agents or clients.

If you want to upgrade from capturing local traffic on a client using applications like Wireshark, it may not be obvious where to start capturing. In this blog post, I take a look at the most important points on a network which you should focus on. In all cases, you can use either a SPAN port, port mirror, TAP or network packet broker (NPB) to act as a data source for network packets.

1.  Network Perimeter \ Internet Gateway

The best starting point for any type of traffic analysis strategy is at the edge of your network. Many bandwidth or security issues can be investigated by implementing network traffic analysis at this point. With the traffic analysis tool, you can spot things like large downloads, streaming or suspicious inbound or outbound traffic. Make sure you start by monitoring the internal (LAN-side) interfaces of your firewalls: there you see the real client addresses before NAT, which lets you track activity back to specific clients or users rather than to a single public address.

This video explains how you can use a SPAN port to monitor internet activity.

2. Network Core

Once you have visibility at the network edge, you should then look at analyzing network traffic at the network core. Most managed switches will allow you to take a copy of traffic going to\from multiple ports and send it to a single port where you can plug in your traffic analysis tool. On certain switches, such as Cisco, you can use an entire VLAN as the SPAN source so you don’t need to worry about picking specific ports.

The key thing to watch out for when monitoring at the core is that you don’t overload the SPAN port. A SPAN session copies both directions of every monitored port, so a single busy 1 Gbps full-duplex link can already produce up to 2 Gbps of mirrored traffic, and whatever the destination port cannot carry is silently dropped. If you max out the capacity, you may need to split the traffic across two SPAN\mirror ports or upgrade to a 10 Gbps destination port if you are currently using 1 Gbps ports.

3. DMZ

Once you have got visibility inside your network, you should then consider monitoring activity just outside the network’s edge. Typically this is the demilitarized zone (DMZ), which sits between the Internet and the internal network and may contain web servers and other public-facing resources.

A DMZ is a busy place when it comes to network events. Many devices here have public IP addresses and so will be constantly scanned and probed for vulnerabilities.

Analyzing Network Traffic in DMZ

4. Remote Networks

If you are analyzing network traffic at your network core, you should be able to see what is happening on WAN links. This is possible through the use of filters based on the subnets in use at the remote sites. You can read more about this in my recent blog post which looked at a number of ways for generating reports on WAN bandwidth utilization.

However, you will need to analyze traffic locally at the remote sites if you want to see what is happening on these remote networks. A typical use case for this would be identifying the source of a broadcast or unicast storm at the remote network.

5. East West Traffic on Virtual Platforms

If you use virtual environments like VMware, Hyper-V or VirtualBox, you will have virtual networks in place. These networks are built from virtual switches which are mapped to the physical interfaces on the hypervisor. However, traffic between virtual machines on the same host is switched inside the hypervisor and never appears on the physical network, so a SPAN port on the physical switch will not see it. This has become a common blind spot for network managers who have virtualized one or more servers.

In order to gain visibility within a virtual environment, you need to deploy a virtual machine capable of analyzing network traffic flowing through a virtual switch. The following video explains what needs to be done to implement this on an ESX server.

We have further videos available within the resources section on this website which look at what you need to do on other hypervisors.
