Making Networks More Secure, Part 1

A protocol analyzer is a software tool that tunes into packets of data as they move across networks. Properly used, it can help demonstrate why secure software is a good idea and can help secure networks in a wide variety of ways. For system builders and networks, a protocol analyzer can be an invaluable diagnostic and troubleshooting tool.

Nearly all network-security software -- including screening routers, firewalls, intrusion detection or prevention systems, and security scanners -- first examines incoming or outgoing network traffic, then determines whether that traffic should be allowed to travel further or be blocked. That same functionality forms the core of any good protocol analyzer. It examines packets passing through a network interface to see what's inside. But unlike most security software, which stops scanning before it reads entire packets, protocol analyzers can decode and interpret everything they see -- as long as they can recognize what kind of information a packet contains, and apply the right template to make its contents readable.

Although protocol analyzers have many uses above and beyond network security -- for example, debugging code that transmits traffic onto a network -- they have many potential security applications, too. Information-security professionals use protocol analyzers to capture specific types and sequences of packets, called "attack signatures," to permit intrusion-detection or -prevention systems to recognize and report on (or block) intrusions and attacks. Similarly, spam filters dig deeply enough into SMTP packets to block mail from unwanted senders, or messages that contain certain keywords in the Subject line (such as "Viagra" or "Cialis"). At a simpler level, firewalls and screening routers identify and block spoofed network addresses, then take action based on domain names associated with source or destination IP addresses. Protocol analyzers can do all of these things, and quite a bit more.

System builders will find a protocol analyzer to be a useful, even essential, tool. In just minutes, a properly-equipped laptop can hook up to a network segment, switch, or wireless hub to provide a compelling "show and tell" about what's traveling over that network, who's using the network, and much more. Showing customers potential security problems on their networks is more convincing than just talking about them.

System builders and consultants can choose from numerous protocol analyzers available in today's marketplace (see Sidebar below). For this Recipe, I chose an Open Source protocol analyzer called Ethereal. I like Ethereal because it is free; runs on the Unix, Linux, and Windows operating systems; has an active and interested user community; and is relatively easy to install, learn, and use. Only low-level interface and menu details in my recipe will differ if you use another tool.

There are numerous ways you can use Ethereal to alert clients to potential security problems or to set up and configure security software like VPN clients or IP Security links. In this Recipe, part 1 of 2, you'll learn how to use Ethereal for the following two uses:

• Display network stations: Any protocol analyzer can list all network interfaces active on a network segment (or wireless broadcast domain, if properly equipped). Most can also show IP addresses and domain or user names associated with the Media Access Control (MAC) addresses associated with each interface, but even access only to raw MAC addresses can still be revealing.
• Password sniffing: Older IP-based services -- including Telnet, FTP, and SMTP mail -- send passwords in the clear from client to server during login. Showing passwords within minutes of jumping onto their networks strikes fear into clients' hearts, as well it should!

Regardless of how you choose to use Ethereal -- or train your clients to use it themselves -- you must first perform some or all of these tasks to get started:

• Install Ethereal on a machine running on the network segment you wish to monitor. If you're not sure which one to look at, any segment with an IP gateway to the Internet is usually a good choice. You may, however, occasionally need to look at other segments, especially when troubleshooting. I installed Ethereal on Windows 2000 Professional and Server, Windows XP Professional, and Windows 2003 Server, using available binary files from the organization's Web site. All these installs took me less than two minutes, and all produced working software.
• Attach a laptop with Ethereal installed to the segment you wish to monitor. Furnish the laptop with all elements necessary for a working IP connection: DHCP and DNS server access, or static IP address, IP gateway, and subnet mask, at the barest minimum. This is the preferred method.
• Launch Ethereal and make sure it can see what's happening on the network segment to which it's attached. You'll be able to tell by simply starting a packet capture, then displaying results in its default Window. An increasing trail of captures means it's working. Nothing showing probably means nothing doing!

To get ready to use Ethereal, you must first install the software on a machine you'll use to monitor or capture packet traffic on some particular network cable segment. You must also make sure Ethereal can monitor or capture traffic from that segment, as described earlier.

Here's what you'll need to get started:

Ethereal Ingredients

• Ethereal: System builders can download source code or binary packages for Red Hat Linux, Fedora, or Sun Solaris, or they can grab source code or installers for 32-bit Windows environments (Windows 9x, NT, 2000, XP, and 2003). Windows users must also download and install the WinPcap (Windows packet capture) driver if they want to capture live network traffic. All the necessary download links are available at Ethereal.com, including mirrors all over the world as well as at the organization's home site.
• If you want to compile your own version from source code, it's only a little more complicated. I used the binaries provided through the Web site without any difficulty. If you're running Windows, it will take about a half-hour to download and install all the necessary files.
• List of Known MAC Addresses. If available -- you can elicit most of this data using IPCONFIG or WINIPCFG commands at the Windows command line on individual machines, as appropriate for Windows versions in use -- this will help speed analysis and reporting when displaying network stations. If not, then obtain the ARP Table from an IP gateway or a router that acts in that role. On Windows, Linux, or Unix machines, type "arp %96a" (without the quote marks) at the command line (or in a command shell) to see the contents of the machine's ARP table where the command is run. To save this data, pipe it to a text file (arp -a > arplist.txt). If this is too much trouble, simply let Ethereal run for a while, and use a display filter to display only local segment addresses.

Create Active Station List, Step-By-Step

Now that we have our components assembled, let's take a look at the five steps involved in creating an active station list:

• Before you begin any packet capture, go to all workstations or servers on a segment, open a command Window, and clear each machine's ARP cache. To do so, type at the command line: arp * -d
• Start Ethereal from the Start menu, a shortcut, or whatever method suits you best. The executable is named ethereal.exe, so you can even launch it from the command line, if you like. Define a display filter that reads arp in the Filter text box in the lower left-hand corner of the default display.
• Start packet capture on your Ethereal machine by clicking the Capture menu, then the Start selection. The defaults for the program are fine for this exercise, so you needn't make any other changes at all.
• Go to each workstation or server, and access a Web page to provoke an ARP lookup from each machine.
• Stop the packet capture by clicking the Stop button. Either save only those packets that include the data on display, or simply print the display information for later reuse. The screen-shot below shows what such a display will look like.

Fig. 1: View this screen-shot in a separate window.

If you capture a long trace and filter on IP addresses (using something like ip.src == 172.16.1.0/24 in the case of the Class B private IP address used for the example in the screen shot above, you can also achieve the same thing. But you may have to search around in the trace file to get matching MAC addresses.

The arp output matches MAC and IP addresses more or less automatically. Later, you can use this information to spot "rogue addresses" -- devices or computers attached to your network that aren't on your known list of MAC or IP addresses. In fact, I have my firewall configured to recognize all local hosts whose IP and MAC addresses are identified explicitly in the firewall configuration files, and to allow only very limited network access to other local addresses should they ever pop up.

I recommend that you explain the benefits of this approach to your customers. Namely, that should rogue users ever show up on a network segment, they will be immediately recognized, and their access will be severely curtailed. Those with legitimate needs for more access will ask for more, and probably have it granted. Those with no legitimate needs for more access can try their tricks elsewhere.

Password Sniffing, Step-By-Step

Packet-capture continues only until your packet-capture buffer fills up. Then it stops. That's why I recommend that you ask your client to log into an FTP or Telnet server, or access SMTP/POP3 e-mail, while you're capturing a trace. That way, you can show them the results fairly quickly. This is so easy, it's frightening. I use SMTP/POP3 for my example, but you could easily do the same thing by typing ftp or telnet into the Filter: textbox instead of pop, as described in the following steps:

• Start Ethereal from either the Start menu, a shortcut, or whatever method suits you best. The executable is named ethereal.exe, so you can even launch it from the command line, if you like. Define a display filter that reads pop in the Filter text box in the lower left-hand corner of the default display.
• Start packet capture on your Ethereal machine by clicking the Capture menu. Then click the Start selection. The defaults for the program are fine for this exercise, so you needn't make any other changes at all.
• Log in, or ask your customer to log in, to an e-mail server using the Post Office Protocol (POP3), identified as pop in Ethereal.
• Stop the packet capture and show the trace to your customer. You should see their account name and password in plain, readable text form. If they send or receive any messages, you'll see some or all of them, depending on the message length and whether you change the default packet-buffer size.

Fig. 2: View this screen-shot in a separate window.

The screen-shot above shows just how obvious the account name (bobcraw) password (Castorbean12) are to find and read. The same technique also works for the file transfer protocol (FTP), telnet, many versions of SMTP, and other insecure IP services. I find this to be the best argument around for switching clients to secure implementations, running within secure shells, or using VPN software and encryption. Although most clients "know" this is true, it's so much more convincing to show them what any fool with a protocol analyzer can do -- this means you and me!

That's absolutely all there is to it!

Sidebar: Other Protocol Analyzers

The following table identifies other, well-known protocol analyzers currently available. Ethereal can read all of these formats, and a number of others as well (documented at the Ethereal site).

Also, Webclasses offers a nice protocol analyzer operations lesson that interested readers may want to check out.

Finally, using a protocol analyzer for security purposes overlooks the software's many other capabilities. If you're interested in learning more about Ethereal, you'll find ample documentation at the Ethereal Web site. I also recommend a new book, Ethereal Packet Sniffing by Angela Orebaugh with Greg Morris, Ed Warnicke, and Gilbert Ramirez (Syngress Publishing, 2004). Because the authors are Ethereal developers, technical writers, and information-security professionals, their coverage is accurate, interesting, and relevant.

This is Part 1 of a two-part Recipe. Part 2 will deal with third-party IP tools-- shareware and relatively inexpensive commercial software. It also will provide pointers to some great "online toolbox resources" whose operators collect and catalog listings of and pointers to such things, for those in need of more options and capabilities.

ED TITTEL is a technology writer who has contributed to more than 100 computer books; a trainer; and a consultant who specializes in IT certification and information security. He has no commercial affiliation with any of the vendors or products described in this article.

Did you try this Recipe? If so, how did it work out? To discuss this or other TechBuilder Recipe, start or join a discussion thread on the Recipe Forum. Membership is required. Not yet a member? Becoming a member is free, secure, and fast. Join TechBuilder today.