Publication
Featured research published by Angela Orebaugh.
Wireshark & Ethereal Network Protocol Analyzer Toolkit | 2006
Angela Orebaugh; Gilbert Ramirez; Josh Burke; Larry Pesce; Joshua Wright; Greg Morris
This chapter introduces the unique challenges of, and recommendations for, traffic sniffing on wireless networks. It examines the operating modes supported by wireless cards and shows how to configure Linux and Windows systems for wireless traffic capture and analysis with Wireshark and third-party tools. Wireshark has sophisticated wireless protocol analysis support to help administrators troubleshoot wireless networks. With the appropriate driver support, Wireshark can capture traffic “from the air” and decode it into a form that helps administrators track down the causes of poor performance, intermittent connectivity, and other common problems. Wireshark is also a powerful wireless security analysis tool. Using Wireshark's display filtering and protocol decoders, one can sift through large amounts of wireless traffic to identify security weaknesses in the wireless network, including weak encryption or authentication mechanisms and information disclosure risks. One can also perform intrusion detection analysis to identify common attacks against wireless networks, and signal strength analysis to locate a station or access point (AP).
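The kind of sifting the chapter describes, as an added example that is not from the book and not Wireshark's own code: a small Python parser that reads 802.11 beacon frames, decodes the capability Privacy bit and the RSN (tag 48) and WPA vendor (tag 221) information elements, and reports the advertised cipher suites and authentication methods, flagging WEP and TKIP. The equivalent interactive check in Wireshark is a display filter on beacon frames (wlan.fc.type_subtype == 0x08) combined with the decoded RSN fields. The frames, SSIDs and addresses below are constructed test data, and the suite-selector tables cover only the common IEEE and WPA1 values.

```python
import struct

CAP_PRIVACY = 0x0010                       # capability bit 4: encryption required
RSN_OUI = b"\x00\x0f\xac"                  # IEEE 802.11i (WPA2) suite selectors
WPA_OUI = b"\x00\x50\xf2"                  # WPA1 vendor IE and its suite selectors
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}


def parse_ies(data):
    """Split the tagged parameters into (tag, value) pairs; a truncated tail is ignored."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def parse_suites(data, oui):
    """Decode version(2) group(4) count(2) pairwise(4*n) count(2) akm(4*n) into names."""
    def name(sel, table):
        return table.get(sel[3], "unknown-%d" % sel[3]) if sel[:3] == oui else "vendor"
    group = name(data[2:6], CIPHER_NAMES)
    n_pair = struct.unpack_from("<H", data, 6)[0]
    pos = 8
    pairwise = [name(data[pos + 4 * k:pos + 4 * k + 4], CIPHER_NAMES) for k in range(n_pair)]
    pos += 4 * n_pair
    n_akm = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    akms = [name(data[pos + 4 * k:pos + 4 * k + 4], AKM_NAMES) for k in range(n_akm)]
    return group, pairwise, akms


def classify_beacon(frame):
    """Return SSID, security generation, suites and findings for one beacon frame."""
    if (frame[0] >> 2) & 0x3 != 0 or (frame[0] >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    body = frame[24:]                                    # skip the 24-byte management header
    capability = struct.unpack_from("<H", body, 10)[0]   # after timestamp(8) and interval(2)
    ies = parse_ies(body[12:])
    ssid = next((v.decode("utf-8", "replace") for t, v in ies if t == 0), "")
    rsn = next((v for t, v in ies if t == 48), None)
    wpa = next((v[4:] for t, v in ies if t == 221 and v[:4] == WPA_OUI + b"\x01"), None)
    result = {"ssid": ssid, "findings": []}
    if rsn is None and wpa is None:
        # No suite list at all: Privacy bit set means WEP, clear means an open network.
        result["security"] = "WEP" if capability & CAP_PRIVACY else "Open"
        result["findings"].append("no RSN/WPA information element: %s network" % result["security"])
        return result
    result["security"] = "WPA2" if rsn is not None else "WPA"
    if rsn is not None and wpa is not None:
        result["security"] = "WPA/WPA2 mixed"
    data, oui = (rsn, RSN_OUI) if rsn is not None else (wpa, WPA_OUI)
    group, pairwise, akms = parse_suites(data, oui)
    result.update(group=group, pairwise=pairwise, akm=akms)
    ciphers = set(pairwise) | {group}
    if any(c.startswith("WEP") for c in ciphers):
        result["findings"].append("WEP cipher suite advertised")
    if "TKIP" in ciphers:
        result["findings"].append("TKIP cipher suite advertised")
    if "PSK" in akms:
        result["findings"].append("pre-shared key authentication (no per-user credentials)")
    return result


# --- constructed test frames (not captured traffic) ---------------------------------
def suite_ie(oui, group, pairwise, akms, prefix=b""):
    """Encode an RSN (tag 48) suite list, or with the WPA vendor prefix a WPA (tag 221) one."""
    body = prefix + struct.pack("<H", 1) + oui + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(oui + bytes([a]) for a in akms)
    return body


def build_beacon(ssid, privacy=False, extra_ies=()):
    """Minimal beacon: management header, fixed fields, SSID IE and any extra IEs."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x00\x00"
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS, optionally Privacy
    body = struct.pack("<QHH", 0, 100, capability) + bytes([0, len(ssid)]) + ssid.encode()
    for tag, value in extra_ies:
        body += bytes([tag, len(value)]) + value
    return header + body


if __name__ == "__main__":
    samples = [
        build_beacon("guest-open"),
        build_beacon("legacy-wep", privacy=True),
        build_beacon("corp", privacy=True, extra_ies=[(48, suite_ie(RSN_OUI, 4, [4], [1]))]),
        build_beacon("oldwpa", privacy=True,
                     extra_ies=[(221, suite_ie(WPA_OUI, 2, [2], [2], WPA_OUI + b"\x01"))]),
    ]
    for frame in samples:
        print(classify_beacon(frame))
```

Feeding real frames requires a monitor-mode capture with the radiotap or PRISM header stripped first; the classifier only looks at the 802.11 header and beacon body.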
Wireshark & Ethereal Network Protocol Analyzer Toolkit | 2006
Angela Orebaugh; Gilbert Ramirez; Josh Burke; Larry Pesce; Joshua Wright; Greg Morris
Wireshark provides insight into a computer network, which is useful when implementing protocols, debugging network applications, testing networks, and debugging live networks. Being able to see and analyze network traffic is very instructive. This chapter discusses the main components of the Wireshark Graphical User Interface (GUI), including the main window, menu bar, tool bar, summary window, protocol tree window, data view window, filter bar, information field, and display information. The Summary window displays a summary of each packet (one per line) in a capture, with one or more columns of summary data per packet. The Protocol Tree window is used to examine the tree that Wireshark builds when decoding a packet. The chapter also discusses the context-sensitive pop-up windows available in the Summary window, the Protocol Tree window, and the Data View window, along with the various dialog boxes launched from the menus and toolbars. It shows how to perform basic tasks in Wireshark (e.g., capturing network traffic, loading and saving capture files, performing basic filtering, printing packets) using the tools provided by Wireshark. Several command-line options supported by Wireshark are also documented in the chapter.
Archive | 2007
Raven Alder; Josh Burke; Chad Keefer; Angela Orebaugh; Larry Pesce; Eric S. Seagren
This chapter focuses on the security of network-connected resources, such as servers and workstations. Many times the organization looks only at securing its perimeter, while leaving its interior network open and unprotected. This hard-exterior, soft-squishy-interior approach is better than no security, but it is not the best approach. The best approach is defense in depth, which is the practice of applying security measures at all levels of the network. Many security solutions are available for protecting network resources. Basic hardening should be performed on all network resources, from workstations to servers to routers and switches. After basic hardening, regular patches and updates are required to ensure that the most secure software possible is running. Personal firewalls can serve as the first line of defense, providing logical access control based on the contents of network packets. After the network is secured, the defenses turn inward, to protect assets from viruses and spyware. The chapter concludes by suggesting file encryption to protect sensitive data even if the system or the encrypted files fall into the wrong hands.
How to Cheat at Configuring Open Source Security Tools | 2007
Raven Alder; Josh Burke; Chad Keefer; Angela Orebaugh; Larry Pesce; Eric S. Seagren
This chapter examines methods to secure the network perimeter and to give administrators the access they need to administer the network. The Linux built-in firewall, netfilter, is covered extensively because of its power and flexibility as a free stateful firewall. In addition to iptables, several GUI front ends are examined that allow managing the netfilter firewall without knowing the iptables command-line syntax. With the perimeter secured, the next step is to establish a secured doorway, so that the network can be administered remotely, for example from home. Some type of firewall is necessary for protection on all unsecured connections. The word unsecured, rather than Internet, is used intentionally, because a business partner's network, a home user's network, and the Internet are all considered untrusted: there is no, or only incomplete, administrative control over the security of the network being connected to, and ultimately no guarantee of proper security controls on an untrusted network. The chapter states that an Internet connection without a firewall between the computer and the Internet makes the odds of compromise very high. For other types of untrusted connections the odds may be better, but it is still a gamble if steps are not taken to protect the network and its systems.
Archive | 2007
Raven Alder; Josh Burke; Chad Keefer; Angela Orebaugh; Larry Pesce; Eric S. Seagren
This chapter discusses the tools and utilities that can be used to locate the systems on a network using a variety of methods. The utilities presented offer a broad spectrum of choices in complexity and features for discovery scanning. After identifying all the systems on a network, the logical next step is to determine the security posture of those systems. Several automated security scanning tools are available that check for a list of known vulnerabilities and make this task easier, enabling one to build a complete and accurate picture of system security. The Microsoft Baseline Security Analyzer reports on weak security settings in Microsoft operating systems rather than on vulnerabilities. All of this collectively gives the information needed to complete the first step of securing a network: information gathering.
How to Cheat at Configuring Open Source Security Tools | 2007
Raven Alder; Josh Burke; Chad Keefer; Angela Orebaugh; Larry Pesce; Eric S. Seagren
When it comes to implementing a network intrusion detection system (NIDS) such as Snort, the biggest factor in its effectiveness is its placement within the network. The value of the NIDS is in identifying malicious traffic, and obviously it cannot do that if it cannot see the traffic. Snort holds the position of the leading open source IDS, and as such it enjoys several advantages. One advantage is its very large and diverse user base, which means a lot of help and information for running, configuring, and customizing Snort can be found on the Internet. Although Snort may not enjoy the cohesive turnkey nature of a commercial package, several utilities and tools can be assembled to turn Snort into an enterprise-class IDS. With no cost in software, an industry-standard IDS can be built, with a large signature base and the ability to create custom signatures. The signatures can be automatically updated to keep them current, and several GUI front ends can be used to remotely configure and manage several Snort sensors from one central location. All this adds up to a lot of value and increased security, with no additional software cost.
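What a custom Snort signature actually checks, as an added example that is neither from the book nor Snort's own code: a Python evaluator for a small subset of the Snort rule language (the rule header plus the msg, content with |hex| sections, nocase, offset, depth, sid and rev options) run over constructed packets. The $HOME_NET and $EXTERNAL_NET values, the two rules and the packets are assumptions made for this example; relative content modifiers (distance, within), PCRE, flow state and preprocessor-normalised buffers are not modelled.

```python
import ipaddress
import re

# Assumed snort.conf variables for this example; real deployments set their own.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}


def _addr_matches(spec, ip):
    """Resolve a $VAR or CIDR spec (optionally negated with '!') against one address."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))) != negate


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def _content_bytes(text):
    """Snort content syntax: literal text with |hex bytes| sections, e.g. "|04 06|public"."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(text.split("|")))


def parse_rule(text):
    """Parse 'action proto src sport -> dst dport (options;)' into a dict."""
    m = re.match(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$", text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    contents, meta = [], {}
    for key, val in re.findall(r'(\w+)(?::\s*("[^"]*"|[^;]*))?\s*;', body):
        val = val.strip().strip('"')
        if key == "content":
            contents.append({"pattern": _content_bytes(val), "nocase": False,
                             "offset": 0, "depth": None})
        elif key in ("nocase", "offset", "depth"):
            if not contents:                       # modifiers bind to the preceding content
                raise ValueError("%s modifier before any content" % key)
            contents[-1][key] = True if key == "nocase" else int(val)
        else:
            meta[key] = val
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "contents": contents, "meta": meta}


def _content_found(c, payload):
    """offset moves the search start; depth bounds how many bytes from there are searched."""
    region = payload[c["offset"]:]
    if c["depth"] is not None:
        region = region[:c["depth"]]
    if c["nocase"]:
        return c["pattern"].lower() in region.lower()
    return c["pattern"] in region


def rule_matches(rule, pkt):
    """Cheap header checks first, then every content option must be found in the payload."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_addr_matches(rule["src"], pkt["src"]) and _addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not (_port_matches(rule["sport"], pkt["sport"]) and _port_matches(rule["dport"], pkt["dport"])):
        return False
    return all(_content_found(c, pkt["payload"]) for c in rule["contents"])


def run_rules(rules, packets):
    """Return (sid, msg, packet index) for every alert, in the order a sensor would raise them."""
    alerts = []
    for i, pkt in enumerate(packets):
        for r in rules:
            if r["action"] == "alert" and rule_matches(r, pkt):
                alerts.append((int(r["meta"]["sid"]), r["meta"]["msg"], i))
    return alerts


RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Admin area probe"; content:"GET /admin"; nocase; depth:10; sid:1000001; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public community"; content:"|04 06|public"; sid:1000002; rev:1;)',
]]

# Constructed packets (not captured traffic): protocol, addresses, ports and payload only.
PACKETS = [
    dict(proto="tcp", src="203.0.113.5", sport=40001, dst="192.168.1.10", dport=80, payload=b"GET /admin/ HTTP/1.1\r\nHost: www\r\n\r\n"),
    dict(proto="tcp", src="192.168.1.5", sport=40002, dst="192.168.1.10", dport=80, payload=b"GET /admin/ HTTP/1.1\r\n\r\n"),   # internal source: not $EXTERNAL_NET
    dict(proto="tcp", src="203.0.113.5", sport=40003, dst="192.168.1.10", dport=80, payload=b"get /ADMIN HTTP/1.1\r\n\r\n"),     # nocase matches
    dict(proto="tcp", src="203.0.113.5", sport=40004, dst="192.168.1.10", dport=80, payload=b"xx GET /admin HTTP/1.1\r\n\r\n"),  # pushed past depth:10
    dict(proto="udp", src="203.0.113.9", sport=5000, dst="192.168.1.20", dport=161, payload=b"\x30\x26\x02\x01\x00\x04\x06public\xa0\x19"),
]

if __name__ == "__main__":
    for sid, msg, idx in run_rules(RULES, PACKETS):
        print("[1:%d] %s on packet %d" % (sid, msg, idx))
```

The fourth packet is the reason depth matters: the same bytes are present, but the rule only inspects the first ten, so a signature written without thinking about where the pattern sits in the payload silently misses it. Conversely, the second packet shows that $EXTERNAL_NET, not the payload, decides whether an internal host probing the same URL is reported at all, which is exactly the placement question the chapter raises.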
How to Cheat at Configuring Open Source Security Tools | 2007
Raven Alder; Josh Burke; Chad Keefer; Angela Orebaugh; Larry Pesce; Eric S. Seagren
This chapter introduces the concepts of intrusion detection and monitoring, and discusses the ways in which they pertain to wireless networking. Beginning with the initial design of a wireless network, it focuses on the fact that security is a process that requires planning and activity, rather than a product shrink-wrapped at the computer store. Knowing that the network is under a heavy load can be a sign of an intrusion. Along with monitoring, dedicated intrusion detection software should be used to watch for specific attacks on the network. The software, using signature files that can be customized to look for specific attacks, generates alerts when it finds a signature match in the traffic. The chapter discusses ways to conduct a vulnerability assessment. It is critical to have a security policy in place that not only prohibits the use of unauthorized wireless equipment, but also educates users about the dangers of doing so. The chapter also deals with rogue Access Points (APs), possibly one of the greatest new threats to network security. Rogue APs can be placed by an attacker seeking access to your network, or by a well-meaning employee trying to provide a new service. Either way, they offer attackers a direct and anonymous line into the heart of the network. Intrusion detection and monitoring are the key building blocks in designing a secure network.
How to Cheat at Configuring Open Source Security Tools | 2007
Raven Alder; Josh Burke; Chad Keefer; Angela Orebaugh; Larry Pesce; Eric S. Seagren
This chapter discusses choosing the appropriate operating system for a Snort sensor. It also explains the performance implications of the various components and subsystems of the physical sensor. Because the sensor sits at a critical point within the network, it must be hardened to prevent it from being compromised. The chapter explains all the aspects of building a sensor, covers some real-world operating systems, and weighs the pros and cons of each. It focuses on the process of installing and configuring Snort. Integral to Snort installation and configuration is the underlying operating system's means of package management and the ways to install and keep a system up to date; the chapter explores the use of apt-get, RPM, portage, and binaries. After Snort is installed it has to be configured properly, so the chapter explains the files included in the Snort distribution that help Snort do its job. It also describes the various preprocessor and output plug-ins and their configuration directives.
How to Cheat at Configuring Open Source Security Tools | 2007
Raven Alder; Josh Burke; Chad Keefer; Angela Orebaugh; Larry Pesce; Eric S. Seagren
This chapter gives an overview of Wireshark, its various features, and its supporting programs. It covers the history of Wireshark, its compatibility with other sniffers, and its supported protocols, and reviews the Wireshark GUI and the filter capabilities. The chapter covers the programs that come with Wireshark and add functionality by manipulating capture files. It explores several scenarios for using Wireshark in a network architecture: knowing how a network is segmented helps with placing Wireshark where it can capture the information that is needed. Wireshark's use by a wide range of people, including network, system, and security administrators, is also explained, and Wireshark can be used by anyone on their own network. Although the application is robust and stable, cost-effective things can be done to improve the Wireshark experience. Finally, the chapter presents a network troubleshooting methodology and states that it is good practice to use this methodology every time a problem is troubleshot.