Performing a Security Audit with OptiView | NETSCOUT

Performing a Security Audit with the OptiView XG Portable Network Analysis Tablet

Most networks are designed to be extremely secure from the outside and less secure from the inside. Some networks, however, such as those involved in national security, financial institutions, utilities, or any organization concerned with compliance issues, need to be extremely secure from the inside as well. These networks would be found, for example, in the types of facilities where regular sweeps for electronic eavesdropping devices are performed.

While these networks include tools for full-time monitoring of security issues, security experts use the OptiView XG to add another layer of auditing. By performing unannounced, random audits of a different type than provided by the full-time monitoring tools, these experts add additional uncertainty for those who wish to gain unauthorized access. The OptiView XG also provides a “third party” check of ongoing security procedures.

The NETSCOUT OptiView XG is well-suited for this application, with a wide variety of testing capabilities (physical layer testing, passive monitoring, device discovery, and SNMP/RMON) and connection technologies (copper/fiber/wireless), all in a portable, battery-operated package. This note describes the types of tests the OptiView XG can use to audit network security.


Active or Passive Testing?

Accessing the network for the purpose of testing is dependent on the design of the network. Switches make passive monitoring of a network difficult as each port of the switch is isolated from its neighbors. In order to effectively monitor a switched network, the OptiView XG needs to be connected in a way that allows it to see traffic other than that specifically directed to the OptiView XG. The most straightforward way to do this is with port mirroring or spanning, where the switch is directed to forward traffic from selected ports to the port connected to the OptiView XG analyzer. This requires access to the switch and knowledge of how to set it up. Another approach is to install taps or utilize the in-line capabilities of the analyzer on critical links to allow the OptiView XG to collect statistics on the traffic and eavesdrop on desired conversations. This does require some forethought in order to design and install the taps in the most useful locations. Once installed, it becomes very easy for the auditor to plug the OptiView XG into the network and begin observing and collecting traffic.


Active tests can provide much more information in a switched network, and provide some of the most powerful capabilities of the OptiView XG. However, active tests can be observed by other devices on the network and are sometimes frowned upon for security applications as they can be sensed by a sophisticated user on the network. This could allow such a user to stop unauthorized activity before being observed by the OptiView XG. Practically, this could be very difficult because by the time the user observed the OptiView XG, they would have also been observed. Still, many security auditors prefer to be completely invisible in their efforts and eschew active testing.

Figure 1. The OptiView XG can be set up to be completely “silent” on a network


Network Access

One of the simplest and most effective methods for securing a network is to not allow unauthorized devices on it. One way of doing so is to implement a MAC list – a list of hardware addresses that are allowed onto the network. Any other device attempting access will be denied a connection and “locked out”. Testing this with the OptiView XG is straightforward as the MAC address can be changed from the network port configuration panel, effectively “spoofing” another device. By seeing that an allowed address can connect and other addresses are rejected, the user knows that the MAC list access is working properly.


A more sophisticated approach is to use IEEE 802.1X authentication. In this method, the device must present a password to gain access to the network. The device is granted only enough access to obtain approval from an 802.1X authentication server. If access is not granted, the port is shut off and the device is “locked out”. The OptiView XG supports 802.1X through the Windows Authentication component, which allows an authentication certificate to be entered.

Figure 2. OptiView XG setup screen for 802.1X


Traffic Analysis

The most straightforward and traditional way of looking for abnormalities on a network is passively listening. In this mode, the device analyzes and passively collects the traffic that it sees on its connection. As noted above, this approach provides limited visibility in modern networks except when using spanning or taps. This method has the advantage that it is passive which means that it is essentially undetectable to other devices on the network. Here is what the OptiView XG can discover about the network with this method:


Applications and Protocols

The OptiView XG can categorize the types of traffic it observes at each layer. For example, at layer 2 you can break out IP and AppleTalk, at layer 3 TCP and UDP, and at higher layers HTTP, FTP, SMTP, etc. There are a number of things you can look for. First, and simplest, is the mere existence of a protocol. More often than not, network engineers are shocked to find unexpected protocols operating on their networks (many even dispute the OptiView XG’s findings). The OptiView XG can identify which devices are sending these protocols.

Figure 3. OptiView XG identifies protocols by layer


Second, while some protocols may be acceptable on the network, it may be suspicious to see those protocols coming from workstations. For example, a PC generating routing protocols such as OSPF or RIP would be unexpected and could indicate an attempt to intercept a conversation. Third, the volume of such frames might also be suspect. A workstation will generate ARP frames, but if it is doing so regularly and in large volume, it may indicate some sort of infection. In a similar fashion, a large number of ICMP (Internet Control Message Protocol) frames coming from a PC might indicate a port scan looking for vulnerabilities.

Figure 4. OptiView XG can show conversations between workstations and other devices


Talkers / Conversation Pairs

Tracking who is talking to whom is also a good way to find suspicious activity. OptiView XG can display MAC conversations and IP conversations, and will even display devices by DNS name. This makes it very easy to see which devices are talking to devices off the local network, and to whom they are talking.


Figure 5. Drilling in on conversations using a specific protocol.

The Top Conversation tests will also show information about broadcast frames. Broadcast frames can tell you a lot about what is happening on the network. Because they are “broadcast” throughout the network, or at least throughout the VLAN, it is much more likely that the OptiView XG will be able to see them without a tap or span port. Network components, such as switches and servers, are prodigious broadcasters. End user workstations, however, typically generate broadcasts only when entering the network or setting up conversations. Many viruses and attacks use broadcast frames to learn about other devices on the network and how to exploit their weaknesses. Therefore, a user generating the occasional broadcast is perfectly normal – one that is generating them regularly is suspicious.


Figure 6. A list of broadcasters and the number of broadcast packets generated.
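The per-host heuristics described in the two sections above (routing protocols from a workstation, excessive ARP or ICMP, and hosts that broadcast continuously) can be expressed as a small audit over a frame list. This is an added example, not NETSCOUT code or OptiView XG output; the MAC addresses, frame counts, known-infrastructure list and thresholds are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of observed frames as (src_mac, dst_mac, protocol).
# Every address and count below is made up for this example.
BROADCAST = "ff:ff:ff:ff:ff:ff"
SERVER = "00:11:22:aa:bb:ff"
FRAMES = (
    [("00:11:22:aa:bb:01", BROADCAST, "ARP"), ("00:11:22:aa:bb:01", SERVER, "HTTP")]
    + [("00:11:22:aa:bb:02", BROADCAST, "ARP")] * 120           # ARP burst from a workstation
    + [("00:11:22:aa:bb:03", SERVER, "ICMP")] * 60              # many ICMP frames from one PC
    + [("00:11:22:aa:bb:04", "01:00:5e:00:00:05", "OSPF")] * 3  # a workstation speaking OSPF
    + [("00:11:22:aa:bb:10", BROADCAST, "ARP")] * 300           # the router: expected to be chatty
)

# Hosts the auditor already knows as switches, routers or servers (assumed list).
KNOWN_INFRASTRUCTURE = {"00:11:22:aa:bb:10", SERVER}
ROUTING_PROTOCOLS = {"OSPF", "RIP", "EIGRP", "BGP"}
# Thresholds are illustrative; tune them to the capture window and network size.
ARP_THRESHOLD = 50
ICMP_THRESHOLD = 40
BROADCAST_THRESHOLD = 50


def audit_frames(frames, infrastructure=KNOWN_INFRASTRUCTURE):
    """Return sorted (host, finding, detail) tuples for hosts that look suspicious."""
    arp, icmp, bcast = Counter(), Counter(), Counter()
    protocols = defaultdict(set)
    for src, dst, proto in frames:
        protocols[src].add(proto)
        if proto == "ARP":
            arp[src] += 1
        elif proto == "ICMP":
            icmp[src] += 1
        if dst == BROADCAST:
            bcast[src] += 1

    findings = []
    for host, seen in protocols.items():
        if host in infrastructure:
            continue  # network components are prodigious broadcasters by design
        routing = seen & ROUTING_PROTOCOLS
        if routing:
            findings.append((host, "routing protocol from workstation", ",".join(sorted(routing))))
        if arp[host] > ARP_THRESHOLD:
            findings.append((host, "excessive ARP", arp[host]))
        if icmp[host] > ICMP_THRESHOLD:
            findings.append((host, "excessive ICMP", icmp[host]))
        if bcast[host] > BROADCAST_THRESHOLD:
            findings.append((host, "excessive broadcasts", bcast[host]))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding, detail in audit_frames(FRAMES):
        print(f"{host}: {finding} ({detail})")
```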


Free string match / packet capture

Capturing and decoding the actual conversations emanating from a device is the ultimate way to decipher what is going on. OptiView XG makes this easy to do. Once the device, conversation, or protocol of interest is identified, just a couple of touches of the screen allow the frames to be captured and stored. The optional ClearSight™ Analyzer software can then decode the frames to see exactly what is in them.

It should be noted that other tools would be necessary to decode a conversation that is encrypted.


Figure 7. OptiView XG packet capture set up. This can be automatically configured by selecting the areas of interest from a list of active devices and protocols.

Packet capturing can also be enhanced by setting up the OptiView XG to capture frames if it sees a user-defined word or pattern within the frame. While there are other tools that can perform a match of the pattern at a predefined location within the frame, the “free string match” of the OptiView XG allows it to find the pattern anywhere within the frame.


Active Tests

Active tests greatly expand the vision of the OptiView XG and can find many things that passive monitoring cannot. The only real downside is that these tests could potentially signal to an attacker that they are being hunted. However, the amount and type of traffic being sent is small, and since the OptiView XG is not well known outside the network management community, it is unlikely the tests would trigger any alarm bells.


Device Discovery

While listening to traffic can help you see who is on the network, there are two significant limitations to this approach. First, devices that don’t talk won’t show up. Second, in a switched network, devices that are talking won’t show up unless you’re connected to a trunk via a tap or using port mirroring.

The active Discovery tests in the OptiView XG overcome these difficulties. The OptiView XG uses a number of techniques to probe the network and elicit a response from almost any device on the network. (While it would be theoretically possible to connect to a network without responding to the OptiView XG’s queries, it would require a great deal of sophistication and make it nearly impossible for the device to participate.)

Figure 8. OptiView XG discovery screen.


Discovered devices are classified by type, such as servers, printers, and wireless devices. Reports can be generated for quick comparison of these devices to a list of known good ones. With the ability to export the discovered devices to a CSV file, the discovery information can be imported into other systems for analysis. Unexpected servers or wireless devices on a network should be investigated immediately.

The OptiView XG’s range of discovery can be controlled by the operator. This controls the size of the list discovered, as well as the time required and the amount of traffic generated. This sort of discovery is typically done by individual VLAN but can be extended as far as is desired.


Network Mapping and Unknown Switches

The network map automatically provides a graphical representation of devices in the network and their interconnections. This is useful to see exactly where devices reside on the network and how they are connected. For example, by selecting particular subnets, a map can be created that shows where a subnet relates to a site, a building, or a floor of a building. By selecting the Report button, you can instantly create a graphical map of the network that can be saved as a Visio drawing file.
Switches, routers, hosts, and other devices are color coded for easy identification, as are the links between them. Information presented on devices and links is customizable. The map will also show the presence of “unknown switches” – these could be authorized interconnect devices with no management (SNMP) capabilities, but they may be unauthorized devices.

Figure 9. Network map.



Switch Analysis

If the user of the OptiView XG has access to the switches in the network, they can get a further degree of visibility using the OptiView XG’s Device Detail tests. In order to have access, two conditions must be met. First, the management address (port) of the switch must be reachable from the network to which the OptiView XG is connected. In many cases, management addresses are on a separate VLAN from the workstations connected to the switch. Second, the OptiView XG must be programmed with the community string, the password required to access the switch via SNMP (Simple Network Management Protocol). If both conditions are met, then the tests below can be run.

In order for a device to see or generate any traffic on the network, it must be connected to an active port of the switch. The OptiView XG can query the switch and get a list of all the active ports. This can be compared to a “known good” list of active ports from a prior test. Any ports that are currently active but were not active before indicate a new device on the network.

The OptiView XG can also provide details about which device or devices are attached to a port. Typically, only one device is used per port – more than one could indicate an unauthorized device (see figure 10). This also makes it easy to track down an unauthorized device even if it is the only one on the port. If someone has placed an unmanaged interconnect device on the network (some device to which multiple MACs are attached, wired or wireless), it will show up as an “unmanaged device”. The upstream switch port for such devices will be identified, allowing that port to be shut down for further investigation. The OptiView XG can also show utilization levels on a port, which can help track down devices that are generating excessive broadcasts, which, as mentioned above, could be suspicious.

Figure 10. OptiView XG can list devices attached to each switch port.
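The switch checks just described (new active ports since the last audit, more than one device on an access port, locating the port a given MAC sits on, and unknown MACs) are shown below as an added example; it is not NETSCOUT code and does not query a switch. The port names, MAC addresses, baseline, uplink list and allowed-MAC list are constructed stand-ins for what an SNMP bridge-table query would return.

```python
# Constructed switch data standing in for what an SNMP bridge-table query returns.
# Port names, MAC addresses and the baseline are all made up for this example.
BASELINE_ACTIVE_PORTS = {"Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/24"}  # from the prior audit
CURRENT_PORT_TABLE = {
    "Gi1/0/1": ["00:11:22:aa:bb:01"],
    "Gi1/0/2": ["00:11:22:aa:bb:02"],
    "Gi1/0/3": ["00:11:22:aa:bb:03", "00:11:22:aa:bb:31", "00:11:22:aa:bb:32"],  # three MACs
    "Gi1/0/4": [],                                           # inactive port
    "Gi1/0/7": ["00:11:22:aa:bb:07"],                        # not active at the last audit
    "Gi1/0/24": ["00:11:22:aa:bb:fe", "00:11:22:aa:bb:fd"],  # uplink to the core
}
UPLINK_PORTS = {"Gi1/0/24"}  # trunks legitimately learn many MACs
ALLOWED_MACS = {  # the MAC list / known-good inventory (assumed)
    "00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03",
    "00:11:22:aa:bb:fe", "00:11:22:aa:bb:fd",
}


def active_ports(port_table):
    """Ports that currently have at least one learned MAC address."""
    return {port for port, macs in port_table.items() if macs}


def locate_mac(port_table, mac):
    """Return the port a MAC address was learned on, or None if it is not present."""
    for port, macs in port_table.items():
        if mac in macs:
            return port
    return None


def audit_switch(port_table, baseline_active, uplinks=UPLINK_PORTS, allowed=ALLOWED_MACS):
    """Return sorted (port, finding, detail) tuples for the checks described in the text."""
    findings = []
    for port in active_ports(port_table) - baseline_active:
        findings.append((port, "newly active port", ",".join(port_table[port])))
    for port, macs in port_table.items():
        if port in uplinks:
            continue  # a trunk carrying many MACs is expected, not suspicious
        if len(macs) > 1:  # one device per access port is the norm
            findings.append((port, "multiple devices on one port", len(macs)))
        for mac in macs:
            if mac not in allowed:
                findings.append((port, "unknown device", mac))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding, detail in audit_switch(CURRENT_PORT_TABLE, BASELINE_ACTIVE_PORTS):
        print(f"{port}: {finding} ({detail})")
    print("00:11:22:aa:bb:32 is on", locate_mac(CURRENT_PORT_TABLE, "00:11:22:aa:bb:32"))
```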


Device Detail

The Device Detail tests let you extract information about a specific device, such as its MAC address, DNS name, supported protocols, and whether it supports IPv4, IPv6, or both. You can also perform a port scan (either IPv4 or IPv6) on the device to assess vulnerabilities.

Wireless

Wireless networking adds a great deal of flexibility and convenience, but can also create new vulnerabilities. OptiView XG can help you find those vulnerabilities.

An unsecured wireless Access Point (AP) can be an open door into your network. OptiView XG can find APs from both the wired and wireless side of your network. If the AP is unauthorized, it can be tracked down to a specific port using the switch detail on the wired side, or physically using the locate function on the wireless side. Security settings of the AP can also be validated.

Figure 11. OptiView XG can discover wireless devices and categorize them.


OptiView XG can also discover devices on the wireless side of the network, much as it does on the wired side. Logs of devices can be kept and compared to quickly identify new devices since the last audit.


Spectrum Analysis

A software option for the OptiView XG provides security professionals the vision they need into the hidden world of Wi-Fi, with an ability to see the spectrum in a visible and intelligible format. This lets you see, monitor, analyze, and manage all the RF sources and wireless devices that influence a Wi-Fi network’s performance and security, even if those devices are unauthorized or transient. This spectrum analyzer software is not a replacement for a purpose-built product, but it will show devices interfering with or attempting to transmit in the 2.4 and 5 GHz bands.

SNMP

SNMP allows the OptiView XG access to information in switches as described above; however, it can also be a security risk. Leaving devices with SNMP enabled and protected only by default community strings (passwords) can leave them open to all manner of attack, including reprogramming them entirely. To prevent these problems, the network administrator can implement some mix of the following:

  • Disable SNMP entirely (which, however, limits the admin’s ability to manage the device)
  • Upgrade from SNMPv1 or v2 to the more secure SNMPv3
  • Change the community strings to something more secure
  • Allow access to the SNMP agents only through a separate management VLAN
  • Allow access to the SNMP agents only by a predefined list of devices

OptiView XG can test and verify all of these.


IPv6

While no one seems to be able to predict when IPv6 will be widely adopted within enterprise networks, it is actually already here, being shipped in a variety of products and operating systems. All a user has to do is plug in such a new device, and you’ve got IPv6 on your network. Government agencies are being driven by the Federal Acquisition Regulation to require all new hardware to be certified IPv6 capable. This will boost the number of IPv6 machines on government networks.

The OptiView XG can run all of the tests above on an IPv6 network, but it also includes specific tests designed to address IPv6 security concerns.

The first thing you will want to know is how much IPv6 traffic is on your network. The passive protocol test mentioned above will show you instantly if any IPv6 traffic is present, and which devices are generating it. You can use Top Conversations to see which devices are communicating with one another using IPv6.

Next is a suite of active IPv6 tests. The IPv6 Devices test uses active techniques similar to the ones described earlier to find all the devices which are IPv6 capable – whether or not they are actively generating IPv6 traffic.

Next is the Router Advertisements test. Non-routers advertising subnet addresses that should not exist could be caused by router or host configuration errors, or could be an indication of malicious activity. By sending fake router advertisements, an attacker pretends to be a router, and all other hosts on the subnet will send traffic leaving the subnet to the attacker’s host, resulting in a man-in-the-middle attack.


Figure 12. OptiView XG IPv6 Test suite, listing devices discovered on the network


Last is the Tunneling report. Tunneling allows IPv6 to run on IPv4 networks. Tunneling is supported in every OS and can often enable itself. Tunneling is not a problem per se, but it can open your networks to vulnerabilities, as it can operate in an encrypted manner with anonymous addressing. Tunnels often go undetected through firewalls and intrusion detection systems (IDS). By touching the Tunneling tab, OptiView XG will show all the devices communicating with one another using tunneling, plus the type of tunneling being used.

By looking at the type of tunneling being used, and with whom it is being used, you can assess the level of risk. Tunneling between two devices on the local network is not suspect, but using tunneling to communicate with devices outside the network implies a higher risk. Teredo tunneling is commonly used for home connections to the internet; it makes a hole in the firewall and allows NAT traversal.

If you observe a local tunnel within your intranet there is little risk, but if you have a local device with a tunnel endpoint outside of your network, it may allow access to the internal network from the internet, which will probably be unprotected by firewalls or intrusion detection systems.
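The two IPv6 checks above (router advertisements from a device that is not the authorized router, and tunnels rated by whether their far end is inside or outside the network) are illustrated below as an added example. It is not NETSCOUT code and does not decode packets; the local prefixes, the authorized router address and the observed packets are constructed assumptions, and the tunnel identification relies only on IP protocol 41 (6in4, 6to4, ISATAP) and Teredo’s UDP port 3544.

```python
import ipaddress

# Address space the auditor considers "inside" and the router that is allowed to
# send Router Advertisements. Both are assumptions made up for this example.
LOCAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("2001:db8:1::/48")]
AUTHORIZED_ROUTERS = {"fe80::1"}
TEREDO_PORT = 3544         # Teredo servers and relays listen on UDP 3544
PROTO_IPV6_IN_IPV4 = 41    # 6in4, 6to4 and ISATAP all carry IPv6 inside IP protocol 41
PROTO_UDP = 17

# Constructed observations, roughly what an analyzer decodes per packet.
OBSERVATIONS = [
    {"kind": "ra", "src": "fe80::1", "prefix": "2001:db8:1:1::/64"},       # legitimate router
    {"kind": "ra", "src": "fe80::dead", "prefix": "2001:db8:9::/64"},      # RA from a non-router
    {"kind": "ipv4", "src": "10.0.1.5", "dst": "10.0.1.9", "proto": 41},   # 6in4 inside the LAN
    {"kind": "ipv4", "src": "10.0.1.7", "dst": "192.0.2.10", "proto": 41}, # 6in4 to the outside
    {"kind": "ipv4", "src": "10.0.1.8", "dst": "203.0.113.20", "proto": 17, "dport": 3544},  # Teredo
    {"kind": "ipv4", "src": "10.0.1.5", "dst": "10.0.1.9", "proto": 6, "dport": 443},       # plain TCP
]


def is_local(address):
    """True if the address falls inside one of the auditor's own prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in LOCAL_PREFIXES)


def tunnel_type(pkt):
    """Name the IPv6-over-IPv4 tunnel a packet belongs to, or None if it is not a tunnel."""
    if pkt.get("kind") != "ipv4":
        return None
    if pkt.get("proto") == PROTO_IPV6_IN_IPV4:
        return "6in4/6to4/ISATAP"
    if pkt.get("proto") == PROTO_UDP and TEREDO_PORT in (pkt.get("sport"), pkt.get("dport")):
        return "Teredo"
    return None


def audit_ipv6(observations, authorized_routers=AUTHORIZED_ROUTERS):
    """Flag rogue Router Advertisements and rate each tunnel by where its far end is."""
    findings = []
    for pkt in observations:
        if pkt["kind"] == "ra":
            if pkt["src"] not in authorized_routers:
                findings.append({"issue": "rogue router advertisement", "src": pkt["src"],
                                 "prefix": pkt["prefix"], "risk": "high"})
            continue
        kind = tunnel_type(pkt)
        if kind is None:
            continue
        # A tunnel whose far end lies outside the network bypasses the perimeter controls.
        risk = "low" if is_local(pkt["src"]) and is_local(pkt["dst"]) else "high"
        findings.append({"issue": f"{kind} tunnel", "src": pkt["src"], "dst": pkt["dst"], "risk": risk})
    return findings


if __name__ == "__main__":
    for finding in audit_ipv6(OBSERVATIONS):
        print(finding)
```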


Reports

In addition to providing the information noted above, OptiView XG can generate reports of that information for easy storage and comparison during future audits. Reports are provided in both PDF and HTML format with hyperlinks for ease of use. These reports can be saved on the OptiView XG or on the local PC, using the Remote UI.

OptiView XG Security

The OptiView XG is designed to support work in secure environments. User accounts on the OptiView XG control access to tests and sensitive information such as passwords stored in the instrument. Each account can be set up with the required level of access. Remote control, if needed, is provided through a proprietary communications protocol using a remote user interface application which can be installed on the client computer.

Figure 13. OptiView XG user accounts setup screen.


The OptiView XG is also designed to be a secure client. When accessed using the touch screen or the management interface, the network port can be locked down to isolate the Windows installation on the OptiView XG from the network being monitored. This eliminates the chance of the OptiView XG being infected by viruses or hackers.


The SSD used by the OptiView XG is easily accessed by removing two screws on the bottom of the unit. This allows the security officer to conduct a complete audit of the network and remove the OptiView XG while leaving the sensitive data (the drive) secured at the site. When returning for future audits, the secured drive can simply be installed back into the OptiView XG; the results from the previous audit can then be compared with the current status of the network.

Alternatively, US government agencies and certain treaty countries may purchase the “US DOD SECURE” version of the OptiView XG. This product features a hardened OS and operating software, and has been named to the U.S. Department of Defense (DoD) Unified Capability Approved Products List (UC APL) after certification by DISA (Defense Information Systems Agency) for interoperability and information assurance (IA).


Summary of OptiView XG Security Tests

TEST / FEATURE (VALUE / COMMENTS listed under each)

Modify MAC Address
  • Test MAC-access control security
  • Allows spoofing of MAC addresses
802.1x Login
  • Test 802.1x security
Protocols
  • Find unauthorized protocols and applications on the network and who is sending them
  • Find devices sending unexpected protocols
  • Find devices sending high volumes of unexpected protocols (i.e. broadcasts)
  • Find IPv6 traffic
Top Conversations
  • Determine who local workstations are talking to
  • Find IPv6 conversations
  • Network names of off-network devices
Packet Capture
  • Gather packets for in-depth analysis (decoding)
  • Free String Match lets you find any pattern anywhere in the frame
Device Discovery
  • Inventory all devices on the network
  • Determine if SNMP devices are accessible from the network
  • Visibility beyond the switch or router; finds devices that are not transmitting
Device Detail - Interfaces
  • Find all active ports on the switch
  • Find devices connected to each port
  • Find where a device is connected
  • Validate SNMP security settings
  • Find ports with multiple devices connected
Device Detail - Overview
  • Determine device name(s), supported protocols, IPv4 and v6 support
  • Also queries devices off the local network
Wireless APs
  • List APs and determine if they are secured
  • Find unauthorized APs
  • Supports 802.11 a/b/g/n/ac
Wireless Clients
  • Find unsecured users
  • Find unauthorized users
  • Supports 802.11 a/b/g/n/ac
Wireless Spectrum
  • Find devices (sources of interference or non-802.11 wireless devices) operating in the 802.11 bands (2.4 GHz and 5 GHz)
IPv6 Devices
  • Determine if IPv6 devices are operating on the network
  • Visibility beyond the switch or router; finds devices that are not transmitting
IPv6 Router Advertisements
  • Discover devices acting as routers (potential rogue devices)
IPv6 Tunneling
  • Who is using tunneling
  • Who they are talking to