Network Monitoring on a Budget

Posted: August 21st, 2009 | Filed under: Network, Security

In this post, I want to discuss how to monitor a small network without spending big money. The primary goal of such monitoring is security: we want to look for signs that attackers or malware are present on our network. It is quite a daunting task, especially when there is no dedicated budget and no dedicated personnel (which is what one usually finds in small, and sometimes even not so small, institutions). Below are some of the things that I have tried. If you have other ideas, please share them (send a comment).

Know your network

To monitor the network, you need to know its topology, and you need a full inventory of the nodes present on it. While this is very obvious, I have seen quite a few networks in my career without any form of documentation or description whatsoever.

The network inventory should contain not only the IP addresses but also the MAC addresses of every device/node connecting to your network. Without such an inventory, and without knowledge of the network topology, there is no monitoring.

ARP monitoring

The best way to look for unauthorized devices on your network is to use an ARP monitoring program. I use arpalert, but there are a few other similar open-source programs.

Installation and use of arpalert is very easy. All you need is a computer running Linux. If you do not have one on your network, find an old, obsolete desktop or laptop and install Linux and arpalert on it. If you do not install a graphical user interface, and you certainly do not need one for arpalert, Linux can easily be installed and run on really old hardware. I run Linux on 9-year-old boxes. Connect this computer to your network at a point where it can see all ARP requests, and start monitoring.

You should create a whitelist for arpalert of the IP/MAC address combinations that are authorized to be present on your network. This way you will only be alerted to unauthorized presence.

Arpalert is a great tool for small networks. It may be more difficult to use on networks with significant segmentation (i.e. with many subnets and/or VLANs), because ARP traffic does not cross subnet boundaries and each segment therefore needs its own sensor.
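To show what an ARP monitor such as arpalert does with a whitelist, here is an added example (not code from this post and not arpalert's own code). It decodes ARP frames the way a sensor on a mirror port or tap would see them and checks each sender against an authorized IP/MAC inventory. The inventory, the MAC addresses and the frames are all constructed sample data, and the build_arp helper exists only to construct that input in memory. Besides unknown MACs it also reports a listed IP being claimed by a different MAC, which is the trace that ARP poisoning (discussed under packet sniffing below) leaves in the ARP traffic, and it skips the IP checks for ARP probes, whose sender address is 0.0.0.0 by design.

```python
"""Whitelist-based ARP monitor over raw Ethernet frames (added example).

Not part of the original post and not arpalert code. Decodes ARP packets as a
monitor on a mirror port or tap would see them and compares each sender
IP/MAC pair with an authorized inventory. All addresses and frames below are
constructed sample data.
"""
import struct

ETHERTYPE_ARP = 0x0806
# htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame; used here only to construct sample input."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tha)
    eth = dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 14 + ARP_HDR.size or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)


def check_frames(frames, whitelist):
    """Compare every ARP sender with the authorized IP -> MAC inventory; return alerts."""
    known_macs = set(whitelist.values())
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:          # not ARP (or not IPv4 over Ethernet): ignore
            continue
        op, mac, ip, _target = parsed
        if mac not in known_macs:   # a device that is not in the inventory at all
            alerts.append(("unknown-mac", mac, ip))
        if ip == "0.0.0.0":         # ARP probe (RFC 5227): sender has no address yet
            continue
        expected = whitelist.get(ip)
        if expected is None:
            if mac in known_macs:   # known device using an IP it is not listed for
                alerts.append(("unlisted-ip", mac, ip))
        elif expected != mac:       # listed IP claimed by the wrong MAC: possible spoofing
            alerts.append(("ip-conflict", mac, ip, expected))
    return alerts


# Constructed inventory: IP -> authorized MAC
WHITELIST = {
    "192.168.1.1": "00:11:22:33:44:01",    # gateway
    "192.168.1.10": "00:11:22:33:44:0a",   # workstation
}

# Constructed frames as a sensor might capture them
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "00:11:22:33:44:01", "192.168.1.1", "00:00:00:00:00:00", "192.168.1.10"),
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:ff", "192.168.1.1", "00:11:22:33:44:0a", "192.168.1.10"),
    build_arp(ARP_REQUEST, "00:11:22:33:44:0a", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REQUEST, "de:ad:be:ef:00:01", "0.0.0.0", "00:00:00:00:00:00", "192.168.1.50"),
    # an IPv4 frame (ethertype 0x0800) with a dummy payload: not ARP, must be ignored
    b"\xff" * 6 + mac_bytes("00:11:22:33:44:01") + struct.pack("!H", 0x0800) + b"\x00" * 28,
]

if __name__ == "__main__":
    for alert in check_frames(SAMPLE_FRAMES, WHITELIST):
        print(*alert)
```

The sample run yields one clean gateway request, an unknown MAC that also claims the gateway's IP (two alerts for one frame), a known workstation on an unlisted IP, and an unknown MAC probing for an address. A real sensor would feed check_frames from a capture on the segment it monitors and would rate-limit repeats, since a misconfigured host can generate the same alert thousands of times a day.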

Honeypots

Honeypots are very useful for alerting you to the presence of attackers or malware on your network. They are also very inexpensive to set up and use. All you need is a spare computer, and it can be quite an old one. All you really need is some disk space for logs and, of course, a network adapter. If you have more old hardware lying around, you may even consider putting more than one honeypot on your network, such as one on each subnet.

There are many open-source honeypot projects, and there are also some commercial ones. If you stick with open-source projects, the honeypot software comes free (although you should consider donating to the project, if possible). Most honeypots run under Linux; however, there are some that will work under Windows, too. Myself, I have used nepenthes and honeyd – both under Linux.

One can configure a honeypot to emulate a whole network or just a single host. For our monitoring purposes a single host should be sufficient. Test your honeypot installation before putting it into production: run a port scan against your honeypot host. If everything works as intended, the scan should show up in the honeypot's logs.

With your honeypot in place, remember to check the logs frequently. Without that, your honeypot is completely useless.
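A minimal illustration of the two things a honeypot must do, record every contact and prove it is recording, as an added example that is not the post's code and not nepenthes or honeyd: a TCP listener that logs each connection attempt (source address, destination port, first bytes sent), plus a loopback self-test that stands in for the port scan recommended above. Listening on 127.0.0.1 with port 0 (an OS-chosen free port) is an assumption made so the block runs anywhere; a real deployment listens on the honeypot's LAN address and on the ports it advertises, and writes the log to disk.

```python
"""Minimal logging TCP listener with a loopback self-test (added example).

Not part of the original post and not nepenthes/honeyd code. A honeypot has no
legitimate users, so every connection it receives is worth recording; this
listener records them and the self-test verifies the recording works.
"""
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone


class ConnectionLog:
    """Thread-safe list of observed connection attempts."""

    def __init__(self):
        self._lock = threading.Lock()
        self.entries = []
        self.updated = threading.Event()   # lets a watcher wait for new entries

    def add(self, entry):
        with self._lock:
            self.entries.append(entry)
        self.updated.set()


class RecordingHandler(socketserver.BaseRequestHandler):
    """Record who connected, on which port, and what they sent first."""

    def handle(self):
        self.request.settimeout(1.0)       # a bare SYN scan sends nothing: do not hang
        try:
            banner = self.request.recv(64)
        except socket.timeout:
            banner = b""
        src_ip, src_port = self.client_address[:2]
        self.server.log.add({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src": f"{src_ip}:{src_port}",
            "dst_port": self.server.server_address[1],
            "first_bytes": banner[:16],
        })


class LoggingListener(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, log):
        super().__init__(addr, RecordingHandler)
        self.log = log


def start_listener(host="127.0.0.1", port=0):
    """Start a listener in a background thread; port 0 lets the OS pick a free port (assumption)."""
    log = ConnectionLog()
    srv = LoggingListener((host, port), log)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, log


def self_test(probe=b"probe\r\n", timeout=5.0):
    """Connect to our own listener once, as a scanner would, and return what got logged."""
    srv, log = start_listener()
    try:
        with socket.create_connection(srv.server_address, timeout=2.0) as client:
            client.sendall(probe)
        deadline = time.monotonic() + timeout
        while not log.entries and time.monotonic() < deadline:
            log.updated.wait(0.1)
    finally:
        srv.shutdown()
        srv.server_close()
    return log.entries


if __name__ == "__main__":
    for entry in self_test():
        print("logged:", entry)
```

If self_test returns an empty list, nothing is being recorded and the honeypot would be silent in production too, which is exactly the condition the post warns about. The same check, run against the real listener from another host, is the port-scan test described above.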

Packet sniffing

In the old days, when network hubs were commonly used, sniffing network traffic was trivial. This is more difficult to achieve with network switches, which forward each frame only to the port where its destination is attached.

If you have so-called managed switches on your network, it is likely that they offer a “mirroring port”. You can configure the switch to copy (mirror) the traffic on some port (or on several ports; sometimes you can even copy traffic from all ports) to this designated mirroring port. Now all you need is to connect to this port a computer running some network analysis software. Again, you will find a large selection of open-source programs for network traffic analysis. Depending on your needs, this could be Snort, Wireshark, tcpdump, or anything else that can capture packets and analyze them.

If your switches are of the non-managed variety (also called “dumb switches”), your only option for network sniffing is to use a passive Ethernet tap. A passive Ethernet tap allows you to mirror the traffic on an Ethernet link. You can find instructions on the web for do-it-yourself network taps for Fast Ethernet. However, I recommend that you use a commercial tap. The main problem is that taps cause signal loss. Simple do-it-yourself taps are not powered, and this may lead to signal degradation. Commercial taps are powered and have amplifier circuitry to avoid any signal loss. You can find good commercial taps for under $200 for Fast Ethernet (i.e. 100 megabit Ethernet). I do not believe that it is even possible to build a network tap for gigabit Ethernet yourself. Commercial taps for gigabit Ethernet are available, but they do not come cheap; it may be difficult to find one under $1000.

There are ARP poisoning techniques (also known as ARP spoofing) that allow one to sniff network traffic intended for other hosts (this is what an attacker might do once on your network). I do not recommend that you use these techniques for sniffing traffic. If things do not work exactly as intended, ARP poisoning may lead to packet loss and possibly other undesired effects on your network.

KISMET

If you administer a wireless network, you should be using KISMET. KISMET is absolutely the best tool for monitoring wireless networks. I use it to look for rogue access points and to check the list of clients associated with my access points.

You need a laptop with Linux to use KISMET. You could also use the KisMAC tool on a Mac laptop (KISMET can also be compiled and used under Mac OS X). While it is possible to run KISMET on Windows, only one wireless adapter is supported there, which makes Windows a pretty much useless platform for KISMET.

Again, you can use an older laptop with KISMET. If the wireless card already present in the laptop is not supported by Linux and/or KISMET, buy a PCMCIA or USB wireless card that is supported (consult KISMET’s web site for the list of supported cards).

Analyze network bandwidth use on hosts

I have used IFSTAT to collect and analyze network bandwidth use on some hosts on my network. I even wrote scripts to send the collected data to a web server and display it there in a form that makes it easy to spot trends and/or anomalies (see my previous post on this subject).

However, I am not sure whether such monitoring of network usage would be very helpful in spotting illegal activity. An attacker or a malware program would have to be sending a sizable amount of data through the network interface for their activity to stand out in the IFSTAT-collected data. This may be easier to spot if a very fine collection window is used (I collect IFSTAT values at 10-minute intervals); however, this would generate a vast amount of data that may be difficult to analyze.

Anyway, I have been using IFSTAT for a while now, and I am listing it here as a tool that may be of some help in network monitoring.
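To make a 10-minute IFSTAT series easier to analyze, here is an added example (not the author's scripts and not part of ifstat) that reads interval samples in a simple constructed "timestamp interface KB/s-in KB/s-out" layout, builds a robust per-direction baseline from the median and the median absolute deviation, flags intervals that sit far above it, and shows one way to shrink the data volume six-fold (keeping only the per-hour peak) without losing the spikes worth looking at. The series is constructed; the single outbound spike at 22:40 stands in for a host pushing out an unusual amount of data.

```python
"""Bandwidth anomaly detection over interval-sampled interface counters (added example).

Not part of the original post. Input is a constructed text layout, one line per
10-minute interval: "YYYY-MM-DD HH:MM iface kb_in kb_out". The robust baseline
(median, MAD) is used because a mean and standard deviation would be dragged up
by the very outliers we want to catch.
"""
from collections import defaultdict
from statistics import median
from typing import NamedTuple


class Sample(NamedTuple):
    timestamp: str      # "YYYY-MM-DD HH:MM"
    iface: str
    kb_in: float
    kb_out: float


class Anomaly(NamedTuple):
    timestamp: str
    iface: str
    direction: str      # "in" or "out"
    value: float
    threshold: float


# Constructed sample series: quiet evening traffic with one outbound burst at 22:40
SAMPLE_LINES = """\
# timestamp        iface kb_in kb_out
2009-08-20 21:00 eth0 44.1 5.2
2009-08-20 21:10 eth0 52.3 6.1
2009-08-20 21:20 eth0 48.7 7.3
2009-08-20 21:30 eth0 39.9 5.8
2009-08-20 21:40 eth0 55.2 6.4
2009-08-20 21:50 eth0 47.0 8.0
2009-08-20 22:00 eth0 50.5 5.5
2009-08-20 22:10 eth0 43.8 6.9
2009-08-20 22:20 eth0 58.1 7.1
2009-08-20 22:30 eth0 46.4 6.0
2009-08-20 22:40 eth0 49.9 850.0
2009-08-20 22:50 eth0 51.7 5.9
2009-08-20 23:00 eth0 45.3 6.6
2009-08-20 23:10 eth0 53.6 7.4
2009-08-20 23:20 eth0 42.2 5.3
2009-08-20 23:30 eth0 56.8 6.2
2009-08-20 23:40 eth0 47.9 7.7
2009-08-20 23:50 eth0 50.1 6.8
"""


def parse_samples(text):
    """Parse the constructed layout above; blank lines and '#' comments are skipped."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, clock, iface, kb_in, kb_out = line.split()
        samples.append(Sample(f"{date} {clock}", iface, float(kb_in), float(kb_out)))
    return samples


def robust_baseline(values):
    """Median and median absolute deviation of a series."""
    m = median(values)
    return m, median(abs(v - m) for v in values)


def flag_anomalies(samples, k=6.0, min_mad=1.0):
    """Flag intervals whose rate exceeds median + k * MAD for that interface and direction."""
    by_iface = defaultdict(list)
    for s in samples:
        by_iface[s.iface].append(s)
    anomalies = []
    for iface, group in by_iface.items():
        for direction in ("in", "out"):
            values = [getattr(s, f"kb_{direction}") for s in group]
            m, mad = robust_baseline(values)
            # min_mad keeps a nearly flat series from flagging every small blip
            threshold = m + k * max(mad, min_mad)
            for s, v in zip(group, values):
                if v > threshold:
                    anomalies.append(Anomaly(s.timestamp, iface, direction, v, round(threshold, 2)))
    return anomalies


def hourly_max(samples):
    """Down-sample to the peak value per (interface, hour) and direction; peaks survive."""
    peaks = defaultdict(lambda: {"in": 0.0, "out": 0.0})
    for s in samples:
        key = (s.iface, s.timestamp[:13])     # "YYYY-MM-DD HH"
        peaks[key]["in"] = max(peaks[key]["in"], s.kb_in)
        peaks[key]["out"] = max(peaks[key]["out"], s.kb_out)
    return dict(peaks)


if __name__ == "__main__":
    data = parse_samples(SAMPLE_LINES)
    for a in flag_anomalies(data):
        print(f"{a.timestamp} {a.iface} {a.direction}: {a.value} KB/s (threshold {a.threshold})")
    for (iface, hour), peak in sorted(hourly_max(data).items()):
        print(f"{hour} {iface} peak in={peak['in']} out={peak['out']}")
```

With the series above, the baseline for outbound traffic is about 6.5 KB/s with a MAD under 1, so the threshold lands near 12.5 KB/s and only the 22:40 interval is flagged; inbound traffic never crosses its threshold. The factor k and the floor min_mad are tuning knobs to set from a few days of known-good data for each host, and the hourly peaks are what one would keep long term while discarding the raw 10-minute samples.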


Other ideas?

What other tools do you use? Please share your experience and leave a comment below.
