In this excerpt from Chapter 4, "Enterprise Network Instrumentation," of Extrusion Detection, author Richard Bejtlich describes the common methods for capturing packets on a wired LAN and on a WLAN.
Consider the enterprise shown in Figure 4-1 (on page 2 of the PDF). It consists of a perimeter, a DMZ, a wireless LAN (WLAN) and an intranet. All traffic travels over Category 5e network cables, with two exceptions: wireless clients use 802.11b and 802.11g media to speak to the wireless access point, and the perimeter router connects to the ISP router over a serial line. The diagram shows a simplified network; assume a real deployment could have more than the three DMZ hosts, two wireless clients and two workstations per access switch that are drawn.
Accessing traffic in each enterprise zone, with the exception of the WLAN, can be accomplished using one or more of the following standard methods:
- Hubs. A hub is a half-duplex networking device that repeats a packet on every interface except the one that received it, so every host connected to the hub sees every other host's traffic. Hubs are the low-end means of capturing packets: forcing a link into half-duplex operation introduces collisions and reduces throughput, and hubs are frequently not engineered to meet the reliability and uptime requirements of enterprise-class hardware. Note also that many inexpensive devices sold as "hubs" are actually small switches and will not show a sensor other hosts' traffic.
- SPAN ports. SPAN stands for "Switched Port Analyzer" and is also referred to as "port mirroring" and "port monitoring." A SPAN port is a port designated on an enterprise-class switch to receive a copy of traffic seen on other ports or VLANs. SPAN ports are a popular packet collection tool because they preserve full-duplex links, but there are often not enough SPAN ports available to fulfill every traffic capture need, and a SPAN port whose mirrored traffic exceeds its own link speed silently drops packets.
- Taps. A tap, or test access port, is a networking device specifically designed for monitoring applications. Network taps create permanent access ports for passive monitoring. A tap sits between any two network devices, such as a router and a firewall, two enterprise switches, or a host and an access switch, and preserves the full-duplex nature of modern switched links.
- Inline devices. An inline device is a specialized server or hardware device with more flexibility and complexity than a hub, SPAN port or tap. Although the devices above also sit in the traffic path, they are not full-fledged computers running general-purpose operating systems. Security staff build inline devices to collect or manipulate traffic as it passes through the inline device itself. Because every packet must traverse it, an inline device is also a potential point of failure, and its behaviour when it loses power or its software fails (passing traffic or blocking it) must be decided in advance.
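A passive full-duplex tap typically presents each direction of the tapped link on its own monitor port, so a sensor ends up with two capture streams that must be merged by timestamp before any session analysis. The following added example (not code from the book) does that merge for two constructed pcap files in the standard little-endian, microsecond pcap format; the MAC addresses, timestamps and payloads are invented sample data.

```python
"""Merge the two monitor legs of a passive full-duplex tap into one ordered stream.

Added example, not code from the book. A passive tap copies each direction of a
full-duplex link to its own monitor port, so the sensor captures one file per
leg; both must be interleaved by timestamp before sessions can be reassembled.
Only the little-endian, microsecond pcap framing is handled.
"""
import heapq
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

Packet = Tuple[int, int, bytes]         # (ts_sec, ts_usec, frame bytes)


def build_pcap(packets: List[Packet]) -> bytes:
    """Serialize packets as a pcap byte string (used here to construct the sample legs)."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in packets:
        out.append(REC_HDR.pack(sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data: bytes) -> Iterator[Packet]:
    """Yield (ts_sec, ts_usec, frame) records, rejecting anything but LE microsecond pcap."""
    magic = GLOBAL_HDR.unpack_from(data, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic; only little-endian microsecond pcap handled")
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        sec, usec, incl, _orig = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + incl > len(data):
            raise ValueError("truncated pcap record")
        yield sec, usec, data[off:off + incl]
        off += incl


def merge_tap_legs(leg_a: bytes, leg_b: bytes) -> List[Packet]:
    """Interleave two legs, each already in capture order, by (sec, usec)."""
    return list(heapq.merge(parse_pcap(leg_a), parse_pcap(leg_b), key=lambda p: (p[0], p[1])))


def src_mac(frame: bytes) -> str:
    """Source MAC of an Ethernet frame, printed in colon-hex form."""
    return ":".join(f"{b:02x}" for b in frame[6:12])


def ethernet_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Minimal Ethernet II frame; EtherType 0x0800 and a placeholder payload."""
    return dst + src + b"\x08\x00" + payload


# Constructed sample: a host (…:02) opens a TCP session to a server (…:01) across the tap.
HOST = bytes.fromhex("00005e005302")
SERVER = bytes.fromhex("00005e005301")
LEG_A = build_pcap([  # host -> server direction
    (1, 0, ethernet_frame(SERVER, HOST, b"SYN")),
    (1, 1000, ethernet_frame(SERVER, HOST, b"ACK")),
])
LEG_B = build_pcap([  # server -> host direction
    (1, 500, ethernet_frame(HOST, SERVER, b"SYN-ACK")),
])

if __name__ == "__main__":
    for sec, usec, frame in merge_tap_legs(LEG_A, LEG_B):
        print(f"{sec}.{usec:06d} {src_mac(frame)} {frame[14:].decode()}")
```

Merging by timestamp only works if both capture interfaces are clocked by the same sensor, which is why the two legs should be captured on one host rather than on two. Aggregation taps that combine both directions onto a single monitor port avoid the merge but can oversubscribe that port, the same way a SPAN port can.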
Collecting traffic in the WLAN can be accomplished using the following three methods:
- Active participation. A sensor near a wireless access point (WAP) that joins an infrastructure-mode WLAN can capture the traffic the WAP exchanges with its clients. If Wired Equivalent Privacy (WEP) or another means of encrypting wireless traffic (such as WPA2) is employed, the sensor must be configured with the network's keys to join the WLAN. Traffic captured through active participation tends to look like wired Ethernet traffic to the sensor.
- Passive participation. Sensors may collect wireless traffic in a completely passive mode, with the radio in monitor mode and without joining the WLAN. The sensor then sees the management, control and data frames passing between the WAP and its clients on the channel it is tuned to. If encryption is used and the sensor does not hold the keys, it can read frame headers but not the contents of data frames.
- Monitoring on the WAP. It may be possible to collect traffic directly on the WAP itself. This is certainly the case if the WAP is an in-house product built with a general-purpose operating system.
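To make the difference between the active and passive cases concrete, the following added example (not code from the book) classifies frames as a passive monitor-mode sensor sees them. It assumes each captured frame carries a radiotap header (the pseudo-header Linux monitor-mode captures produce) followed by the 802.11 MAC header; the sample frames are constructed in the block. Management and control frames are never encrypted by WEP or WPA, so a passive sensor always sees beacons, probes and RTS/CTS, while a data frame with the Protected Frame bit set is opaque without the keys.

```python
"""Classify 802.11 frames captured by a passive (monitor mode) sensor.

Added example, not code from the book. Frames are assumed to be
radiotap header + 802.11 MAC header, as produced by a Linux monitor-mode
capture. Only the Frame Control field is interpreted, so the example does
not depend on the radiotap fields that real drivers include.
"""
import struct
from typing import Dict, List, Optional, Tuple

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
PROTECTED_FLAG = 0x40          # bit 6 of the Frame Control flags byte
DATA_HDR_LEN = 24              # non-QoS data frame without a fourth address


def radiotap_len(frame: bytes) -> int:
    """Length of the radiotap header: version 0, pad byte, little-endian length."""
    version, _pad, length = struct.unpack_from("<BBH", frame, 0)
    if version != 0 or length < 8 or length > len(frame):
        raise ValueError("bad radiotap header")
    return length


def classify_80211(frame: bytes) -> Tuple[str, int, bool]:
    """Return (type name, subtype, protected) from the 802.11 Frame Control field."""
    body = frame[radiotap_len(frame):]
    if len(body) < 2:
        raise ValueError("frame too short for an 802.11 header")
    fc0, fc1 = body[0], body[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    return FRAME_TYPES.get(ftype, "reserved"), subtype, bool(fc1 & PROTECTED_FLAG)


def readable_payload(frame: bytes) -> Optional[bytes]:
    """Payload of a cleartext non-QoS data frame; None if the sensor could not read it."""
    ftype, subtype, protected = classify_80211(frame)
    if ftype != "data" or subtype != 0 or protected:
        return None
    return frame[radiotap_len(frame) + DATA_HDR_LEN:]


def summarize(frames: List[bytes]) -> Dict[str, int]:
    """Count what a passive sensor sees, splitting data frames by readability."""
    counts = {"management": 0, "control": 0, "data": 0, "reserved": 0,
              "data_protected": 0, "data_cleartext": 0}
    for frame in frames:
        ftype, _subtype, protected = classify_80211(frame)
        counts[ftype] += 1
        if ftype == "data":
            counts["data_protected" if protected else "data_cleartext"] += 1
    return counts


def _frame(fc0: int, fc1: int, payload: bytes = b"") -> bytes:
    """Construct a sample frame: minimal radiotap header + 24-byte MAC header + payload."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)          # version, pad, length, no present bits
    mac = bytes([fc0, fc1]) + b"\x00\x00"                # Frame Control, duration
    mac += b"\xff" * 6 + b"\x02" * 6 + b"\x02" * 6       # addr1, addr2, addr3 (placeholder values)
    mac += b"\x00\x00"                                   # sequence control
    return radiotap + mac + payload


# Constructed sample capture, as a passive sensor on the WAP's channel would see it.
SAMPLE_FRAMES = [
    _frame(0x80, 0x00, b"\x00" * 12),                    # beacon (management, subtype 8)
    _frame(0xB4, 0x00),                                  # RTS (control, subtype 11)
    _frame(0x08, 0x41, b"\x8a\x13\x7e\xc0\x55"),         # data, ToDS + Protected: ciphertext
    _frame(0x08, 0x41, b"\x21\x9f\x04\xd2"),             # data, ToDS + Protected: ciphertext
    _frame(0x08, 0x01, b"GET / HTTP/1.0\r\n"),           # data, ToDS, unprotected: readable
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
    for f in SAMPLE_FRAMES:
        print(classify_80211(f), readable_payload(f))
```

An actively participating sensor, by contrast, receives data frames only after the WAP or its own driver has decrypted them, which is why that traffic "looks like wired Ethernet"; it does not see the management and control frames that the passive sensor counts above.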
The remainder of this chapter introduces several novel ways to collect traffic that are not found in other security texts. I start by discussing a handful of innovative taps manufactured by Net Optics, Inc.
Extrusion Detection: Security Monitoring for Internal Intrusions
By Bejtlich, Richard
Published by AWP
ISBN: 0321349962; Published: 11/4/2005; Copyright 2006; Pages: 416; Edition: 1