Network management Toolkit

Strengthen your network defences

Tags:
Packet Sniffer,
IPSec,
Network Security,
Encryption

Brien M Posey Tech Republic

Published: 30 Apr 2003 15:45 BST

Network isolation
If your company is very big, then there's a good chance that you have a Web server that hosts the company's Web site. If this Web server doesn't require access to a back end database or to other resources on your private network, there's no reason to place it on your private network. Why run the risk of someone using a Web server as an entry point to your private network when you can fix the problem by isolating the server on its own network?

If your Web server does require access to a database or to some other resource on your private network, I recommend placing an ISA Server between your firewall and the Web server. Internet users will communicate with the ISA Server rather than directly with the Web server. The ISA Server will proxy requests between users and the Web server. You can then establish an IPSec connection between the Web server and the database server and an SSL connection between the Web server and the ISA Server.

Packet sniffers
After you have taken the necessary steps to secure the traffic flowing across your network, I recommend occasionally using a packet sniffer to monitor network traffic. This is a precautionary step that allows you to see what types of traffic are actually present. If you detect unexpected packet types, you can identify where those packets are coming from.

The biggest problem with packet sniffers is that hackers use them as tools. At one time, I thought it was impossible to detect someone that was using a packet sniffer on my network because of the nature of packet sniffing. Packet sniffers simply watch traffic flowing across the wire and report the contents of each packet. Since packet sniffers don't transmit packets, how could you possibly detect them?

It's actually easier than you might think to detect packet sniffing. All you need is a bait machine, which should be a workstation that no one but you knows exists. Make sure that the bait machine has an IP address but is not a part of a domain. Then, place the bait machine on the network and generate some packets. If someone is sniffing the network, the sniffer will pick up the packets that the bait machine produces. The sniffer will know the machine's IP address, but not its host name. Usually, the sniffer will do a DNS lookup to try to determine the machine's host name. Since you are the only one who knows about the machine, no one should be doing DNS lookups on the machine. Therefore, if you check the DNS logs and see that someone has been doing DNS lookups on your bait machine, there's a good chance that the detected machine is sniffing the network.

Another step you can take toward preventing sniffing is to replace any existing hubs with VLAN switches. The idea is that these switches create virtual networks between the sender and the recipient of a packet. The packet no longer flows to every machine on the network; instead, it flows directly to its destination. This makes it difficult for someone who might be sniffing the network to get anything useful.

These types of switches have another benefit as well. With a standard hub, all of the nodes fall into a single collision domain. This means that if you have 100 Mbps of total bandwidth, it's divided among all of the nodes. However, with a VLAN switch, each virtual LAN has a dedicated amount of bandwidth it doesn't have to share. So a 100 Mbps switch could potentially handle many hundreds of megabits per second at a time, all on different virtual networks. Implementing VLAN switches will improve both security and efficiency.

Editorial disclaimer: The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

------------------------------------------------------------------------------
Author's note
The idea behind Microsoft's security philosophy is that you should focus on each of the five areas individually, as if each was your only line of defence. By doing so, you'll ensure that each area is as secure as it can be. You'll also ensure that if one of the defence layers is compromised, the other four layers are still intact and will protect your network against a full-blown security nightmare. For more information about the other areas you can focus on to increase network security, see the articles below. (You'll need a TechProGuild subscription to access them. Click here for a trial subscription.)