Monitoring and Diagnosing Networks


Network Monitors

Network monitors, also called sniffers, were originally introduced to help troubleshoot
network problems. A network-monitoring system usually consists of a PC with a NIC (running in promiscuous mode) and monitoring software. Promiscuous mode simply means that the network card looks at any packet that it sees on the network, even if that packet is not addressed to that network card.

Monitoring System Logs

Event logs are system logs that record various events that occur. Event logs comprise a broad category that includes some logs that are not relevant to security issues. Windows has several logs. The two most important logs for security purposes are the following:

  • Application – This log contains various events logged by applications or programs. Many applications will record their errors in this log.
  • Security – The most important things that you will find in the security log are successful and unsuccessful logon attempts. This log also records events related to resource use, such as creating, opening, or deleting files or other objects. Administrators can specify what events are recorded in the security log.

Linux also has logs that are important to security:

  • var/log/faillog This log file contains failed user logins. You’ll find this log useful when tracking attempts to crack into your system.
  • /var/log/apport.log This log records application crashes. Sometimes these can reveal attempts to compromise the system or the presence of a virus or spyware.


The term hardening is usually applied to operating systems. The idea is to “lock down” the operating system as much as is practical. Hardening is a general process of making certain that the operating system itself is as secure as it can be. In fact, it could be said that if you have not hardened the operating system, then any other security measures are going to be far less effective.

Working with Services

Services are programs that run when the operating system boots, and they are often are
running in the background without users interacting directly with them.

As a security administrator, you should regularly check all servers and make certain that
only necessary services are running on them.

  • File and Print Servers – These are primarily vulnerable to denial-of-service (DoS) and access attacks. DoS attacks can be targeted at specific protocols and overwhelm a port with activity. Make sure that these servers run only the protocols that are needed to support the network.
  • Networks with PC-based Systems – Make sure that NetBIOS services are disabled on servers or that an effective firewall is in place between the server and the Internet. Many of the popular attacks that are occurring on systems today take place through the NetBIOS services via ports 135, 137, 138, and 139. On Unix systems, make sure that port 111, the Remote Procedure Call (RPC)port, is closed.
  • Directory Sharing – Directory sharing should be limited to what is essential to performing systems functions. Make sure that any root directories are hidden from browsing.

Protecting Management Interfaces and Applications

The person running the administrative interfaces can make configuration changes to the system(s) and modify settings in ways that can have wide-ranging consequences. For example, a user who is able to gain access to the administrative tools could delete other users, set their own ID equal to the root user, change passwords, or delete key files.

To protect against this, access to management and administrative interfaces should be restricted to only those administrators who need it. Not only should you protect server utilities, but you should also even go so far as to remove users’ access to workstation utilities such as regedit and regedit32 that have administrative depth.


It is considered a security best practice to remove any software that is not needed.


A patch is an update to a system. Sometimes a patch adds new functionality; in other cases, it corrects a bug in the software.
If you are running a standalone system, you should elect to have updates automatically installed. However, in a network environment this is not the appropriate way to deal with patches. In a network environment, patches should first be applied to a single machine and tested.

Microsoft TechNet describes three types of patches:

  • A service pack is a periodic update that corrects problems in one version of a product. In addition to correcting known problems, service packs provide tools, drivers, and updates that extend product functionality, including enhancements developed after the product was released. Specifically, service packs are designed to get software users to the current code base for the product in question. This is important because the current code base is where developers update the code.
  • Updates are code fixes for products that are provided to individual customers when those customers experience critical problems for which no feasible workaround is available.
  • Security updates address security vulnerabilities. Attackers wanting to break into systems can exploit such vulnerabilities. Security updates are analogous to updates, but should be considered mandatory, and they must be deployed quickly.


User Account Control

User account control is a very important part of operating system hardening. It is important that only active accounts be operational and that they be properly managed. This means disabling unnecessary accounts. Most network administrators focus on domain accounts. Nevertheless, operating system hardening requires that you pay attention to local accounts as well.

  1. Any accounts that are not needed should be disabled. That is simple enough.
  2. All accounts must have passwords that meet your organization’s standards. Password requirements are not just for domain passwords; they are also for local passwords.
  3. Keep the principle of least privileges in mind: No account should have privileges in excess of the necessary job function.

All accounts that are not needed immediately, on servers and work-stations alike, should be disabled. Here are some types of accounts that you should disable:

  • Employees Who Have Left the Company
  • Temporary Employees
  • Default Guest Accounts



Some of the more common filesystems in Windows are:

  • File Allocation Table (FAT)
    • FAT was designed for relatively small disk drives.
    • Upgraded first to FAT16 and finally to FAT32.
    • FAT32 allows large disk systems to be used on Windows systems.
    • FAT allows only two types of protection: share-level and user-level access privileges.
  • New Technology Filesystem (NTFS)
    • Introduced with Windows NT to address security problems.
    • One of the benefits of NTFS was a transaction-tracking system, which made it possible for Windows NT to back out of any disk operations that were in progress when Windows NT crashed or lost power.
    • Files, directories, and volumes can each have their own security.
    • NTFS tracks security in access control lists (ACLs), which can hold permissions for local users and groups
    • Each entry in the ACL can specify what type of access is given, such as Read-Only, Change, or Full Control.
    • To see the version installed on a particular work-station, at the command prompt with administrative privileges type fsutil fsinfo ntfsinfo C:


Securing the Network

  • MAC Limiting and Filtering Limit access to the network to MAC addresses that are known, and filter out those that are not.
  • 802.1X Adding port authentication to MAC filtering takes security for the network down to the switch port level and increases your security exponentially. The biggest benefit of using 802.1X is that the access points and the switches do not need to do the authentication but instead rely on the authentication server to do the actual work.
  • Disable Unused Ports All ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter.
  • Rogue Machine Detection A rogue machine could be an intruder in a neighboring office connecting to your wireless network or an employee adding an unauthorized machine by plugging directly into a network RJ45 jack. Rogue machines pose a serious security risk.


Security Posture

It is impossible to evaluate your security without having a baseline configuration documented. The baseline must represent a secure state.

In other words, it is not just the current state of your network, but how it addresses specific compliance issues. Is your network in compliance with HIPAA, PCI, or other relevant regulatory standards? What is the configuration of network security devices (intrusion detection systems, antivirus, and so on)?

Continuous Security Monitoring

Continuous monitoring means exactly that: ongoing monitoring. This may involve regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations.

Security Audits

A security audit is an integral part of continuous security monitoring. Security audits can be a check of any aspect of your security, including the following:

  • Review of security logs
  • Review of policies and compliance with policies
  • A check of security device configuration
  • Review of incident response reports

The scope of the audit and its frequency are determined by the organization. These parameters are determined by security needs and budget.


Setting a Remediation Policy

Policies must include a remediation policy. When a gap in the security posture is detected, it should first be classified, and then a remediation plan must be implemented. The specifics of how you classify and respond to a gap will vary from one organization to another. One possible classification system is given here:

  • Minor This is a deviation from the security baseline that does not pose any immediate threat to security.
  • Serious This is a deviation that could pose an immediate threat, but the threat is either so unlikely or so difficult to exploit as to minimize the danger.
  • Critical This is a deviation that poses an immediate threat and that must be addressed as soon as possible

Reporting Security Issues


  • Alarms are indications of an ongoing current problem currently. These are conditions to which you must respond right now.
  • A notification system should be in place that immediately notifies appropriate staff. Once the issue is addressed, those staff members must have a procedure in place to report the specifics of the incident, and how it was addressed, to management.


  • Alerts are issues to which you need to pay attention but are not about to bring the system down at any moment.
  • Alerts can also refer to industry alerts. Many antivirus software vendors provide alert services that will email you when a new attack is found or is increasing.
  • When a security professional receives such an alert, that information can be communicated both to management and to the staff, as appropriate.


  • Refers to trends in threats.
  • The term can also refer to trends in your organiza-tional security profile. Are audits finding an increase in compliance with software policies?

Differentiating between Detection Controls and Prevention Controls

Some security controls are implemented simply to detect potential threats. Others are designed to prevent or at least minimize such threats.

Security controls:

  • Intrusion Detection System (IDS)
  • Intrusion Prevention System (IPS)
  • Honeypot, a computer that has been designated as a target for computer attacks.
    • Enticement is the process of luring someone into your plan or trap. You might accomplish this by advertising that you have free software, or you might brag that no one can break into your machine. If you invite people to try, you’re enticing them to do something that you want them to do.
    • Entrapment is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead. Entrapment is a valid legal defense in a criminal prosecution.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s