Welcome to this Q&A special, in which we cover three issues:
- How to secure a shared internet connection
- Basics of network forensic analysis and investigation
- Analysing a suspicious traffic spike on your network
A: My best recommendation on how to create a secure network through a shared Internet connection is to treat the network on the property just like you would the Internet -- assume that anything you send over it unencrypted can be monitored. If you're sharing an Internet connection with others, there's really no way to stop them from seeing your network traffic. What you can do, however, is encrypt that traffic, so that if they eavesdrop, they won't be able to make heads or tails of it.
First, purchase a small firewall/router combination unit and place it at the point where your office connects to the property network. This simple step will stop others on the network from accessing the systems on your network. You should be able to pick up one of these devices for less than $100 at any electronics store.
Next, encrypt any traffic that leaves your office network headed for the Internet. The easiest way to do this is through the use of a Virtual Private Network (VPN). If the office is a satellite office of a larger company, you can probably connect to a corporate VPN, preventing those on the property network from decrypting your Internet traffic.
If a VPN is not an option, you'll need to encrypt every service you use. For example, when browsing the Web, be sure to connect only to secure websites that begin with the https:// prefix. Similarly, configure your connection to your email server to use SSL-secured connections. If you're using other services, consult the documentation to determine how to configure encryption for them as well.
Really, your situation isn't much different from that of anyone purchasing an Internet connection, other than the fact that you know the people who may attempt to eavesdrop. Taking a few simple security measures should allow you to use the shared Internet connection privately.
A: Forensic analysis of network data allows investigators to reconstruct network activity during a particular period of time. These techniques are commonly used to investigate individuals suspected of crimes and to reconstruct the sequence of events that took place during a network-based information security incident.
There are many network forensic analysis tools you can use, several of which may already be present on your network. Here's a rundown of some of the most common network forensic analysis tools:
- Intrusion detection systems (IDS) offer a security-based perspective on network activity. They monitor the network for suspicious traffic and alert administrators when such traffic occurs. The records generated by an IDS play a valuable role when reconstructing a security incident.
- Packet capture tools allow you to record every bit that travels on your network, or to apply a capture filter so that only traffic with particular characteristics (such as traffic to or from a specific system) is recorded. Because these tools generate a large volume of data in a short period of time, it's not feasible to retain packet capture data for an extended length of time.
- A NetFlow data collector records data on each network connection passing through the monitored device(s). This data includes the source, destination and volume of data passed. While full packet captures can't be preserved for an extended period of time, NetFlow data may be kept for much longer, as it only contains summary data about each connection.
These three tools are commonly available on most networks and provide an excellent starting point for a network forensic investigation.
A: In order to analyse network traffic, check the destination port number using the network monitoring tool that identified the spikes. In many cases, this will tell you the type of TCP and UDP traffic you're seeing. For example, traffic on port 80 is normally HTTP traffic, while traffic on port 443 is normally HTTPS traffic. You can consult the Port Database if you encounter a port you don't recognize.
If that doesn't do the trick, you'll need to sniff the network traffic to identify it. You can do this by connecting a computer running a packet sniffer to your network and leaving it running during one of the spikes. My favorite tool for this job is Wireshark. For more information on using Wireshark, see this tutorial.
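The following script is an added example and is not part of the original column or any of the tools it mentions. It ties together the second and third answers: it collapses a constructed packet record set into NetFlow-style summary records (showing why flow data is so much smaller than a full capture), applies a host-based capture filter, buckets traffic by time to locate a volume spike, and then breaks the spike down by destination port with a small well-known-port table. The packet records, addresses, the 60-second bucket, the "3x the median" spike threshold and the port-label table are all assumptions chosen for illustration, not values from the page.

```python
from collections import defaultdict
from statistics import median

# Constructed sample "capture", not real traffic. Each record is
# (timestamp_s, src_ip, dst_ip, proto, src_port, dst_port, bytes).
def build_sample_packets():
    """Ten minutes of light baseline traffic (small HTTP requests and DNS
    lookups) plus a one-minute burst of full-size TCP/443 packets from a
    single internal host; the burst is the spike the analysis should find."""
    pkts = []
    for t in range(0, 600, 10):
        pkts.append((t, "10.0.0.5", "203.0.113.10", "tcp", 50000 + t % 100, 80, 500))
        pkts.append((t + 3, "10.0.0.7", "10.0.0.1", "udp", 51000, 53, 80))
    for t in range(300, 360):
        pkts.append((t, "10.0.0.9", "198.51.100.20", "tcp", 40001, 443, 1500))
    return pkts


def filter_packets(packets, host):
    """Mimics a capture filter such as 'host X': keep only packets whose
    source or destination is the given address."""
    return [p for p in packets if host in (p[1], p[2])]


def aggregate_flows(packets):
    """NetFlow-style summary: one record per 5-tuple holding first/last
    seen timestamps and packet/byte totals, instead of every packet."""
    flows = {}
    for ts, src, dst, proto, sport, dport, size in packets:
        key = (src, dst, proto, sport, dport)
        f = flows.get(key)
        if f is None:
            flows[key] = f = {"first": ts, "last": ts, "packets": 0, "bytes": 0}
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
        f["packets"] += 1
        f["bytes"] += size
    return flows


def bytes_per_interval(packets, interval=60):
    """Total bytes seen in each fixed-length time bucket (bucket start -> bytes)."""
    buckets = defaultdict(int)
    for ts, *_, size in packets:
        buckets[ts // interval * interval] += size
    return dict(buckets)


def find_spikes(buckets, factor=3.0):
    """Bucket start times whose volume exceeds `factor` times the median bucket.
    The multiplier is an assumed heuristic; tune it to your own baseline."""
    base = median(buckets.values())
    return sorted(start for start, total in buckets.items() if total > factor * base)


# Small assumed subset of IANA well-known ports; anything else is reported
# as 'unknown' so the analyst knows to look it up.
WELL_KNOWN = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def top_destination_ports(packets, start, interval=60):
    """Bytes by (proto, dst_port) inside one bucket, largest first, labelled."""
    totals = defaultdict(int)
    for ts, _src, _dst, proto, _sport, dport, size in packets:
        if start <= ts < start + interval:
            totals[(proto, dport)] += size
    return [(proto, port, WELL_KNOWN.get(port, "unknown"), b)
            for (proto, port), b in sorted(totals.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    pkts = build_sample_packets()
    flows = aggregate_flows(pkts)
    print(f"{len(pkts)} packets collapsed into {len(flows)} flow records")
    buckets = bytes_per_interval(pkts)
    for start in find_spikes(buckets):
        print(f"spike in bucket starting t={start}s: {buckets[start]} bytes")
        for proto, port, label, b in top_destination_ports(pkts, start):
            print(f"  {proto}/{port:<5} {label:<8} {b} bytes")
```

Run stand-alone, it reports 180 packets reduced to 12 flow records, one spike in the bucket starting at t=300s, and that almost all of the spike's bytes went to tcp/443 (HTTPS). In practice the same functions would be fed records exported from a capture tool or a flow collector rather than the constructed list above.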
