Thursday, January 31, 2008

Staying on top with ntop


People have been complaining that not enough bandwidth is available on the lab network for performing testing. To get management to spend some extra money on a faster connection, we needed proof that in fact there is not enough bandwidth.

The lab network consists of a cable modem connection to the Internet. The cable modem connects through a firewall to an internal switch. From the switch multiple internal networks are connected. We needed to find a solution with the capability to easily track network statistics.

Within a short time we had a solution: an old Dell laptop, a Linux Mint 4.0 Live CD, and ntop. With these three pieces we were able to set up an awesome monitoring station.

By now you are asking what the heck ntop is, so check it out: ntop is a network traffic probe that shows network usage. It is based on libpcap and written to run on virtually every Unix platform and on Win32. Users navigate the traffic information with a web browser (ntop acts as a web server) and get a dump of the network status and statistics. That sounds awesome, right? Well, it is.

We used Linux Mint because, why not, somebody in the office had just downloaded it and wanted to try it out. Linux Mint is known for excellent hardware support, which is a good thing when using old hardware. We plugged the laptop into an empty switch port and turned on port mirroring so that the laptop's port receives a copy of the traffic on the network. If the question is the Internet link specifically, mirror the port that faces the firewall: mirroring every port also copies traffic between the internal subnets, which crosses the switch but never touches the cable modem.

Install process:
- Boot the machine from the Linux Mint CD.
- Use Synaptic Package Manager to install ntop version 3.2, the current version in the Debian tree.
- Part of the installation runs an init script that gets the groundwork completed.
- Start ntop. It has to be started as root from the command line because it opens the capture interface through libpcap: sudo ntop -w 54321
54321 is the port the built-in web server listens on. As a side note, you can use -W instead to serve HTTPS if security is more of an issue, and -u <user> tells ntop to drop root once the interface is open. Anyone who can reach that port can read everything the probe has seen, so keep the laptop off untrusted networks.

ntop gives all sorts of stats: total bytes/packets sent and received, a list of all hosts that have sent packets, traffic organized by application and protocol, and a whole host of others. Using the RRD (Round Robin Database) plugin you can keep detailed long-term statistics and print out nice fancy graphs. Hopefully with our new statistics from ntop we will be upgrading the Internet connection.
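ntop itself is a libpcap probe and cannot be reproduced in a few lines, but the accounting it does over captured packets is simple. The following Python is an added example, not code from this post or from the ntop project. It runs the same kind of per-host, per-protocol and link-utilization accounting over a constructed set of packet records, and it adds the one filter the lab question needs: traffic between two lab subnets crosses the mirrored switch port but never the cable modem, so it has to be excluded before computing Internet-link utilization. The sample packets, the LAN prefix 10.0.0.0/16, the service-port table and the 1 Mbit/s link figure are all assumptions made for the example.

```python
"""Per-host, per-protocol and link-utilization accounting in the style of
ntop's tables, run over constructed packet records (added example)."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# One record per captured packet: (src_ip, dst_ip, l4_proto, sport, dport, wire_bytes).
# Constructed sample, not a real capture.
Packet = Tuple[str, str, str, int, int, int]
SAMPLE_PACKETS: List[Packet] = [
    # lab host fetching a file over HTTP from an Internet server
    ("10.0.0.5", "203.0.113.10", "tcp", 40001, 80, 500),
    ("203.0.113.10", "10.0.0.5", "tcp", 80, 40001, 1500),
    ("203.0.113.10", "10.0.0.5", "tcp", 80, 40001, 1500),
    # DNS lookup from another lab host
    ("10.0.0.7", "203.0.113.53", "udp", 50000, 53, 80),
    ("203.0.113.53", "10.0.0.7", "udp", 53, 50000, 120),
    # file copy between two lab subnets: crosses the switch, never the cable modem
    ("10.0.0.7", "10.0.1.20", "tcp", 40002, 445, 1500),
    ("10.0.1.20", "10.0.0.7", "tcp", 445, 40002, 60),
]

# Assumed service-port table; ntop classifies applications by well-known port too.
SERVICE_PORTS = {("tcp", 80): "http", ("tcp", 443): "https", ("udp", 53): "dns",
                 ("tcp", 25): "smtp", ("tcp", 22): "ssh", ("tcp", 445): "smb"}
LAN = ipaddress.ip_network("10.0.0.0/16")  # assumed lab address space


def classify(proto: str, sport: int, dport: int) -> str:
    """Name the application by destination port first, then source port."""
    for port in (dport, sport):
        name = SERVICE_PORTS.get((proto, port))
        if name:
            return name
    return proto + "/other"


def host_stats(packets: Iterable[Packet]) -> Dict[str, Dict[str, int]]:
    """Bytes and packets sent/received per host, like ntop's host table."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"sent_bytes": 0, "recv_bytes": 0, "sent_pkts": 0, "recv_pkts": 0})
    for src, dst, _proto, _sport, _dport, length in packets:
        stats[src]["sent_bytes"] += length
        stats[src]["sent_pkts"] += 1
        stats[dst]["recv_bytes"] += length
        stats[dst]["recv_pkts"] += 1
    return dict(stats)


def protocol_stats(packets: Iterable[Packet]) -> Dict[str, int]:
    """Bytes per application protocol."""
    totals: Dict[str, int] = defaultdict(int)
    for _src, _dst, proto, sport, dport, length in packets:
        totals[classify(proto, sport, dport)] += length
    return dict(totals)


def top_talkers(stats: Dict[str, Dict[str, int]], n: int = 3) -> List[Tuple[str, int]]:
    """Hosts ranked by total bytes (sent + received)."""
    ranked = sorted(stats.items(),
                    key=lambda kv: kv[1]["sent_bytes"] + kv[1]["recv_bytes"],
                    reverse=True)
    return [(host, s["sent_bytes"] + s["recv_bytes"]) for host, s in ranked[:n]]


def wan_traffic(packets: Iterable[Packet], lan=LAN) -> List[Packet]:
    """Keep only packets with exactly one endpoint inside the LAN: those are the
    ones that actually crossed the Internet link. LAN-to-LAN traffic seen on a
    mirror port is excluded, otherwise utilization is overstated."""
    kept = []
    for pkt in packets:
        src_in = ipaddress.ip_address(pkt[0]) in lan
        dst_in = ipaddress.ip_address(pkt[1]) in lan
        if src_in != dst_in:
            kept.append(pkt)
    return kept


def link_utilization(packets: Iterable[Packet], interval_seconds: float, link_bps: float) -> float:
    """Percent of link capacity consumed over the interval (wire bytes * 8 / capacity)."""
    total_bits = sum(p[5] for p in packets) * 8
    return 100.0 * total_bits / (interval_seconds * link_bps)


if __name__ == "__main__":
    stats = host_stats(SAMPLE_PACKETS)
    print("top talkers:", top_talkers(stats))
    print("by protocol:", protocol_stats(SAMPLE_PACKETS))
    wan = wan_traffic(SAMPLE_PACKETS)
    print("WAN bytes:", sum(p[5] for p in wan), "of", sum(p[5] for p in SAMPLE_PACKETS))
    print("utilization over 1 s of an assumed 1 Mbit/s link: %.2f%%"
          % link_utilization(wan, 1.0, 1_000_000))
```

On the sample, 1560 of the 5260 captured bytes are the SMB copy between the two lab subnets; counting them against the cable modem would inflate the utilization figure by over 40 percent, which is exactly the kind of number management would (rightly) question.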

Friday, January 25, 2008

CyberWars

Photo courtesy of altemark
Reading the latest news about Project Chanology, described as a digital assault on the Church of Scientology, I am amazed at how people are using the Internet to spread their message. Here you have a site, YouTube, that lets people upload videos of anything they want. What a great creative outlet; I even admit I am one of the YouTube junkies. I mean, just the other day USA Today had a story about YouTube hooking up with the World Economic Forum:

“What is different is the venue. The forum is not easy to attend and not cheap, either, but by linking up with YouTube, the forum is providing numerous clips of its sessions and speeches for all to see, hear and comment on.”

Through YouTube people have access to information they did not have before; of course that can be said about the Internet in general. Now you find out YouTube is being used to instigate a cyberwar. It started when a video of Tom Cruise talking about Scientology was uploaded to YouTube. Parodies of the video were soon made (My Favorite). Anyway, the Church of Scientology stepped in, claimed copyright infringement and pressured YouTube to remove the video.

Once the video was removed, a group named “Anonymous” posted a video declaring cyberwar against the Church of Scientology because of its “campaigns of misinformation, your suppression of dissent and your litigious nature. All of these things have caught our eye. With the leakage of your latest propaganda video into mainstream circulation the extent of your malign influence over those who have come to trust you as leaders has been made clear to us. Anonymous has therefore decided that your organization should be destroyed.”

Anonymous has been successful in knocking out the Scientology website, which they accomplished using a distributed denial of service (DDoS) attack. Linuxhaxor.net has a good article on how the attack is being performed and how to participate.

This is just the latest in a list of cyber attacks that will be written about in the history books. Cyberspace has no boundaries, allowing people to accomplish anything they want. Who makes the judgment call that the Church of Scientology is bad and should not be allowed to pull videos that show it in a bad light? Well, in cyberspace anybody can, and they actually have the power to attack. Of course, if you are claiming free speech, then that means everybody has free speech, even if you don’t like them.

Establishments need to recognize that once it’s out there, it’s out there, and you just have to wait for it to pass (Gawker.com still has the video posted). Establishments should realize that tactics that work in the real world do not necessarily translate to the cyber world.

Note: Frontline has done an excellent program, CyberWar, on the history of cyberwar and what it means to America. I highly suggest watching it.

Tuesday, January 22, 2008

Software Assessment 2.0

Up to this point, we have logged all the file and registry changes, and sorted through these changes to determine whether the changes made by installing the software pose a low risk to our secure machine. The next step: research the product. As I think about it, this actually should be the first step.

Vendor documentation: read through the documentation in order to get an understanding of what the software does and how it does it. I usually look for technical details, such as the ports and protocols the software uses. Note: read through the user agreement as well. I have seen many times where it says that if you install this software it gives the vendor the right to collect information on your system, or that the software will phone home every so often.

An example is from the Google Earth license:

The Software may communicate with Google servers from time to time to check for available updates to the Software, such as bug fixes, patches, enhanced functions, missing plug-ins and new versions (collectively, "Updates"). By installing the Software, you agree to automatically request and receive Updates.

Your security policy might state not to allow automatic updates, so you would not allow this software.

You also need to know the type of data the software processes and ensure that data is protected. For example, if you are working with health care data and the software has an internal database, then you need to ensure the software protects that data in line with HIPAA, for example by encrypting it and allowing only authorized access. Vendor documentation usually states the safeguards; if not, contact someone at the company and ask them.

Next, a vulnerability check: check the software for known vulnerabilities and issues using online vulnerability databases. You can quickly search for information regarding the security of the product on the following sites:

- National Vulnerability Database: U.S. government repository of standards-based vulnerability management data
- SecurityFocus: vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT managers, CIOs and CSOs
- milw0rm: site that promotes open source security by posting exploits found in popular programs

Searching these sites will give you an understanding of the vulnerabilities and problems with the software, and usually mitigation techniques as well.

For example, if we search the National Vulnerability Database for Google Earth we get the following (I really don't mean to pick on Google, it's just an easy example):

Which basically says that introducing a malformed mapping file can cause a buffer overflow in the application. Now that we know buffer overflows are possible through mapping files, to mitigate the risk we would enact a policy stating that users may only connect to a specific mapping server (the Google Earth server) or only to trusted servers. Also note the affected version range in the entry and whether a fixed version exists: a vulnerability in an older release is mitigated simply by installing the patched one, while a vulnerability with no fix yet has to be handled by policy or by not installing. Vulnerability websites can be very useful for determining the amount of risk brought to the network and to the secure computer. If you can't find anything on those sites, try Google.

Another useful site is the National Checklist Program, the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications. The checklist program can give detailed guidance on securely installing certain software. Based on experience, it is always good to have a configuration checklist for installing software, so that whenever or wherever the software is installed it ends up in the same configuration. Most of the time it will be up to the security professional to create this list, but sometimes a checklist has already been developed that can be used.
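The research steps above (read the license for phone-home and auto-update clauses, screen the vulnerability databases against the version you plan to install, then decide against policy) are mechanical enough to script. The following Python is an added example, not code from this post, and it is not an NVD client: it works over the Google Earth clause quoted above and over a constructed list of vulnerability records whose IDs are placeholders, not real CVE numbers. The clause patterns, the record shape, the version numbers and the policy thresholds are all assumptions made for the example.

```python
"""Software assessment research helpers: license clause scan, vulnerability
screening against the installed version, and a policy decision (added example)."""
import re
from typing import Dict, List, Tuple

# The license text quoted in the post, used here as sample input.
GOOGLE_EARTH_CLAUSE = (
    'The Software may communicate with Google servers from time to time to check '
    'for available updates to the Software, such as bug fixes, patches, enhanced '
    'functions, missing plug-ins and new versions (collectively, "Updates"). '
    'By installing the Software, you agree to automatically request and receive Updates.'
)

# Clauses that matter to a "no automatic updates / no phone home / no telemetry"
# policy. Assumed patterns chosen for this example, not a standard list.
LICENSE_PATTERNS = {
    "auto_update": r"automatically (request|download|install|receive)[^.]*updates?",
    "phone_home": r"communicate with [^.]*servers?",
    "data_collection": r"(collect|transmit|send)[^.]*(information|data)[^.]*(about|on) your (system|computer|device)",
}

# Constructed records in the shape of a vulnerability database entry.
# IDs are placeholders, not real CVE numbers; versions are assumed.
SAMPLE_VULNS = [
    {"id": "EXAMPLE-0001", "product": "Google Earth", "affected_max": "4.2",
     "fixed_in": "4.3", "cvss": 9.3, "summary": "Buffer overflow via a crafted mapping file."},
    {"id": "EXAMPLE-0002", "product": "Google Earth", "affected_max": "4.0",
     "fixed_in": "4.1", "cvss": 4.3, "summary": "Information disclosure in cache handling."},
    {"id": "EXAMPLE-0003", "product": "Other Product", "affected_max": "1.0",
     "fixed_in": "1.1", "cvss": 7.5, "summary": "Unrelated product, must be filtered out."},
]


def scan_license(text: str, patterns: Dict[str, str] = LICENSE_PATTERNS) -> List[Tuple[str, str]]:
    """Return (policy_tag, sentence) for every license sentence matching a pattern."""
    sentences = [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]
    findings = []
    for sentence in sentences:
        for tag, pattern in patterns.items():
            if re.search(pattern, sentence, re.IGNORECASE):
                findings.append((tag, sentence))
    return findings


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def screen_vulnerabilities(records: List[Dict], product: str, installed_version: str) -> List[Dict]:
    """Entries for `product` whose affected range still covers `installed_version`,
    highest CVSS first. Entries fixed before the installed version drop out."""
    installed = parse_version(installed_version)
    hits = [rec for rec in records
            if rec["product"].lower() == product.lower()
            and installed <= parse_version(rec["affected_max"])]
    return sorted(hits, key=lambda r: r["cvss"], reverse=True)


def assess(license_findings: List[Tuple[str, str]], vuln_hits: List[Dict], policy: Dict) -> Dict:
    """Combine the research into a go/no-go with reasons. `policy` names the
    license clause tags that are forbidden and the CVSS score at or above which
    an unfixed vulnerability blocks installation."""
    reasons = []
    for tag, sentence in license_findings:
        if tag in policy["forbidden_clauses"]:
            reasons.append(f"license: {tag}: {sentence}")
    for rec in vuln_hits:
        if rec["cvss"] >= policy["block_cvss"]:
            reasons.append(f"vuln: {rec['id']} (CVSS {rec['cvss']}) affects this version, fixed in {rec['fixed_in']}")
    return {"decision": "reject" if reasons else "accept", "reasons": reasons}


if __name__ == "__main__":
    policy = {"forbidden_clauses": {"auto_update"}, "block_cvss": 7.0}
    findings = scan_license(GOOGLE_EARTH_CLAUSE)
    for version in ("4.2", "4.3"):
        hits = screen_vulnerabilities(SAMPLE_VULNS, "Google Earth", version)
        result = assess(findings, hits, policy)
        print(f"version {version}: {result['decision']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

Running the example with the assumed 4.2 install rejects on two grounds (the auto-update clause and the unfixed overflow entry); the assumed 4.3 install still fails on the license clause alone, which is the point of reading the agreement before the vulnerability search rather than after.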

Do your research: if you want to introduce new software into your secure configuration, then you need to ensure all the homework has been done. As I said above, I would actually perform this step first; you might be able to rule out installing the software based on the vulnerabilities found alone. If everything turns out fine, then I highly suggest having a configuration checklist for the software. Happy researching.