You can use a number of techniques to identify malicious users. In this video, you’ll learn about trusted and untrusted users, packet analysis, and banner grabbing.
Whenever you’re trying to find malicious traffic on your network, it’s useful to know where the traffic is originating from. Is it coming from a trusted user or an untrusted user? There are many different ways to draw that line. Some environments decide that everybody is an untrusted user and apply the full set of security controls to everyone. In other environments you might consider people within a particular building to be trusted. Or you might consider any traffic that originates inside the company to be trusted and any traffic coming from the outside to be untrusted.
Sometimes the level of trust is determined by physical location. If someone is inside your building, their traffic is considered trusted. If the traffic is coming from outside the building, even if it’s coming from an employee through a VPN connection, you may want to treat that traffic as untrusted, because you can’t see the device or the network it is connecting from.
This differentiation between a trusted user and an untrusted user becomes very important when you start setting security policies and allowing access to network resources. If you have a server that holds very important data, you may set up different policies to allow or deny access to that data depending on whether the request comes from a trusted or an untrusted user.
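To make the trusted/untrusted distinction concrete, here is an added example (not part of the original video or transcript) that classifies a source address into a trust zone by longest-prefix match and then applies a per-resource access policy. The address ranges, the VPN client pool, the resource names and the policy table are all assumptions chosen for illustration; the important behaviour is that the VPN pool sits inside the corporate range but is still treated as untrusted, and that any address not matching a known zone is untrusted by default.

```python
import ipaddress

# Assumed zone table (illustrative, not real addressing).
# A more specific prefix wins, so the VPN pool inside 10.0.0.0/8
# is classified as untrusted even though it is "inside" the company.
ZONES = [
    ("10.0.0.0/8", "trusted"),        # corporate LAN inside the building
    ("10.200.0.0/16", "untrusted"),   # VPN client pool (employees, but remote)
    ("192.168.50.0/24", "trusted"),   # second office
]

# Assumed per-resource policy: which zones may reach which resource.
POLICY = {
    "payroll-server": {"trusted"},
    "public-wiki": {"trusted", "untrusted"},
}


def classify(ip):
    """Return the trust zone for an IP address using longest-prefix match.

    Unknown or malformed sources are treated as untrusted (default deny).
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "untrusted"
    best = None
    for net_str, zone in ZONES:
        net = ipaddress.ip_network(net_str)
        # 'addr in net' is False on an IPv4/IPv6 version mismatch, so mixed
        # tables are safe.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else "untrusted"


def allowed(ip, resource):
    """True if the zone of 'ip' is permitted to reach 'resource'."""
    return classify(ip) in POLICY.get(resource, set())


if __name__ == "__main__":
    for src in ("10.1.2.3", "10.200.4.5", "203.0.113.9", "not-an-ip"):
        print(src, classify(src), allowed(src, "payroll-server"),
              allowed(src, "public-wiki"))
```

Note the default-deny choices: a resource missing from the policy table is reachable from no zone, and a source that matches no zone (or is not a valid address at all) is untrusted.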
The bad guys use packet analysis to see what they can find out about what’s happening on your network, and you can use packet analysis the same way to find malicious traffic. Performing a packet capture may be easy on your network, or it may be more challenging depending on the type of switches you’re using and your network infrastructure. On a switched network, a port normally only sees traffic addressed to that port plus broadcasts, so you may need a physical tap inserted into the link, or your switches may support a port-mirroring function that copies traffic from one or more ports and sends it to a protocol analyzer.
If this is an open wireless network, gathering the information is very easy because it’s flowing through the air and anyone within radio range can capture it. This is why a coffee shop or another open network is a very good place for malicious users to sit down in one location and gather a lot of valuable data. The malicious users may go one step further and try to determine what services are running on a particular machine.
They can find a lot of information by grabbing the banner that those services send when a client connects. There’s a lot of detail that might be contained within a banner: the service name, version numbers, manufacturer information, and other details that are right inside that banner. And once you have all of that information, you can research whether there are any known vulnerabilities against that particular application running that particular version.
The idea is to give as little information as possible, and often your application can be configured to determine what information it provides in the banner. This is the banner capture that I did from my particular web server at ProfessorMesser.com, and you can see there’s very little information inside of this. In fact, the only thing that really points back to what is happening here is that it is running Nginx, which is a very popular web server.
Well, since this is www.ProfessorMesser.com, I think we can naturally assume there’s going to be a web server on the other side. But the only thing I’m really telling you is that it’s running Nginx and I’m not giving you any other information about this particular device.
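As an added example that is not part of the original video, the following Python script shows both sides of the banner discussion above: a small banner grabber that connects to a TCP port, optionally sends a probe (HTTP needs a request before the server answers; services such as SSH or SMTP speak first), and a parser that pulls the product and version details out of an HTTP response. The two sample responses are constructed for illustration, not real captures; the host name, port and header list are assumptions. The verbose sample shows the kind of product/version leakage the text warns about, and the minimal sample matches the "just nginx" banner described above.

```python
import re
import socket
import sys

# Response headers that commonly disclose the product or version (assumed list).
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def grab_banner(host, port, timeout=3.0, probe=None):
    """Connect to host:port, optionally send a probe, and return the raw bytes
    the service sends back. Stops at the end of the HTTP header block, on
    close, or on timeout."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            while b"\r\n\r\n" not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # whatever arrived before the timeout is the banner
    return buf


def http_head_probe(host):
    """Minimal HEAD request so an HTTP server will answer with its headers."""
    return f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def parse_http_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def banner_report(raw):
    """Summarise what a banner gives away: leaky headers and whether any of
    them carries a version number such as 2.4.41."""
    status, headers = parse_http_headers(raw)
    leaks = {h: headers[h] for h in LEAKY_HEADERS if h in headers}
    version_disclosed = any(re.search(r"\d+\.\d+", v) for v in leaks.values())
    return {"status": status, "leaks": leaks, "version_disclosed": version_disclosed}


# Constructed sample responses (illustrative, not captured from a real host).
VERBOSE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html\r\n\r\n"
)
MINIMAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n\r\n"
)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, sample in (("verbose", VERBOSE_RESPONSE), ("minimal", MINIMAL_RESPONSE)):
        print(label, banner_report(sample))
    # Live grab against a host you are authorised to test, e.g.
    #   python banner.py www.example.com 80
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
        raw = grab_banner(host, port, probe=http_head_probe(host))
        print(banner_report(raw))
```

On the defensive side, the minimal banner is a configuration choice: in nginx the `server_tokens off;` directive removes the version number from the `Server` header, leaving only the product name, which is the behaviour the capture above shows. Only run the live grab against systems you are authorised to test.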