NetIntercept® Case Studies
Auditing For Security Breaches Via NetIntercept
Looking Into The Past
You are the IT manager for a 500-person organization. This morning at
0530, you found out your firewall was compromised -- your overnight
backup tech noticed a console log message indicating someone from
inside was using the root account on the firewall machine itself.
She called you, and you
had her pull the plug immediately. Now that you're on the scene,
normal network applications seem to be working, but just about
anything might have been cracked. You need to know how deep the intruder
got into your network and what damage they did. But even the firewall's
internal logs are unreliable, since the intruder had control of that
machine.
You Know How It Used to Go
Your network operations staffer shuts down the firewall and gets ready
for the barrage of complaints from your users. Your system administrators
and support people start checking logs on the servers and running
software consistency checks on four hundred and fifty-two desktop and
laptop PCs. If you're lucky, only a few internal systems were damaged,
and they'll be identified and shut down by the time the firewall is rebuilt
from scratch. But you probably won't go back online with any sense of
security.
Only the attackers know for sure how they broke in.
You'll have to gamble on locking the firewall down tighter, ensuring
that all the current security patches are installed, and making a
quick check on the Web for new vulnerability or exploit reports. If
it's an unpublished vulnerability, or your staff missed a trojan
application on an internal machine, you and the rest of your company
will have to go through it all again.
With NetIntercept, It's Much Easier
You've installed two NetIntercept systems, one outside the firewall
and one on your internal backbone. The external machine has
about seven days of saved traffic online, but you've kept an
offline archive going back sixty days. The internal machine sees
higher data rates, and so it only has about a day's traffic online,
and isn't archived. NI systems can't be compromised or even detected
on the monitored network -- their control interfaces are connected to
a private LAN, accessible only from your machine room -- so you can
trust them to have complete and reliable data.
You know you've contained the problem by shutting down the firewall.
As soon as you get in, you can quickly assess the damage by analyzing
the night's internal and external traffic. By the time your network
operations staffer gets in, you know the firewall was attacked from a
desktop machine, and that the attacker was controlling it via a
stealth connection masquerading as a Web session. As he starts to
rebuild the firewall, you expand your search. As your
systems administrators and IT support people arrive, you're looking at the email
message that went to a host in Poland at 0200, with a compressed
attachment containing, among other harvested user IDs and passwords,
the firewall's root account password. You get them started on changing
everyone's passwords, and keep on looking.
An hour later, you've got the whole picture: three days ago, the
desktop machine's user downloaded a "new version" of a free
screensaver program. This seemingly innocent application actually
contained an embedded trojan,
which sniffed the LAN for passwords and e-mailed the day's harvest out
every night. Yesterday, a member of your
staff used the firewall's root password in an unencrypted
FTP session, and this information went out in last night's payload.
Meanwhile, the desktop box would occasionally look up a certain hostname
in a foreign domain. Last night, the DNS query succeeded, and the trojan
application immediately opened a connection to the attacker's host --
allowing the attacker to relay information through the compromised internal
desktop machine, and strike at your systems from the "inside".
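Two of the facts in the chain above (the root password passing over cleartext FTP, and the desktop repeatedly resolving one outside hostname) are exactly the kind of thing an analyst pulls out of saved traffic. The following is an added example, not NetIntercept code: it assumes a simplified, constructed record format (`Record`) standing in for a traffic summary, and the hosts, names and timestamps in `SAMPLE` are made up. It pairs FTP `USER`/`PASS` lines into exposed accounts (recording the account, never the password) and counts repeated DNS lookups per internal host.

```python
"""Detection rules over a constructed network-traffic summary.

Added example, not NetIntercept code: the record format, hosts, names
and timestamps below are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Record:
    """One summarised event from captured traffic (hypothetical format)."""
    ts: datetime
    src: str      # internal host that originated the traffic
    dst: str      # destination host
    proto: str    # "ftp" (control-channel line), "dns" (query name), "smtp"
    detail: str   # FTP command line, DNS query name, or SMTP summary


# Constructed sample: a desktop resolving the same outside name each day,
# a staffer logging in to the firewall over cleartext FTP as root, and an
# overnight outbound mail. None of these hosts or names are real.
SAMPLE = [
    Record(datetime(2001, 1, 12, 9, 5), "10.1.5.77", "10.1.1.53", "dns", "c2.example-screensaver.invalid"),
    Record(datetime(2001, 1, 13, 9, 7), "10.1.5.77", "10.1.1.53", "dns", "c2.example-screensaver.invalid"),
    Record(datetime(2001, 1, 13, 11, 0), "10.1.5.20", "10.1.1.53", "dns", "www.example.invalid"),
    Record(datetime(2001, 1, 14, 14, 2, 0), "10.1.5.20", "10.1.1.1", "ftp", "USER root"),
    Record(datetime(2001, 1, 14, 14, 2, 3), "10.1.5.20", "10.1.1.1", "ftp", "PASS hunter2"),
    Record(datetime(2001, 1, 14, 9, 4), "10.1.5.77", "10.1.1.53", "dns", "c2.example-screensaver.invalid"),
    Record(datetime(2001, 1, 15, 2, 0), "10.1.5.77", "192.0.2.10", "smtp", "1 compressed attachment"),
    Record(datetime(2001, 1, 15, 2, 1), "10.1.5.77", "10.1.1.53", "dns", "c2.example-screensaver.invalid"),
]


def cleartext_ftp_logins(records):
    """Return (time, src, dst, username) for each USER/PASS pair seen in
    cleartext FTP control traffic. The password itself is deliberately
    not kept; the point is which accounts must be rotated."""
    pending = {}   # (src, dst) -> username awaiting its PASS
    exposed = []
    for r in sorted(records, key=lambda rec: rec.ts):
        if r.proto != "ftp":
            continue
        key = (r.src, r.dst)
        cmd, _, arg = r.detail.partition(" ")
        if cmd.upper() == "USER":
            pending[key] = arg
        elif cmd.upper() == "PASS" and key in pending:
            exposed.append((r.ts, r.src, r.dst, pending.pop(key)))
    return exposed


def repeated_dns_lookups(records, min_count=3):
    """Map (internal host, hostname) -> lookup count for names one host
    resolved at least min_count times across the capture window."""
    seen = defaultdict(int)
    for r in records:
        if r.proto == "dns":
            seen[(r.src, r.detail.lower())] += 1
    return {k: n for k, n in seen.items() if n >= min_count}


def summarise(records):
    """Run both rules and return their findings together."""
    return {
        "exposed_ftp_accounts": cleartext_ftp_logins(records),
        "repeated_lookups": repeated_dns_lookups(records),
    }


if __name__ == "__main__":
    for name, finding in summarise(SAMPLE).items():
        print(name, finding)
```

In the sample, the two rules converge on the story the page tells: `10.1.5.20` sent the `root` account over cleartext FTP to the firewall, and `10.1.5.77` looked up the same outside hostname four times over four days, which is the place to start when deciding which desktop to pull from the network.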
You can see that the attacker first tried out several of the captured
user-and-password pairs against the e-commerce server, and then probed
the internal firewall connecting to the Finance Department. Having no
immediate luck, he logged in to the main firewall and set about installing a
rootkit. He had just about finished sanitizing the firewall's log
files when your tech noticed his activity and shut him down. You
spend a few minutes recording the evidence on a couple of CDs, and
then turn to other matters.
By the time your staff reports that all the internal passwords have
been changed and the firewall is ready to go, you've finished your
memo to the CEO and Legal, you've sent mail to your user community to
warn them about trojan programs, and you're scanning security-related sites
to see if that particular attack has been reported before. Your
organization is securely back online by lunchtime, and you're confident that
it will stay that way.
NetIntercept provided you with unambiguous and reliable data -- data
you could act upon. You knew what you needed to do and took no
unnecessary actions. And you didn't even have to eat lunch at your
desk...
Download the demo and discover: The Truth is on the Wire.