Network issues and security problems can happen at any point, particularly when you are not prepared to respond appropriately and fast. To investigate these issues, you need access to your network with 100% visibility of what is causing the problem. The issue may have been caused by an attack, so to find out what has happened in your network you will need to perform some forensic network analysis.
Something that will really cause you a headache when you are doing network forensics is running into snags such as packet drops, or limited visibility that does not let you see certain types of packets. You must be able to see all of your traffic to get the 100% visibility you need to do a proper analysis of the issues putting stress on your network.
If there is an attack, you will need to perform forensic analysis on your network, but where do you even start? How do you capture the information on a network line, and what do you need to look for when analysing your network data? Not being prepared for, and on top of, all of this can result in security breaches or other anomalies appearing in your network.
Forensic network analysis is not for the faint-hearted: it is incredibly complex and requires years of experience. You will need to be able to quickly detect problems in the network by searching for and analysing any anomalies you identify.
To be able to respond quickly, it is crucial to be able to view all the information about your network issue. Without that 100% visibility of what is happening over the network, you cannot correctly assess what the problem is.
Firstly, you need the right tools for the job. Monitoring and analysing packets is a sophisticated and complex task, particularly when you are in the middle of a network crisis. A network TAP is a critical tool to have in your arsenal. It lets you dive right into your network, parse the traffic and identify the packets creating all the trouble there and then.
This will enable you to stay one step ahead of security breaches or network problems and help you to understand the importance of every single packet for the security and performance of your organisation.
Minimising Security Breaches
A good network TAP will enable you to capture and analyse every single packet. If you can’t see every packet and you miss the critical packets, they could be the ones with the application layer problem identifiers or a network intruder’s signature.
Being able to see everything that passes through your network will help you to prevent and mitigate any security breaches from happening, such as DDoS attacks or other types of malicious breaches.
If you want your response to a security breach to be as effective as possible in less time, you need an accurate copy of your network traffic. Missing packets can result in unplanned downtime and wasted IT budget and resources.
Improving Network Performance
If you lose any packets, your network performance can be compromised. The more complex your IT infrastructure is, the more important it becomes to capture every packet. A network TAP can duplicate and deliver full-duplex traffic to the monitoring systems at line rate, with no impact on your network link. Additionally, it will capture any illegal (malformed) packets that a network device would otherwise silently discard.
You really want your security team to be able to detect a threat or a network performance issue in real time, so that they can find the cause as soon as possible. Therefore, your network analysers should be able to reconstruct the network flows so that your security specialists can react faster to network issues.
Network Forensics Needs Accuracy
The fact is that the more complex your IT infrastructure is, the greater the chance that hackers will infiltrate your network.
Recently, the number of ransomware attacks has been increasing, including the NotPetya malware attack, which the Australian, United Kingdom and United States Governments have blamed on Russia. The Australian government condemned Russia’s behaviour, which it said “posed grave risks to the global economy, to government operations and services, to business activity and the safety and welfare of individuals.”
With the damage bill in the region of $300 million for shipping giant Maersk and £100 million for Reckitt Benckiser, known for Dettol cleaning products, Nurofen tablets, and Durex condoms, the attack also halted chocolate production at Cadbury’s Tasmanian factory.
Ideally, a good network monitoring and security monitoring solution will be connected to a number of TAPs deployed at critical points in the network. However, troubleshooting on a budget often means that these systems don’t exist, or that only a simpler flow-based or SNMP tool is available.
Once the traffic has been captured, good analysis tools will make a long job quicker. Wireshark is certainly a good start for analysing traffic, as it is free to use, but it comes with some inherent problems: what makes a great freeware tool does not necessarily make a good forensics tool. Some tools on the market don’t cost the earth.
Having a good analysis tool together with a network TAP is the only way to accurately rebuild the events that have happened on your network and to do detailed analysis of every single packet, so that thorough network forensics can work out exactly what has occurred.
An aggregation TAP that can capture at line rate on a 1Gbps link bi-directionally is also extremely powerful. A big problem with capturing TAP traffic to a standard network interface on a laptop is that the NIC will often drop packets above 400 or 500Mbps. Furthermore, a TAP that can connect to a 10Gbps link and filter traffic down to a laptop for troubleshooting can often save tens of thousands of dollars.
You need to be able to reconstruct actual network flows, but if there are packets missing in between, they cannot show the true picture of what is happening over your network. If you’re not able to see the true picture, then your entire investment in a network monitoring tool is futile!
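As an added illustration (not part of the original article or any vendor's product), the Python check below shows why a capture with missing packets cannot be trusted for flow reconstruction, and how to tell a capture drop from genuine network loss. It applies the two heuristics Wireshark's expert info uses, "previous segment not captured" and "ACKed unseen segment", to a constructed list of TCP segments; the Segment type, the addresses and the sequence numbers are all assumptions made up for the example.

```python
from typing import NamedTuple, Optional


class Segment(NamedTuple):
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    seq: int            # TCP sequence number of the first payload byte
    length: int         # payload bytes (0 for a pure ACK)
    ack: Optional[int]  # acknowledgement number, or None if the ACK flag is clear


# Constructed sample capture (not a real trace): a client sends 100-byte segments
# to a server; two of them never made it into the capture file.
SAMPLE = [
    Segment("10.0.0.5:40000", "10.0.0.9:443", 1000, 100, None),
    Segment("10.0.0.5:40000", "10.0.0.9:443", 1100, 100, None),
    # bytes 1200-1299 were delivered but not captured ...
    Segment("10.0.0.9:443", "10.0.0.5:40000", 5000, 0, 1300),  # ... yet the server ACKs them
    Segment("10.0.0.5:40000", "10.0.0.9:443", 1300, 100, 5000),
    # bytes 1400-1499 are missing and nothing in the capture proves they were delivered
    Segment("10.0.0.5:40000", "10.0.0.9:443", 1500, 100, 5000),
]


def find_gaps(segments):
    """Return (segment index, finding, missing bytes) for every gap in sequence space.

    Sequence-number wraparound is ignored to keep the example short.
    """
    next_seq = {}   # (src, dst) -> next sequence number we expect to see in that direction
    findings = []
    for i, s in enumerate(segments):
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if fwd in next_seq and s.seq > next_seq[fwd]:
            # The sender jumped ahead: data is missing from the capture, but this alone
            # cannot say whether the wire or the capture lost it.
            findings.append((i, "previous segment not captured", s.seq - next_seq[fwd]))
        next_seq[fwd] = max(next_seq.get(fwd, 0), s.seq + s.length)
        if s.ack is not None and rev in next_seq and s.ack > next_seq[rev]:
            # The peer acknowledges bytes we never saw: they crossed the wire but not
            # the capture, so this is a capture drop (e.g. a NIC overrun), not network loss.
            findings.append((i, "ACKed unseen segment", s.ack - next_seq[rev]))
            next_seq[rev] = s.ack   # resync so the next segment is not flagged twice
    return findings


if __name__ == "__main__":
    for index, finding, missing in find_gaps(SAMPLE):
        print(f"segment {index}: {finding} ({missing} bytes)")
```

Any "ACKed unseen segment" finding in a capture taken from a laptop NIC is a sign that the capture point, not the network, is dropping traffic, and that the flow cannot be rebuilt from that file.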
The IOTA and ProfiShark 1G and 10G are portable fibre aggregation TAPs and troubleshooters. Built on the successful FPGA-based design of the ProfiShark series, the IOTA and ProfiShark 1G and 10G network troubleshooters provide visibility into 1G copper and fibre networks and 10G fibre optic networks, delivered directly over a USB 3.0 connection to your standard laptop or desktop or, in the case of the IOTA, to an internal 1TB hard drive. With custom drivers they are able to capture line-rate traffic across 1Gbps links (2Gbps worth of aggregate traffic) and 5Gbps of traffic filtered from a 10G link.
PlexNet is ProfiTap’s partner in Australia and can provide you with these devices as part of a very cost-effective network analysis solution.
See IOTA and ProfiShark from ProfiTap
See Remote Troubleshooting Blog Article
Capsa Enterprise from Colasoft is a portable network performance analysis and diagnostics tool. It provides a powerful and comprehensive packet capture and analysis solution with an easy-to-use interface, giving both veteran and novice users the ability to protect and monitor networks in a critical business environment.
PlexNet is Colasoft’s partner in Australia and can provide you with this product as part of a very cost-effective network analysis solution. At only $1,375 incl. GST it is a great tool for the network or security engineer.