Archive for March, 2008


Intrusion Detection Systems

March 30, 2008

Alongside a firewall, an intrusion detection system (IDS) adds a second layer to your network's defenses. An IDS monitors your network and host systems for suspicious behavior that can indicate that someone is trying to break in or damage a system. By monitoring continuously, the IDS can notify an administrator of a suspected intrusion immediately, by pager or e-mail. Some systems go further and respond on their own, disconnecting suspicious network connections or shutting down network services that are under attack; a system that blocks as well as detects is usually called an intrusion prevention system (IPS).

Two main types of intrusion detection systems exist:

Network-Based: A network-based system (NIDS) analyzes the traffic crossing the network segment it watches. It can detect suspicious behavior that indicates unauthorized access or attacks against network hosts, but it only sees the traffic that passes its sensor, and it cannot inspect the contents of encrypted sessions.

Host-Based: A host-based system (HIDS) protects one specific host or device. By analyzing that host's incoming and outgoing network activity, logging user logins and file access, and checking system files for unexpected changes, it can detect attempts to compromise that machine, including ones that never cross the network sensor.

Intrusion detection systems can be either active or passive. An active system responds to an intrusion attempt immediately, by shutting down the network connection or service under attack. A passive system only alerts administrators and leaves the response to them. Active response trades speed for risk: a false positive, or an attacker who deliberately spoofs traffic from a legitimate address, can make the system cut off its own users, so active rules need careful tuning.

A Network Intrusion Detection System (NIDS) typically consists of the following components:

Detector Agent: The detection agents (sensors) of an intrusion detection system are placed where they can see traffic, usually attached to core network devices such as routers, firewalls and switches, and are fed a copy of the traffic through a mirror (SPAN) port or a network tap. Detection agents can also be software agents that gather statistics from devices using a network management protocol such as Simple Network Management Protocol (SNMP). They simply collect the data passing through the network and forward it to the network monitor for analysis.

Monitor: The network monitor is fed information from the detection units and analyzes the network activity for suspicious behavior, typically by matching it against signatures of known attacks and against thresholds or baselines of normal activity. This is the heart of the intrusion detection system: it collects information from the network, analyzes it, and then uses the notification system to warn of any problems.

Notification System: The notification system handles notifications and alarms, which are sent to the administrator. Once the network monitor recognizes a threat, it writes to a log file and uses the notification system to send an alert, such as an e-mail or a page, to the administrator. The notification system is usually configurable, to allow for a variety of methods of communication. Keep the log on a separate, hardened host: an intruder who reaches the monitor itself will otherwise erase the evidence first.

To protect the entire network, an intrusion detection sensor is usually located at a central point, such as the main router, switch or firewall. A detection system can only monitor what it sees, so placing it deeper inside the network lessens the chance of finding intrusions, especially because your firewall and routers are the entry points to the network. A sensor outside the firewall sees every attempt, including the ones the firewall drops; one just inside sees only what got through, which is the smaller and more interesting set.
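The monitor component described above, reduced to two detectors that run over constructed sample logs, as an added example that is not part of the original post. One check is network-based (a single source touching many destination ports in a short window, the classic port scan) and one is host-based (repeated failed logins for one account from one source); the notification callback and the active/passive switch are modelled as described in the post. The log formats, thresholds, addresses and events are all invented for the demonstration.

```python
"""Minimal network/host intrusion monitor, added as an illustration of the
'monitor' component described above. This is example code, not any product's
implementation; the log formats, thresholds and sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed connection log in a hypothetical "ts src dst dport action" format
# (ts in seconds). 10.0.0.5 probes many ports on 10.0.0.20 in a short burst;
# 10.0.0.9 is an ordinary client talking to two services.
SAMPLE_CONN_LOG = """\
100 10.0.0.9 10.0.0.20 443 accept
101 10.0.0.5 10.0.0.20 21 reject
101 10.0.0.5 10.0.0.20 22 accept
102 10.0.0.5 10.0.0.20 23 reject
102 10.0.0.5 10.0.0.20 25 reject
103 10.0.0.5 10.0.0.20 80 accept
103 10.0.0.5 10.0.0.20 110 reject
104 10.0.0.5 10.0.0.20 139 reject
104 10.0.0.5 10.0.0.20 443 accept
105 10.0.0.5 10.0.0.20 445 reject
106 10.0.0.5 10.0.0.20 3389 reject
110 10.0.0.9 10.0.0.20 80 accept
"""

# Constructed host authentication log in a hypothetical "ts user src result" format.
SAMPLE_AUTH_LOG = """\
200 admin 10.0.0.5 fail
201 admin 10.0.0.5 fail
202 admin 10.0.0.5 fail
203 admin 10.0.0.5 fail
204 admin 10.0.0.5 fail
205 admin 10.0.0.5 fail
206 alice 10.0.0.9 ok
"""

@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str

def detect_port_scans(conn_log, window=10, min_ports=8):
    """Network-based check: one source touching at least min_ports distinct
    destination ports on one host within `window` seconds."""
    touches = defaultdict(list)              # (src, dst) -> [(ts, dport), ...]
    for line in conn_log.splitlines():
        ts, src, dst, dport, _action = line.split()
        touches[(src, dst)].append((int(ts), int(dport)))
    alerts = []
    for (src, dst), events in touches.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # slide a window over the events
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append(Alert("port-scan", src,
                                    f"{len(ports)} ports on {dst} in {window}s"))
                break                          # one alert per (src, dst) pair
    return alerts

def detect_brute_force(auth_log, max_failures=5):
    """Host-based check: more than max_failures failed logins for one account
    from one source."""
    failures = defaultdict(int)              # (user, src) -> failed attempts
    for line in auth_log.splitlines():
        _ts, user, src, result = line.split()
        if result == "fail":
            failures[(user, src)] += 1
    return [Alert("brute-force", src, f"{n} failed logins for {user}")
            for (user, src), n in failures.items() if n > max_failures]

def run_monitor(conn_log, auth_log, notify, active=False):
    """Passive mode only calls notify(); active mode additionally returns the
    set of sources a hypothetical enforcement point should block."""
    alerts = detect_port_scans(conn_log) + detect_brute_force(auth_log)
    for a in alerts:
        notify(f"ALERT [{a.rule}] from {a.src}: {a.detail}")
    blocked = {a.src for a in alerts} if active else set()
    return alerts, blocked

if __name__ == "__main__":
    run_monitor(SAMPLE_CONN_LOG, SAMPLE_AUTH_LOG, notify=print, active=True)
```

The window-based scan detector is what distinguishes a scan from a busy legitimate client: the threshold is on distinct ports per time window, not on total connections, so 10.0.0.9 never trips it. In a real deployment the `notify` callback is the pager or e-mail hook and the returned block set feeds a firewall rule, which is exactly where the false-positive risk of active mode shows up.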


MAC Addresses

March 29, 2008

Every network card has a built-in, unique ID, known as its Media Access Control (MAC) address. This address is fundamental to the operation of all mainstream networking technologies, as it is the one address that can uniquely identify a specific card, and thus a specific computer or other device, on the local network. There are other addressing schemes that are put in place when you set up a practical network, but those schemes are not the ones used to move frames around a network segment; that is the job of the MAC address. In general, you do not need to worry about the MAC address of your NIC during installation and setup, because the software that does need to know it can simply ask the NIC. It is worth knowing that the MAC address exists, however, because some configuration and diagnostic tools display it, and because it can be used for network security. Network operating systems such as Microsoft Windows NT and Novell NetWare allow you to restrict the locations from which a user can log in by specifying the MAC addresses of the relevant workstations. Keep in mind that because the address is read from the card by software, it can also be overridden by software on most operating systems, so a MAC-based restriction stops casual access but not an attacker who sets a workstation's address to match an allowed one.

In their raw form, MAC addresses are 48-bit binary numbers that look like this: 000000001110000010011000000000010000100100001110

To make these numbers easier to read and document, they are usually written in hexadecimal (base 16) format, which looks like this:

00 E0 98 01 09 0E

Being 48 bits long allows for 281,474,976,710,656 (2 to the 48th power) possible MAC addresses.

To keep addresses unique across every manufacturer, the IEEE administers this address space. Each NIC manufacturer is assigned one or more 24-bit prefixes, which the IEEE calls an Organizationally Unique Identifier (OUI) and which form the first 24 bits of the address; the manufacturer then uses the remaining 24 bits to give each card it produces a distinct address within that block. In the example above, 00-E0-98 is the OUI and 01-09-0E is the part assigned by the manufacturer. Two bits of the first octet carry flags: the lowest bit marks a group (multicast) address rather than a single card, and the next bit marks an address that was set locally in software rather than assigned by the manufacturer, which is a useful clue when you suspect a spoofed or randomized address.

How do you find out the MAC address of your network card? Open a Command Prompt (press Windows Key+R, type cmd) and run ipconfig /all. The MAC address is listed as the Physical Address, in hexadecimal with the octets separated by hyphens. On Linux and macOS, ip link or ifconfig shows the same value in colon-separated form.

Important Note: If you change the NIC in your computer, you effectively change your computer's MAC address, and any MAC-based restriction that referenced the old card has to be updated.
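A parser for the address structure described above, as an added example that is not part of the original post. It accepts the binary and hexadecimal forms shown above, pulls the value out of a constructed ipconfig /all line, splits it into OUI and manufacturer-assigned halves, and reads the multicast and locally-administered flag bits, which is the check you want before trusting a MAC address in an allowlist. The sample line, the allowlist and the helper names are all assumptions made for this example.

```python
"""MAC address parser, added here to illustrate the address structure described
above. This is example code, not from the original post; the ipconfig-style
sample line is constructed, and 00-E0-98-01-09-0E is the value used in the post."""
import re

# Constructed line in the shape that 'ipconfig /all' prints for an adapter.
SAMPLE_IPCONFIG_LINE = "   Physical Address. . . . . . . . . : 00-E0-98-01-09-0E"

def parse_mac(text: str) -> bytes:
    """Accept 00-E0-98-01-09-0E, 00:e0:98:01:09:0e, 00e0.9801.090e or the raw
    48-bit binary string; return the six octets."""
    s = text.strip()
    if re.fullmatch(r"[01]{48}", s):                       # raw binary form
        return bytes(int(s[i:i + 8], 2) for i in range(0, 48, 8))
    digits = re.sub(r"[-:.\s]", "", s)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def describe_mac(octets: bytes) -> dict:
    """Split the address into OUI and NIC-specific part and read the two flag
    bits of the first octet."""
    hexpairs = [f"{b:02X}" for b in octets]
    first = octets[0]
    return {
        "hex": "-".join(hexpairs),
        "binary": "".join(f"{b:08b}" for b in octets),
        "oui": "-".join(hexpairs[:3]),             # manufacturer prefix from the IEEE
        "nic_specific": "-".join(hexpairs[3:]),    # assigned by the manufacturer
        # Lowest bit of the first octet: 1 = group/multicast, 0 = a single card.
        "multicast": bool(first & 0x01),
        # Next bit: 1 = locally administered (set in software), 0 = burned in.
        "locally_administered": bool(first & 0x02),
    }

def mac_from_ipconfig(line: str) -> bytes:
    """Pull the Physical Address value out of an ipconfig /all output line."""
    m = re.search(r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})", line)
    if not m:
        raise ValueError("no Physical Address on this line")
    return parse_mac(m.group(1))

def check_against_allowlist(text: str, allowlist: set) -> tuple:
    """Mimic a MAC-based login restriction. Returns (allowed, warning). The
    warning flags a set locally-administered bit, which catches addresses that
    were randomized or hand-picked in software; it cannot catch an attacker who
    copies an allowed card's burned-in address exactly."""
    info = describe_mac(parse_mac(text))
    allowed = info["hex"] in allowlist
    warning = ("locally administered address, possibly set in software"
               if info["locally_administered"] else "")
    return allowed, warning

if __name__ == "__main__":
    for key, value in describe_mac(mac_from_ipconfig(SAMPLE_IPCONFIG_LINE)).items():
        print(f"{key:22s} {value}")
```

Running it on the sample line reproduces the post's 48-bit binary string and splits the address into the 00-E0-98 OUI and the 01-09-0E card-specific part, with both flag bits clear.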


How Software Firewalls Protect Your PC from Attacks

March 28, 2008

Software firewalls all operate on a similar principle. Network traffic reaches and leaves your PC through numbered TCP and UDP ports, one for each listening service or outbound connection. The firewall watches these ports and only allows traffic on those that have been explicitly enabled, blocking everything else. When a remote computer attempts to connect to a port the firewall has blocked, the connection is refused before any program on your computer sees it. Most software firewalls allow no inbound connections by default. This protects your computer because even if a service on it is vulnerable to a specific security hole, a remote computer trying to exploit that hole cannot connect to it in the first place.

Obviously, blocking every port at all times is impractical. Completely closing off all traffic would break any application that makes use of a LAN or the Internet, including Web browsers, instant messaging applications and online games. Consequently, it is possible to open ports to let required network traffic into your computer. Most firewalls let you set permissions that allow specific programs to use specific ports while denying everything else. Whenever you open a port, however, both good and bad traffic can get through it: the firewall cannot tell a legitimate client from an attacker by the port number alone.

To reduce that exposure, most modern firewalls add a feature called packet inspection. The firewall examines the contents of the packets it does let through and drops those that match the patterns of known attacks. This is a good feature to have, because it helps protect you even after you have opened some holes in your firewall, although it only catches attacks the firewall has a signature for. Currently, the firewall that comes with Windows XP does not support this feature.

Most third-party software firewalls inspect not only incoming network traffic but also outgoing data. This is an important feature, because there are any number of ways for a virus or Trojan to infect your system and then send data out to the Internet from your PC. Firewalls that monitor outgoing traffic hold any transmission from an unknown program until you specifically allow it. It is a useful control but not an airtight one: malware that injects itself into a program you have already trusted, such as your browser, inherits that program's permission.

When you are configuring your software firewall's settings, keep in mind that the best policy is default deny: block everything, then open only the ports you absolutely need, only for the programs that need them, and periodically review the list to close anything no longer required.
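The per-program, per-port permission model described above, written out as a small default-deny rule engine, as an added example that is not part of the original post. It is not any firewall product's implementation: the rule shape, the program names, the addresses and the sample connections are all constructed for the demonstration. It shows the three points the post makes: nothing matches, nothing gets in; opening a port admits hostile traffic on that port just as readily as legitimate traffic; and an outbound permit tied to a program keeps an unknown program from calling out.

```python
"""Default-deny port filter, added here to illustrate the per-program,
per-port permission model described above. Example code, not any firewall
product's implementation; rules, programs, addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (a remote host connecting to us) or "out"
    proto: str       # "tcp" or "udp"
    port: int        # local port for inbound, remote port for outbound
    program: str     # local program that owns the socket
    remote: str      # remote IP address

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str
    proto: str
    port: Optional[int] = None     # None matches any port
    program: Optional[str] = None  # None matches any program
    remote: Optional[str] = None   # CIDR block; None matches any remote host

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction or self.proto != p.proto:
            return False
        if self.port is not None and self.port != p.port:
            return False
        if self.program is not None and self.program != p.program:
            return False
        if self.remote is not None and (
                ipaddress.ip_address(p.remote) not in ipaddress.ip_network(self.remote)):
            return False
        return True

def decide(rules, packet: Packet, default: str = "deny") -> str:
    """First matching rule wins; if nothing matches, the default policy applies.
    The default is deny, the 'block everything' stance the post recommends."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

# Hypothetical rule set: the web server may accept connections on 80/tcp and the
# browser may open outbound 443/tcp connections. Nothing else is permitted.
RULES = [
    Rule("allow", "in", "tcp", port=80, program="httpd.exe"),
    Rule("allow", "out", "tcp", port=443, program="browser.exe"),
]

# Tighter variant: the same inbound permit, but only from the (constructed) LAN range.
LAN_RULES = [
    Rule("allow", "in", "tcp", port=80, program="httpd.exe", remote="203.0.113.0/24"),
    Rule("allow", "out", "tcp", port=443, program="browser.exe"),
]

# Constructed traffic: 203.0.113.x stands in for the LAN, 198.51.100.x for the Internet.
SAMPLE_PACKETS = {
    "lan_web_client":         Packet("in", "tcp", 80, "httpd.exe", "203.0.113.7"),
    "internet_exploit_on_80": Packet("in", "tcp", 80, "httpd.exe", "198.51.100.9"),
    "smb_probe":              Packet("in", "tcp", 445, "System", "198.51.100.9"),
    "browser_https":          Packet("out", "tcp", 443, "browser.exe", "198.51.100.20"),
    "trojan_callout":         Packet("out", "tcp", 443, "update.exe", "198.51.100.9"),
}

def evaluate(rules, packets=SAMPLE_PACKETS) -> dict:
    """Return the verdict for each named sample packet under the given rules."""
    return {name: decide(rules, p) for name, p in packets.items()}

if __name__ == "__main__":
    for name, verdict in evaluate(RULES).items():
        print(f"{name:24s} {verdict}")
```

Under RULES the exploit attempt on port 80 is allowed exactly like the legitimate client, which is the post's warning about opening a port; LAN_RULES shows the usual mitigation of scoping the permit to the addresses that actually need it. The unknown program's outbound connection is denied in both cases, modelling the outgoing-traffic check.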


Using the nslookup Command to Troubleshoot Name Resolution Issues

March 27, 2008

The nslookup command is another simple utility that ships with nearly every TCP/IP implementation. Its purpose is to query a DNS name server for the records registered for a particular host. By using nslookup, you can check whether the address the name server returns for a hostname is the one you expect. This is handy for troubleshooting when you are trying to reach a host by name with a TCP/IP utility such as FTP or Telnet and find that you cannot establish a connection, or that the remote system is not the one you thought it would be; the latter can be a sign of a stale or tampered DNS entry.

This utility can be run in two modes. In noninteractive mode you specify everything on one command line and get a single result back from a DNS name server. In interactive mode you start nslookup without a hostname and then issue several commands in a row at its > prompt. The basic syntax for the command in Windows operating systems is: nslookup [-option ...] [computer-to-find | - server] (a lone hyphen in place of the hostname starts interactive mode, optionally against the named server).

 Options you can use with this command are:

Computer-to-find: Specifies the name of the computer whose name you want to look up.
Server: Specifies a DNS name server other than the default server configured on the client.

For example:

C:> nslookup

This command sends a query to the default DNS server. If an answer comes back, nslookup prints the name and address of the server that supplied it and then the name and IP address of the host you asked about. For example:

C:> nslookup

Non-authoritative answer:

In this example, the response is marked as a non-authoritative answer. This means that the server that answered is not one of the servers that actually hold the zone containing this name; it answered from a copy it had cached from an earlier lookup. The authoritative record is held elsewhere in the DNS hierarchy. When you are troubleshooting, or when you suspect that a cached answer has been poisoned, use the server subcommand to point nslookup at one of the zone's authoritative name servers and repeat the query; the two answers should match.

The nslookup command also lets you give several options on the command line or use the same features from within the interactive environment. When they are used on the command line, precede each option with a minus sign (-). The subcommands and values available from Windows NT through Windows Server 2003 are listed here:

help: Displays help text.
exit: Exits nslookup when in interactive mode.
finger [username] [> filename] [>> filename]: Connects to the finger server on the current host and looks up a username. You can redirect the output to a file.
ls [option] dnsdomain [> filename] | [>> filename]: Lists the records in a domain, generally computer names and addresses, by requesting a zone transfer from the server. Suboptions select other record types. Most name servers refuse zone transfers to arbitrary clients, and yours should too, because a full listing hands an attacker a map of the network; if ls succeeds against your own servers from an unauthorized host, restrict zone transfers.
lserver dnsdomain: Changes the default server to dnsdomain, using the initial server (the one nslookup started with) to look up its address.
root: Sets the current default server to the root server.
server dnsdomain: Changes the default server to dnsdomain, using the current default server to look up its address.
set keyword=[value]: Changes configuration settings that control how nslookup works, for example set type=MX to query for mail exchanger records.
set all: Displays the current configuration settings for the nslookup utility and shows information about the default server.

There are many set subcommands for customizing the way nslookup works. Using nslookup in interactive mode lets you perform multiple hostname lookups without retyping the nslookup command. Use the exit command to leave interactive mode.
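What nslookup is doing on the wire, and where the "Non-authoritative answer" line comes from, as an added example that is not part of the original post. The code builds a DNS query for an A record, constructs two hand-made responses (one as a caching resolver would answer, one as the zone's authoritative server would, differing only in the AA header flag), parses them, renders them the way nslookup does, and performs the comparison described above between the cached and the authoritative answer. Nothing is sent over the network; www.example.com, the 192.0.2.10 and 198.51.100.5 addresses, the transaction ID and the function names are all assumptions made for this example.

```python
"""Minimal DNS query builder and response parser, added here to show what lies
behind nslookup's 'Non-authoritative answer' line. This is example code, not
from the original post: the responses are constructed by hand (192.0.2.10 is a
documentation address), and nothing is sent over the network."""
import struct

def encode_name(name: str) -> bytes:
    """Wire format: each label prefixed by its length, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Header (id, flags RD=1, QDCOUNT=1) followed by one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_response(msg: bytes) -> dict:
    """Read the header flags and the A records in the answer section."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                         # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                                  # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                # A record
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid,
            "authoritative": bool(flags & 0x0400),   # the AA bit
            "rcode": flags & 0x000F,
            "answers": answers}

def build_response(query: bytes, address: str, ttl: int, authoritative: bool) -> bytes:
    """Construct the reply a server would send to `query`: echo the question and
    add one A record whose name is a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0400 if authoritative else 0)   # QR, RD, RA (+AA)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = bytes(int(x) for x in address.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer

def nslookup_style(msg: bytes) -> list:
    """Render a parsed response the way nslookup prints it."""
    r = parse_response(msg)
    lines = [] if r["authoritative"] else ["Non-authoritative answer:"]
    for name, addr, _ttl in r["answers"]:
        lines += [f"Name:    {name}", f"Address:  {addr}"]
    return lines

def answers_agree(resolver_msg: bytes, authoritative_msg: bytes) -> bool:
    """The troubleshooting check: does the cached answer from your resolver match
    what the zone's authoritative server says? A mismatch means a stale or
    poisoned cache."""
    cached = {(n, ip) for n, ip, _ in parse_response(resolver_msg)["answers"]}
    truth = {(n, ip) for n, ip, _ in parse_response(authoritative_msg)["answers"]}
    return cached == truth

if __name__ == "__main__":
    q = build_query("www.example.com")
    from_cache = build_response(q, "192.0.2.10", 300, authoritative=False)
    from_zone = build_response(q, "192.0.2.10", 3600, authoritative=True)
    print("\n".join(nslookup_style(from_cache)))
    print("answers agree:", answers_agree(from_cache, from_zone))
```

The only difference between the two constructed responses is one bit in the header, and that bit is all nslookup looks at to decide whether to print the "Non-authoritative answer:" line. The final comparison is the manual check from the section above, done programmatically: a resolver's cached answer that disagrees with the zone's authoritative server is the thing to investigate.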