Demystifying the Myth of Passive Network Discovery and Monitoring Systems

Transcription

1 Demystifying the Myth of Passive Network Discovery and Monitoring Systems Ofir Arkin Chief Technology Officer Insightix

2 Copyright All Rights Reserved. This material is proprietary of Insightix. Any unauthorized reproduction, use or disclosure of this material, or any part thereof, is strictly prohibited. This material is meant solely for the use by Insightix employees, and authorized Insightix customers. About Insightix Insightix is an innovator of real-time security intelligence and control solutions. Insightix patentpending technologies are used to detect, identify, profile, audit and control ALL devices connected to your network, providing real-time network, endpoint and user intelligence. Insightix discovers an additional 20%- 50% of the devices residing on the enterprise network, devices that otherwise remain undetected, and automatically audits for the security configuration of endpoints based on the asset classification information collected. The Insightix Business Security Assurance (BSA) solution suite provides a 360 view into the actual state of your network security effectively Bridging the Network Security Gap that exists between the actual security state of enterprise networks and what is known to IT. For more information, please visit ii Demystifying the Myth of Passive Network Discovery and Monitoring Systems

3 Contents Abstract Introduction Passive Network Discovery - a Brief Introduction Strengths of Passive Network Discovery Real-Time Operation Zero Performance Impact Data Processing Detection of Active Network Elements & Their Properties Detection of Elements behind "Network Obstacles" Granular Network Utilization Information Network Utilization Abnormality Detection Detection of NAT-Enabled devices Weaknesses of Passive Network Discovery Obvious Weaknesses What You See Is All You Get Quality and Relevancy of Network Traffic Observed No Control over the Pace of the Discovery Limited IP Address Space Coverage Not Everything Can Be Passively Determined Incomplete and Partial Network Topology Deployment Location Network Utilization Related Issues Limited Service Monitoring Less-Known but More Significant Weaknesses Inability to Resist Decoy and Deception Denial of Service & Remote Code Execution Demystifying the Myth of Passive Network Discovery and Monitoring Systems iii

4 5 Conclusion References iv Demystifying the Myth of Passive Network Discovery and Monitoring Systems

5 Abstract This paper sheds light on the weaknesses of passive network discovery and monitoring systems. It starts by defining passive network discovery, and goes over the advantages and disadvantages of the technology. It then demonstrates why passive network discovery cannot live up to its expectation, and is unable to deliver the promise of complete, accurate and granular network discovery and monitoring. Demystifying the Myth of Passive Network Discovery and Monitoring Systems 1

6 1 Introduction Important questions, such as "What is on the enterprise network?", "Who is on the enterprise network?", and "What is being done on the enterprise network?" have triggered attempts by many researchers to find an appropriate network discovery technology, which would not only allow accurately answer these questions and in a complete and granular fashion, but would also allow for the real-time maintenance of this information. In recent years, a number of commercial companies have hyped a new technological solution for network discovery called passive network discovery. This paper sheds light on the weaknesses of passive network discovery and monitoring systems. It starts by defining passive network discovery, and goes over the advantages and disadvantages of the technology. It then demonstrates why passive network discovery cannot live up to its expectation, and is unable to deliver the promise of complete, accurate and granular network discovery and monitoring. 2 Demystifying the Myth of Passive Network Discovery and Monitoring Systems

7 2 Passive Network Discovery - a Brief Introduction Passive network discovery and monitoring is a technology that processes captured packets from a monitored network in order to gather information about the network, its active elements, and their properties. It is usually installed at a network choke point. Passive network discovery and monitoring relies on user and network activities in order to draw conclusions about the network, its active elements and their properties. The roots of passive network discovery and monitoring technology go back to the mid-1990s where references regarding the usage of the technology can be found 1. Information collected using a passive network discovery and monitoring system may include the following: Active network elements and their properties (i.e. underlying operating system) Active network services and their versions The distances between active network elements and the monitoring point on the network Active client-based software and their versions Network utilization information Vulnerabilities found for network elements residing on the monitored network The information collected by a passive network discovery and monitoring system might be used for the following purposes: Building the layer 3-based topology of a monitored network Auditing Providing network utilization information Performing network forensics Performing vulnerability discovery Creating a context for the network operation Feeding information collected from a monitored network into other security and/or network management systems to enhance their operation by providing some context regarding the network they operate in (information about the network, the active elements found on the network, and their properties) 1 Vern Paxson, Automated Packet Trace Analysis of TCP Implementations, Demystifying the Myth of Passive Network Discovery and Monitoring Systems 3

8 3 Strengths of Passive Network Discovery Passive network discovery and monitoring systems offer important advantages, which stem from how they operate. This section outlines these advantages. 3.1 Real-Time Operation A passive network discovery and monitoring system operates in real-time, processing received network traffic and providing relevant information. Unlike non-passive-based systems, this allows a passive network discovery and monitoring system to detect network-related activities as they occur. 3.2 Zero Performance Impact The use of a passive network discovery and monitoring system has zero impact on the performance of the monitored network. 2 This is due to the fact that the monitored network s traffic is copied and fed into the passive network discovery and monitoring system. The operation of a passive network discovery and monitoring system does not involve actively querying elements residing on the monitored network in order to harvest information about them, the network, and/or about other elements. Due to the fact that a passive network discovery and monitoring system does not send any packets to the network, and does not pose a risk to the stability of a monitored network, it can theoretically be installed on any network. 3.3 Data Processing Passive network discovery and monitoring systems have the ability to gather information from all TCP/IP layers of network traffic processed. Information can be gathered not only from the physical, network, and transport layers, but also from the application layer if the latter is not encrypted. 3.4 Detection of Active Network Elements & Their Properties A passive network discovery and monitoring system can detect network elements, and some of their properties, based on network activity related to the network element, provided that it receives network traffic associated with the network element and its properties. 2 Note: It is important not to overload a network device s backplane in case port mirroring is in used. If the network device s backplane is overloaded, then the monitored network will suffer from performance degradation. Another side effect would be the inability of the network device to send all of the network traffic that passes through the device, and needs to be monitored, to the network discovery and monitoring system. 4 Demystifying the Myth of Passive Network Discovery and Monitoring Systems

9 The ability to detect network elements and some of their properties based on the observed network traffic enables a passive network discovery system to: Detect active network elements that transmit and/or receive data over the monitored network Detect network elements as they become active and transmit and/or receive data over the monitored network The ability to detect active network elements based on their network activity allows passive network discovery and monitoring systems to: Detect network elements that have low uptime Detect network elements that may transmit and/or receive data for short time periods only A passive network discovery and monitoring system can detect certain properties related to the monitored network and its elements. For example, it can: Detect on which network elements, residing on the monitored network, active network services are operational and serving requests coming from network elements on other networks Detect active network services running on non-default ports Detect active client-based network software operating on network elements located on the monitored network 3.5 Detection of Elements behind "Network Obstacles" A passive network discovery and monitoring system can detect active network elements that operate behind "network obstacles" and send and/or receive network traffic over the monitored network. A "network obstacle" is defined as a network element that connects multiple networking elements to a network, and filters traffic from that network to these network elements, which are hidden behind it. Examples of network obstacles include network firewalls, NAT devices, and load balancers. 3.6 Granular Network Utilization Information A passive network discovery and monitoring solution is able to provide information regarding the network utilization of a monitored network link. Unlike active network-monitoring solutions, which provide only basic network utilization information regarding the utilization of a monitored communication link (i.e., the amount of traffic observed over a certain amount of time) through the Demystifying the Myth of Passive Network Discovery and Monitoring Systems 5

10 usage of SNMP 3, a passive network discovery and monitoring system provides network utilization information by observing actual network traffic. A passive network discovery and monitoring system can provide more granular and detailed network utilization information than active network-monitoring solutions. Examples of granular network utilization information, which can only be provided by a passive network monitoring solution, include (but are not limited to) network utilization information per network service, per network element, and per session. 3.7 Network Utilization Abnormality Detection The ability to provide statistical information regarding network utilization information, per network element, per network service, and the ability to gather information from all TCP/IP layers, enables a passive network discovery and monitoring solution to build usage profiles for any network element using the network and for any network service used over the monitored network. These usage profiles can later be used to detect network-related usage abnormalities. 3.8 Detection of NAT-Enabled devices A passive network discovery and monitoring system may be able to discover network address translation (NAT) enabled devices, which operate on the monitored network, and to estimate the number of network devices that may be hiding behind them 4. 3 For more information on active network-monitoring tools please refer to the following: The Multi Router Traffic Grapher (MRTG), at 4 Steven M. Bellovin, A Technique for Counting NATed Hosts, Demystifying the Myth of Passive Network Discovery and Monitoring Systems

11 4 Weaknesses of Passive Network Discovery Despite its important advantages, passive network discovery and monitoring systems face a number of critical weaknesses, which affect their discovery and monitoring capabilities. This section demonstrates why passive network discovery cannot live up to its expectations, and is unable to deliver the promise of complete, accurate and granular network discovery and monitoring. 4.1 Obvious Weaknesses What You See Is All You Get By definition, a passive network discovery and monitoring system analyzes and draws conclusions about a monitored network, its elements and their properties, based on the network traffic observed at a monitoring location on the network. As a result, the operational limitations of passive network discovery and monitoring solutions include: A passive network discovery and monitoring solution cannot draw conclusions about an element and/or its properties if the related network traffic does not go through the monitoring point Information that needs to be collected by a passive network discovery and monitoring system may never be gathered due to a lack of network activity that discloses the information A passive network discovery and monitoring solution cannot detect idle (inactive) elements, services, and applications The discovery performed by a passive network discovery and monitoring system will be partial and incomplete, because it is unable, technologically, to detect all network assets and their respected properties A passive network discovery and monitoring system is blind when it comes to encrypted network traffic Quality and Relevancy of Network Traffic Observed A passive network discovery and monitoring system has no control over the type of information that passes through its monitoring point. Information that needs to be collected by a passive network discovery and monitoring system may never be gathered due to a lack of network activity to disclose the information. Therefore, granularity, which is an important aspect of any network discovery technology, cannot be achieved with passive network discovery and monitoring systems. Demystifying the Myth of Passive Network Discovery and Monitoring Systems 7

12 4.1.3 No Control over the Pace of the Discovery A passive network discovery and monitoring system has no control over the pace of the discovery because it does not control the type of information that passes through its monitoring point and its initiation Limited IP Address Space Coverage Lacking control over the type of information that passes through its monitoring point, a passive network discovery system can cover only a limited IP address space. Some networks and some network elements may never send their traffic through a monitoring point therefore their existence will not be uncovered by a passive network discovery and monitoring system. As a passive system, a passive network discovery and monitoring system cannot query a network looking for additional network elements Not Everything Can Be Passively Determined In some cases information cannot be unveiled using passive network discovery. Passive vulnerability discovery is a good example not all vulnerabilities can be determined passively. For example, the vulnerabilities abused by the Code Red 5 worm, the Blaster 6 worm, the Sasser 7 worm, and so on Incomplete and Partial Network Topology A passive network discovery and monitoring system gathers network topology information based on the distances discovered between network elements and the monitoring point on the network. This is done by relying on the time-to-live field value in the IP header of observed network traffic. The timeto-live field value is to be decremented from its default value by each routing enabled device, which processes the IP header of the packet on its way from the sender to its destination. Some passive network discovery and monitoring systems first determine the underlying operating system of a certain network element before relying on the time-to-live field value found with network traffic initiated by this network element. The network topology information provided by a passive network discovery and monitoring system relates only to layer 3-based information, i.e., route-based information. A passive network discovery 5 Microsoft Security Bulletin MS01-44, 15 August 2001 Cumulative Patch for IIS, August 15 th, Microsoft Security Bulletin MS03-39, Buffer Overrun In RPCSS Service Could Allow Code Execution (824146), September 10 th, Microsoft Security Bulletin MS04-011, Security Update for Microsoft Windows (835732), April 13 th, Demystifying the Myth of Passive Network Discovery and Monitoring Systems

13 system cannot detect the physical network topology (i.e., switch connectivity) of the network it is monitoring due to several key reasons: It cannot detect the network switches that operate on the network. Usually a network switch does not generate network traffic other than the spanning tree protocol packets targeting its adjunct switches A passive network discovery and monitoring system cannot query switches for their CAM tables, detecting which network element (or elements) is connected to which switch port, because it is a passive only system A passive network discovery and monitoring system supplies an incomplete and inaccurate network topology map for the following additional reasons: It cannot uncover routing that is not performed through its monitoring point It cannot detect other routers operating on the monitored network It is unable to uncover all of the network elements operating on the monitored network Deployment Location The deployment location of a passive network discovery and monitoring solution determines the network traffic s quality of the data it receives. The quality of network traffic data, relevant to the information collection process, is maximized when the deployment location of a passive network discovery and monitoring system is as close as possible to the access layer (i.e., between layer 2 and layer 3). If layer 2-based traffic of a monitored network is not to be observed by a passive network discovery and monitoring system, the result is less reliable and incomplete information regarding the monitored network, its elements and their properties Network Utilization Related Issues A number of issues related to network utilization are associated with passive network discovery and monitoring systems: Although it is able to passively receive network traffic from multiple monitoring points, a passive network discovery and monitoring solution is unable to supply with "per link" utilization information A passive network discovery and monitoring system cannot uncover communications between network elements connected to the same switch Limited Service Monitoring A passive network discovery system cannot monitor network services. This is because: It cannot monitor service condition state transitions It is unable to uncover idle services, and so on Demystifying the Myth of Passive Network Discovery and Monitoring Systems 9

14 4.2 Less-Known but More Significant Weaknesses Inability to Resist Decoy and Deception A passive network discovery and monitoring system analyzes and draws conclusions about a monitored network, its elements and their properties based on network traffic observed at a monitoring location on the network. Although a passive network discovery and monitoring system may have some conflict resolution policies, depending on a number of parameters, it may be possible to trick the system into drawing erroneous conclusions about the network, its elements and their properties, by poisoning the observed network traffic. A passive network discovery and monitoring system can be tricked because it is unable to validate the information collected from a monitored network. The location of a passive network discovery and monitoring system and its distance from a monitored network determine the level of confidence in the results it will produce. Influencing the accuracy of a passive network discovery and monitoring system can influence other systems, which rely on the data collected by the passive network discovery and monitoring system as their input. A good example would be the passive network discovery and monitoring systems that are used to accompany other products, such as network intrusion detection systems (NIDS), network intrusion prevention systems (NIPS). Influencing the passive network discovery and monitoring system into making wrong conclusions about the network, its elements and their properties, would result in inaccurate (and incomplete) information being fed into another system, affecting its operation and the conclusions it makes about the network, its elements, and their properties Example I: Changing Location Information Under certain conditions, a network discovery and monitoring system can be tricked into concluding that a specific network element is located closer to or further from a monitoring location simply by changing the default time-to-live field value in the IP header. For example, a Microsoft Windows 2000-based networking element has the default time-to-live field value set to 128. By changing the default value to the value of 126, a passive network discovery and monitoring system would still identify the network s element underlying operating system as Windows. It would then trust the timeto-live field value information contained with the IP header of examined packets of this network element, placing it two hops further away from the monitoring point. 10 Demystifying the Myth of Passive Network Discovery and Monitoring Systems

15 Figure 1Figure 1 and Figure 2 illustrate this weakness. Figure 1: Actual Network Topology Figure 2: Topology Drawn by a Passive Network Discovery System Demystifying the Myth of Passive Network Discovery and Monitoring Systems 11

16 Example II: Influencing Network Traffic Utilization Information A network element may influence network traffic utilization information reported by a passive network discovery and monitoring system. This can be performed by injecting bogus traffic into the network, which would pass through the monitoring location used by the passive network discovery and monitoring system to observe network traffic. There are many different factors that prevent a passive network discovery and monitoring system from resisting these and other types (more and less sophisticated) of network traffic poisoning. The inability of passive network discovery and monitoring systems to validate collected information is one such key factor Denial of Service & Remote Code Execution Numerous examples exist for the ability to either crash or even take control of passive network discovery and monitoring systems, taking advantage of the need of these systems to decode packets passively received. Denial of service examples include: Snort TCP/IP Options Bug Lets Remote Users Deny Service, Marcin Zgorecki, post to Snortdevel mailing list, October 2004 Unknown vulnerability in the Gnutella dissector in Ethereal through allows remote attackers to cause a denial of service (application crash), CAN , Remote code execution examples include: Buffer overflow in the X11 dissector in Ethereal through allows remote attackers to execute arbitrary code via a crafted packet, CAN , Ethereal SIP Dissector Overflow, May 8 th, Demystifying the Myth of Passive Network Discovery and Monitoring Systems

17 5 Conclusion This paper has examined the strengths and weaknesses of passive network discovery and monitoring technology. It has demonstrated that despite the strong advantages of the passive network discovery and monitoring technology, it cannot, under any circumstances, perform complete, accurate, and granular network discovery and monitoring due to its technological limitations, which are directly related to the passive nature of the technology. Demystifying the Myth of Passive Network Discovery and Monitoring Systems 13

18 6 References [1] Vern Paxson, Automated Packet Trace Analysis of TCP Implementations, 1997 [2] The Multi Router Traffic Grapher (MRTG), at: [3] Steven M. Bellovin, A Technique for Counting NATed Hosts, [4] Microsoft Security Bulletin MS01-44, 15 August 2001 Cumulative Patch for IIS, August 15 th, [5] Microsoft Security Bulletin MS03-39, Buffer Overrun In RPCSS Service Could Allow Code Execution (824146), September 10 th, [6] Microsoft Security Bulletin MS04-011, Security Update for Microsoft Windows (835732), April 13 th, [7] Snort TCP/IP Options Bug Lets Remote Users Deny Service, Marcin Zgorecki, post to Snortdevel mailing list, October [8] Unknown vulnerability in the Gnutella dissector in Ethereal through allows remote attackers to cause a denial of service (application crash), CAN , [9] Buffer overflow in the X11 dissector in Ethereal through allows remote attackers to execute arbitrary code via a crafted packet, CAN , [10] Ethereal SIP Dissector Overflow, May 8 th, Demystifying the Myth of Passive Network Discovery and Monitoring Systems