This article was originally published in the Internet Security Focus e-newsletter.
There are numerous ways to monitor your network and protect it from Internet intrusions. For instance, companies commonly use a firewall for network protection. Although firewall logs often provide a lot of information regarding intrusion attempts, sometimes they contain too much data to sort through when there's a problem you can't resolve quickly.
Some companies also use intrusion detection systems (IDSs) on border routers to monitor incoming traffic for patterns that indicate specific problems. But firewalls and intrusion detection systems are used primarily on borders with the Internet, rather than on internal networks. Also keep in mind that it's difficult to monitor network address translation (NAT) entries through a firewall.
A company's Internet access problems might not have anything to do with the Internet. Recent history shows that Internet worms that manage to wriggle their way into internal networks can cause havoc. Worms that infect internal systems behind a firewall may be difficult to isolate, yet isolating worms quickly can mean the difference between a problem and a disaster.
I once dealt with a client who was experiencing a network problem. I was told that the client had poor Internet speed and that initial efforts to fix the problem were futile. The network engineers were looking for a problem in the wrong place; the firewall and IDS weren't programmed to monitor internal network traffic. It took some time to determine that an internal network was passing a lot of traffic and causing the problem.
The engineers connected a network analyzer to the problem network. Although the analyzer showed that a great deal of traffic was coming from a number of internal servers, this wasn't considered abnormal. Detailed analysis didn't seem necessary because the engineers thought it was a physical network problem.
After replacing some wiring, NICs, and a switch, the problem persisted; that's when they asked for my input. Since the client's border router was a Cisco router, I decided to start my investigation there and proceed into the network.
It didn't surprise me to see a lot of outbound bandwidth on the router, but I still didn't have a clear picture of what the traffic was or where it was going. This is where Cisco's NetFlow came to the rescue.
NetFlow measures traffic on routers and switches. It was designed to provide statistics on data for billing purposes and traffic analysis. Whereas SNMP is primarily a network management protocol, NetFlow gives information at a more granular level and includes details on the source, destination, and service port of packets.
These additional details allow you to use NetFlow information to take "snapshots" of traffic at the router level, whether it's entering or leaving a network. Therefore, you can use NetFlow to detect port-scanning activity, which is common with Internet worms, from the router's console without buying other software. Of course, your Cisco Internetwork Operating System (IOS) needs to support NetFlow features, and you might need to upgrade your IOS to a current version to use it.
Here's how I discovered the problem in the scenario mentioned above: I used the command ip route-cache flow on the outbound Internet interface and on the router's fast Ethernet interface. I waited a few seconds and then entered the command show ip cache flow.
After perusing the output for a few screens, I found my answer: A machine using static NAT through the Check Point FireWall-1 system had the SQLSnake worm. I recognized that port 0599 is hexadecimal for port 1433, the service port for Microsoft SQL Server and the one used by SQLSnake.
The firewall didn't inspect traffic for this internal Web and SQL Server because it was listed as a static NAT entry. No ports were blocked, and IP traffic was free to flow, resulting in a SQLSnake infection and its subsequent outbound scanning.
Although Cisco probably didn't have this use in mind originally, NetFlow is also useful for tracking down and fixing problems caused by Internet worms when the problem is difficult to isolate from a firewall or IDS. For more details about NetFlow, visit Cisco's Web site.