Tech Tip: Use Cisco's NetFlow technology to detect worms

By Jonathan Yarden

There are numerous ways to monitor your network and protect it from Internet intrusions. Companies commonly use a firewall for network protection. Although firewall logs often provide a lot of information regarding intrusion attempts, sometimes it's too much information to sort through when there's a problem you can't resolve quickly.

Some companies also use intrusion detection systems (IDSs) on border routers to monitor incoming traffic for patterns that indicate specific problems. But firewalls and IDSs are used primarily on borders with the Internet, rather than on internal networks. Also keep in mind that it's difficult to monitor network address translation (NAT) entries through a firewall.

A company's Internet access problems might not have anything to do with the Internet. Recent history shows that Internet worms that manage to wriggle their way into internal networks can cause havoc. Worms that infect internal systems behind a firewall may be difficult to isolate, yet isolating worms quickly is the difference between a problem and a disaster.

I once dealt with a client who was experiencing a network problem. I was told that the client had poor Internet speed and that initial efforts to fix the problem were futile. The network engineers were looking for a problem in the wrong place; the firewall and IDS weren't programmed to monitor internal network traffic. It took some time to determine that an internal network was passing a lot of traffic.

The engineers connected a network analyzer to the problem network. Although the analyzer showed that a great deal of traffic was coming from a number of internal servers, this wasn't considered abnormal. Detailed analysis didn't seem necessary because the engineers thought it was a physical network problem.

After replacing some wiring, NICs, and a switch, the problem persisted; that's when they asked for my input. Since the client's border router was a Cisco router, I decided to start my investigation there and proceed into the network.

It didn't surprise me to see a lot of outbound bandwidth on the router, but I still didn't have a clear picture of what the traffic was or where it was going. This is where Cisco's NetFlow came to the rescue.

NetFlow measures traffic on routers and switches. It was designed to provide traffic statistics for billing and traffic analysis. Whereas SNMP is primarily a network management protocol, NetFlow gives information at a more granular level, including the source address, destination address, and service port of each flow.

These additional details allow you to use NetFlow information to take "snapshots" of traffic at the router level, whether it's entering or leaving a network. Therefore, you can use NetFlow to detect port-scanning activity, which is common with Internet worms, from the router's console without buying other software. Of course, your Cisco Internetwork Operating System (IOS) needs to support NetFlow features, and you might need to upgrade your IOS to a current version.

Here's how I discovered the problem: I used the command ip route-cache flow on the outbound Internet interface and on the router's fast Ethernet interface. I waited a few seconds and then entered the command show ip cache flow.

After perusing the output for a few screens, I had my answer: A machine using static network address translation through the Check Point FireWall-1 system had the SQLSnake worm. The show ip cache flow output lists ports in hexadecimal; port 0599 is hexadecimal for port 1433, the service port for Microsoft SQL Server.

The firewall didn't inspect traffic for this internal Web and SQL Server because it was listed as a static NAT entry. No ports were blocked, and IP traffic was free to flow, resulting in a SQLSnake infection and subsequent outbound scanning.

Although Cisco probably didn't have this use in mind originally, NetFlow is also useful for tracking down and fixing problems caused by Internet worms when the problem is difficult to isolate.

For more details about NetFlow, visit Cisco's Web site.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
