WARNING: TECHIE ARTICLE TO FOLLOW
Network Visibility: What is really happening on your network?
I’ve recently been reading about several high profile companies being hacked, and am currently undergoing review after cleaning out a few script kiddies hiding in some old software that we had running on some systems here. In a lot of the articles that I have read, I see no mention of such attacks being visible on network devices and the like. I will focus my attention on one of the utilities that I use on my own network: Snort.
I am currently using Snort (http://www.snort.org) and a couple of other home-grown systems to monitor my network. Now, before you go screaming and shouting about me just being hacked, and not knowing what was visible on my network: I know, I have no excuse, lol.
That aside, it reminded me of the importance of knowing what is happening on all sides of our networks. There will always be external threats; that is a given. The job of tools like Snort is to spot known exploits or attacks as they enter (or leave) our networks, to alert on them (or block them, if the sensor is running inline and is configured to do so), and so to tell us that we are being attacked, so that we can respond appropriately.
The problem with a signature-based solution like Snort is that it can only detect traffic it already has a rule for: you have to know about the attack BEFORE it hits your network. In my case, I learned a great deal about the traffic AFTER it hit my network, rendering Snort useless. There are many popular sites that publish and track announcements of exploits, and some even offer sample code for TESTING YOUR OWN SYSTEMS (hacking somebody else’s computer without their permission is illegal, ya know?).
Now that I know about these kinds of attacks, I can configure Snort (or any other product that I would be using) to aggressively take care of such issues without me having to dig out and find hundreds of places where hackers have put files or code on my website.
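To make the point above concrete, here is a small Python matcher, added as an illustration for this post (it is not Snort’s code and not something from the original article), that implements the essence of a Snort `content:` rule and runs it over a handful of constructed HTTP requests. The rule texts, the sample traffic, and the function names (`parse_rule`, `detect`, `missed`) are all made up for the example. Run it and the same thing happens that happened to me: the rules you already have catch the SQL injection probe and the scanner, while the request to the dropped web shell sails through untouched until you write a rule for it.

```python
"""Tiny signature matcher in the spirit of Snort's `content:` keyword.

Constructed example: parses a small subset of Snort rule syntax
(action, protocol, addresses/ports, msg/content/nocase/sid options)
and checks the rules against constructed HTTP request payloads.
It ignores Snort features such as |hex| content, pcre, flow, etc.
"""
import re
from dataclasses import dataclass

# rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# one option: key[:value]; where value may be a quoted string
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Rule:
    action: str
    dport: str
    msg: str
    sid: int
    contents: list  # list of (needle_bytes, nocase) pairs, all must match


def parse_rule(text):
    """Parse one rule line into a Rule; raises ValueError on garbage."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    contents, msg, sid = [], "", 0
    for key, val in OPT_RE.findall(m.group("opts")):
        val = val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "sid":
            sid = int(val)
        elif key == "content":
            contents.append([val.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True  # nocase modifies the preceding content
    return Rule(m.group("action"), m.group("dport"), msg, sid,
                [tuple(c) for c in contents])


def matches(rule, dport, payload):
    """True if the destination port fits and every content: needle is present."""
    if rule.dport not in ("any", str(dport)):
        return False
    for needle, nocase in rule.contents:
        hay = payload.lower() if nocase else payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def detect(rule_texts, traffic=None):
    """Return (sid, msg, action, packet_index) for every rule that fires."""
    rules = [parse_rule(t) for t in rule_texts]
    traffic = TRAFFIC if traffic is None else traffic
    return [(r.sid, r.msg, r.action, i)
            for i, (dport, payload) in enumerate(traffic)
            for r in rules if matches(r, dport, payload)]


def missed(rule_texts, traffic=None):
    """Indexes of packets no rule fired on: the blind spot of signature detection."""
    traffic = TRAFFIC if traffic is None else traffic
    fired = {hit[3] for hit in detect(rule_texts, traffic)}
    return [i for i in range(len(traffic)) if i not in fired]


# Constructed rules for attacks we already know about.
KNOWN_RULES = [
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB-ATTACK SQL tautology in query"; '
    'content:"\' OR 1=1"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"SCAN Nikto user agent"; '
    'content:"Nikto"; nocase; sid:1000002; rev:1;)',
]
# Rule written only AFTER finding the dropped shell. "drop" blocks only when
# Snort runs inline; in passive mode it can do no more than alert.
WEBSHELL_RULE = ('drop tcp any any -> $HOME_NET 80 (msg:"WEB-SHELL command to dropped PHP file"; '
                 'content:"shell.php"; content:"cmd="; sid:1000003; rev:1;)')

# Constructed traffic: (destination port, raw request bytes).
TRAFFIC = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    (80, b"GET /login.php?user=admin' OR 1=1-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"GET /cgi-bin/ HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.00 (Nikto/2.1.6)\r\n\r\n"),
    (80, b"POST /images/shell.php HTTP/1.1\r\nHost: www.example.com\r\n\r\ncmd=cat+/etc/passwd"),
]

if __name__ == "__main__":
    print("known rules fire on:", detect(KNOWN_RULES))
    print("packets nobody noticed:", missed(KNOWN_RULES))
    print("after adding the web shell rule:", missed(KNOWN_RULES + [WEBSHELL_RULE]))
```

Packet 0 is the only one that should stay unmatched once the web shell rule is in place; if packet 3 still shows up in `missed`, the signature is wrong, which is exactly the kind of thing to check by replaying captured traffic against a sensor before trusting it.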
What is really important, though, is that your network has some sort of visibility into it, so that you can identify when your systems are being (or have been) hacked, and can do an analysis to find out how one set of hackers got in. By keeping your network appliances and their signatures updated, you make it much harder for other hackers to get in the same way, and you will be able to SEE who is trying.
I am by no means a security expert (yet). But I learn as I go and learn from the school of hard knocks. I’d be more than happy to hear from anyone who has helpful hints or suggestions about tools available (commercial or open source), or even comments or suggestions about ways to monitor my networks.
Don’t be a stranger!
Y’all come back now. Ya’ hear?
