MS Network Load Balancing – The Fine Print

Natty Light!

Microsoft’s NLB Clustering is kind of to High Availability Load Balancing what Natural Light is to the beer world. Both will basically get the job done, and on the cheap, but in the long run they might leave you with a wicked headache and wishing you spent a few extra dollars for a Sam Adams.

Continue reading

Case Study: Suspicious Network Traffic

In this post I describe a recent investigation of suspicious network traffic on an organization’s network. Although the traffic ended up not being malicious, the hope is that the basic investigation methodologies described may be helpful to those in similar situations. The tools used include Wireshark network monitor, select Sysinternals utilities, and those built into the Windows OS.

Continue reading

BGP Exploit

The usual security blogs are abuzz today with the news of the Border Gateway Protocol (BGP) vulnerability described at DEFCON 16. I won’t bother reposting all the details, but I’ve aggregated a few of the more informative links to information on the subject below. The potential to exploit BGP in this way has been talked about for at least the better part of a decade, but apparently never demonstrated until the DEFCON conference. The links have some decent technical info; it appears frighteningly simple for a person with the proper resources to hijack & intercept a remote network’s transmissions while mostly remaining undetected. Article

Original DEFCON Presentation

DHS Routing Security Initiative

And of course…. Wikipedia

Simple SOHO IDS with Snort & a DIY Network TAP

I run a few Internet facing resources at home, that are mostly protected or locked down in one form or another. However, I wanted to implement some form of Intrusion Detection System or basic monitoring that would let me know what was being accessed, when, and by who. I decided to go with Snort ( ) because it’s a proven technology that is fairly simple to set up with a little Linux know-how (there is also a Win32 distribution).

My biggest problem was how to ensure Snort could see all of the relevant traffic. I couldn’t just plug the machine running Snort into one of my switches, since I don’t have a switch that supports setting up a SPAN port. I could have used a hub, but didn’t want to introduce the potential for problems in my network related to collisions. A white paper on the Snort site mentioned using a network TAP. This seemed like a good idea, but the commercial ones cost way more than I was wanting to spend. I found a great DIY article here on making your own passive tap. Check the article for the details, all you need is a 4 port surface mount box, 4 keystone jacks, and a small length of Cat5 cable. I was able to put one together for less than $20.

The finished product has four interfaces: one interface for each host, and two monitoring interfaces. Each monitoring port monitors traffic received in one direction only. Because only the pins for receiving traffic are wired on the monitoring ports, your IDS station is completely invisible on the network, functioning only as a listening device. That’s one of the main benefits that attracted me to this solution. A separate NIC will need to be used for remote management of the IDS, unless you intend to do so exclusively from the console. I installed Snort on a machine running SUSE Enterprise 10, and connected it to the Tap which I plugged in on the WAN side of my router between it and my DSL modem (see below for a simple diagram), monitoring incoming traffic. This actually generates alerts on traffic that isn’t making it through my firewall, but it’s interesting to see what traffic is out there. The SQL Slammer worm is still very prevalent, and it’s amazing how much suspicious traffic is originating from China (or not). I also added a few custom rules specific to my environment. Later I may move the tap inside my firewall. I was a little worried about the effect it might have on my network, but bandwidth tests before and after were identical, and I’ve had zero packet loss after running this for several weeks.

This is a great way of monitoring your network. I certainly wouldn’t recommend using this setup in an enterprise or production environment, but it works well for situations like mine, or as a learning tool. In the future I may utilize more of Snort’s IPS features, as well as some sort of log watch automatic notifications.

Related Posts:

Snort IDS & BASE on Server Core 2008