Proceedings of the 2007 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY, 20-22 June 2007

PANEMOTO: Network Visualization of Security Situational Awareness Through Passive Analysis

William Streilein, Kendra Kratkiewicz, Michael Sikorski, Keith Piwowarski, Seth Webster
Massachusetts Institute of Technology, Lincoln Laboratory

Abstract--To maintain effective security situational awareness, administrators require tools that present up-to-date information on the state of the network in the form of 'at-a-glance' displays, and that enable rapid assessment and investigation of relevant security concerns through drill-down analysis capability. In this paper, we present a passive network monitoring tool we have developed to address these requirements, known as Panemoto (Passive Network Monitoring Tool). We show how Panemoto enumerates, describes, and characterizes all network components, including devices and connected networks, and delivers an accurate representation of the function of devices and the logical connectivity of networks. We provide examples of Panemoto's output in which the network information is presented in two distinct but related formats: as a clickable network diagram (through the use of NetViz, a commercially available graphical display environment) and as statically-linked HTML pages, viewable in any standard web browser. Together, these presentation techniques enable a more complete understanding of the security situation of the network than either does individually.

Index Terms—Computer network security, computer networks, local area networks, visualization

I. INTRODUCTION

Today's security administrators face the difficult task of maintaining and protecting enterprise computer networks that are constantly changing and are under continuous attack from a growing number of sophisticated hackers.
To maintain effective security situational awareness [1], administrators require tools that present up-to-date information on the state of the network in the form of 'at-a-glance' displays, and that enable rapid assessment and investigation of relevant security concerns through drill-down analysis capability [2]. To address these requirements, we have developed a passive network monitoring tool known as Panemoto (Passive Network Monitoring Tool). Panemoto avoids common pitfalls of active network mapping [3, 4], relying solely on passively captured network traffic to build an annotated visual representation of a computer network. It enumerates, describes, and characterizes all network components, including devices and connected networks, and delivers an accurate representation of the function of devices and the logical connectivity of networks. Panemoto presents the network information in two distinct but related formats: as a clickable network diagram (through the use of NetViz [5], a commercially available graphical display environment) and as statically-linked HTML pages, viewable in any standard web browser. Together, these presentation techniques enable a more complete understanding of the security situation of the network than either does individually.

The contributions of this paper are twofold. First, this paper presents a novel network visualization tool that provides both 'at-a-glance' displays and drill-down analysis capability. Second, the paper demonstrates that information sufficient to maintain security situational awareness for a network can be discovered through passive methods.

Manuscript received March 8, 2007. This work is sponsored by the Department of Defense under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the authors and are not necessarily endorsed by the United States Government.
To the authors' knowledge, Panemoto is the first tool of its kind to demonstrate these capabilities.

Section II of this paper reviews current research into the uses of passive network monitoring for network visualization. Section III briefly summarizes Panemoto, discussing the goals behind the tool and the overall architecture of the implementation. Section IV presents screen shots of the current generation of the tool's network visualizations, while Section V argues for the use of passive network mapping and makes suggestions for follow-on work.

II. BACKGROUND

Many analysis and visualization tools are available to the network administrator and security analyst today. These tools range from outputting simple lists of hosts and attributes to providing more complicated, interactive displays of real-time connections. While many tools are active in nature, for example probing for the existence of devices and the presence of applications, researchers are discovering the benefits of passive network monitoring as an alternate way to understand the current state of a network and to stay abreast of the associated security issues [6].

Ethereal [7], tcpdump [8], and Ntop [9] are popular choices for tasks such as packet breakout and simple statistical analysis. Ethereal and tcpdump give network administrators the ability to view actual traffic through header field break-out displays. User-defined traffic filters support basic analysis and understanding of traffic and flow rates on their networks. Ethereal also provides session reconstruction for individual sessions of interest. Ntop enumerates individual devices on the network, performs operating system identification, and provides traffic rate characterization. Visualization of the original data and summary statistics through Ntop is supported through HTML pages and dynamically-prepared pie charts.

Some security tools enable administrators to enumerate devices on a network and to discern the operating systems and applications running on them. Active mapping tools such as NMAP [10], Cheops [11], and DSniff [12], as well as passive tools such as p0f [13] and siphon [14], can provide operating system and application identification to the user. Presentation of the information discerned typically takes the form of a textual read-out with minimal or no graphical display.

It is our intention with Panemoto to bring together into a single analysis tool the individual capabilities of device enumeration, operating system and application identification, and traffic rate characterization. While the tools mentioned above lack sophisticated information visualization capability, we recognize the value of the analysis and mapping techniques each has to offer. We strive to incorporate similar capabilities into Panemoto while introducing our own enhanced capabilities for complete visualization of the enterprise network.

The goals of Panemoto are to:
• Develop a complete picture of the network under observation by enumerating all network components and attached networks
• Present both a graphical display of the network state, supporting at-a-glance assessment, and a list-oriented enumeration of the network components for more in-depth investigation
• Use passive methods to gather information about the network
• Allow for the introduction of supplemental network information and functionality extensions through a plug-in architecture

III. VISUALIZATION AND ANALYSIS METHODOLOGY

Underlying the goal of providing a complete understanding of a computer network are three important capabilities:
1. enumeration of the network components
2. description of the enumerated components in terms of relevant TCP/IP attributes
3. characterization of the enumerated components by quantifying network behavior and traffic rate

To support the enumeration, description, and characterization of network devices and connectivity, Panemoto's analysis methodology focuses on three levels of analysis: packet, session, and episodic. These analysis capabilities build upon common passive mapping techniques, such as those described in [6], with the addition of several novel identification algorithms [15].

At the packet level, analysis uncovers information about the network from individual packets. For example, an individual DHCP ACK packet can contain information about the local network number and mask, the default gateway, the DNS server, and, of course, the assigned IP address for the destination host. At this level, every packet seen by Panemoto can provide information for the emerging visualization. Table I provides a list of the protocols that Panemoto analyzes and what is learned from each.

Table I
LIST OF PROTOCOLS ANALYZED BY PANEMOTO

PROTOCOL             INFORMATION RETRIEVED
ARP                  IP to MAC address mapping
BROWSER              Microsoft network devices, servers, services, names
DHCP                 Network configuration: net/mask, router IP, time server
DNS                  DNS servers, remote domain names
LPD, CUPS            Printer identification
NBNS, NetBIOS        Machine names/IP addresses
NETLOGON             User/machine names
RIPv1, RIPv2         Network connectivity, router IPs
SRVSVC               Microsoft shares and services offered
STP                  Switch identification (sender and root switch)
WHO                  Usernames/IP addresses
SNMP                 Interfaces, system description
IEEE 802.11          Wireless access points
BGP4, OSPF, EIGRP    Internet routing, AS mappings
HTTP                 HTTP server ID, client OS
POP, IMAP, SMTP      Mail server identification, mail path

At the session level, analysis gathers information from reconstructed conversations between two machines, from which relationships between machines can be understood. Panemoto makes use of NetTracker, a tool developed at MIT-LL to reconstruct TCP, UDP, and ICMP sessions.
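As an added illustration of the packet-level analysis described above (example code written for this edition, not Panemoto's own implementation), the following Python parses one DHCP message and, if it is a DHCPACK, extracts the items Table I lists for DHCP: the network number and mask, the router, DNS and time servers, and the address assigned to the client. The packet it parses is constructed inline (it is not a capture from the paper); the option codes are the standard RFC 2132 ones, and the layout of the returned record is an assumption of the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

DHCP_MAGIC = b"\x63\x82\x53\x63"
# Option codes from RFC 2132 that carry the items listed for DHCP in Table I
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_TIME_SERVER, OPT_DNS = 0, 1, 3, 4, 6
OPT_NTP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 42, 51, 53, 54, 255
BOOTREPLY, DHCPACK = 2, 5


def parse_dhcp_options(payload):
    """Walk the TLV option field that follows the magic cookie; returns {code: raw value}."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        opts[code] = value          # repeated options: last one wins (no RFC 3396 concatenation)
        i += 2 + length
    return opts


def ip_list(raw):
    """Split an option value holding N concatenated IPv4 addresses."""
    return [str(IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - len(raw) % 4, 4)]


def learn_from_dhcp(dhcp):
    """Packet-level analysis of one DHCP message (UDP payload: BOOTP header + options).
    Returns None unless it is a DHCPACK; otherwise the network facts Table I lists for DHCP."""
    if len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops = struct.unpack_from("!4B", dhcp, 0)
    yiaddr = IPv4Address(dhcp[16:20])          # 'your' address: the lease handed to the client
    chaddr = dhcp[28:28 + min(hlen, 16)]       # client hardware address
    opts = parse_dhcp_options(dhcp[240:])
    if op != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    mask = IPv4Address(opts[OPT_SUBNET_MASK]) if OPT_SUBNET_MASK in opts else None
    return {
        "client_mac": ":".join("%02x" % b for b in chaddr),
        "assigned_ip": str(yiaddr),
        "network": str(IPv4Network("%s/%s" % (yiaddr, mask), strict=False)) if mask else None,
        "routers": ip_list(opts.get(OPT_ROUTER, b"")),
        "dns_servers": ip_list(opts.get(OPT_DNS, b"")),
        "time_servers": ip_list(opts.get(OPT_TIME_SERVER, b"") + opts.get(OPT_NTP, b"")),
        "dhcp_server": ip_list(opts.get(OPT_SERVER_ID, b"")),
        "lease_seconds": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
    }


def build_sample_ack():
    """Constructed DHCPACK for the example (not a capture): server 192.168.10.1 leases
    192.168.10.57 to client 00:11:22:33:44:55 and tells it mask, router, DNS and NTP servers."""
    packed = lambda ip: IPv4Address(ip).packed
    header = struct.pack("!4BI2H4s4s4s4s16s64s128s",
                         BOOTREPLY, 1, 6, 0,            # op, htype=Ethernet, hlen, hops
                         0x3903F326, 0, 0,              # xid, secs, flags
                         b"\0" * 4,                     # ciaddr
                         packed("192.168.10.57"),       # yiaddr
                         packed("192.168.10.1"),        # siaddr
                         b"\0" * 4,                     # giaddr
                         bytes.fromhex("001122334455"), # chaddr (struct zero-pads to 16 bytes)
                         b"", b"")                      # sname, file (zero-padded)

    def opt(code, value):
        return bytes([code, len(value)]) + value

    options = (opt(OPT_MSG_TYPE, bytes([DHCPACK]))
               + opt(OPT_SERVER_ID, packed("192.168.10.1"))
               + opt(OPT_LEASE, struct.pack("!I", 86400))
               + opt(OPT_SUBNET_MASK, packed("255.255.255.0"))
               + opt(OPT_ROUTER, packed("192.168.10.1"))
               + opt(OPT_DNS, packed("192.168.10.2") + packed("192.168.10.3"))
               + opt(OPT_NTP, packed("192.168.10.2"))
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    print(learn_from_dhcp(build_sample_ack()))
```

The parser deliberately ignores DHCPOFFER and DHCPREQUEST messages: only the ACK states the configuration the client will actually use, so an analyst reading offers would catalog addresses that were never assigned.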
Episodic analysis, which can span protocols and sessions, provides a higher-level understanding of a network's structure and behavior. This capability can be used to recognize network events that cannot be perceived within packet analysis or session analysis alone. For example, it is nearly impossible to detect the rebooting of a Windows machine in a single packet or session, but it can be seen through the recognition of a sequence of specific packets (e.g. three gratuitous ARPs). Event recognition lends a temporal context to the network data that can be very useful to an administrator wishing to understand a network beyond simply how it is put together, and into how it behaves over time. Episodic analysis also supports larger, time-domain descriptions of general network characteristics such as packet flows, amount of traffic sent, etc. This analysis permits characterization of server machines by connection rates, and of network links by traffic rates.

IV. VISUALIZING NETWORK STATE VIA NETVIZ AND HTML

Panemoto produces its output in a format that can be imported and viewed by the NetViz visualization program. This interface presents a display of the connectivity of subnets and gateways learned via passive monitoring. An example of this display, shown in Fig. 1, illustrates the distinction made between local networks (green clouds) and remote networks (gray clouds). In this example, an intervening gateway provides connectivity for the network.

Fig. 1. Top-level connectivity view via NetViz

Selecting and clicking through a network icon in NetViz brings the user to the local network view, shown in Fig. 2, where individual devices are presented. Selecting a device reveals a list-oriented description of that device. Devices are arranged on the screen according to their determined functions: routers are at the top, servers are at the bottom, and normal hosts are presented on either side of the blue network line.

Fig. 2. Local network view, showing individual devices

The at-a-glance information presented through the NetViz interface is also prepared in HTML table format, as in Fig. 3, where embedded links enable navigation around the data. Other tables presented in HTML format include networks, hosts, routers, servers, switches, domains, interfaces, connections, ASes, and any server and client applications that have been identified on hosts.

Fig. 3. HTML table of devices on local network

An important capability for network administrators is the ability to understand how connections flow through the network [16]. Panemoto analyzes all the TCP, UDP, and ICMP connections seen in the network traffic and produces a simple display using Graphviz [17] that shows source and destination nodes, port of connection, and number of connections made during the observation period.

Fig. 4. Connection map of hosts communicating

While a view such as that shown in Fig. 4 can become unwieldy if a large number of hosts are communicating, Panemoto also produces individual connection maps for each of the hosts seen, as in Fig. 5. In the connection diagram, individual connections are indicated by directed arrows from client to server and are color-coded according to the state of the port at the time of the connection: green means "open," red means "closed," and yellow means "restricted." Using the individual connection diagrams drawn by Panemoto, it becomes a simple task to understand who is talking to whom and how frequently. In Fig. 5, host 200.1.101.16 has been seen making five (5) connections on UDP port 735 to host 200.1.101.15. This connection display is particularly useful for tracking active open ports on machines to find unwanted servers.

Fig. 5. Individual host connection map for 200.1.101.16
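To make the episodic analysis of Section III and the per-host connection map of Fig. 5 concrete, the following added example (written for this edition; it is not Panemoto's or NetTracker's code) runs both over a constructed list of decoded observations: it recognizes a Windows reboot as a burst of three gratuitous ARPs from one host inside a time window, counts connections per (client, server, protocol, port), characterizes servers by connection rate, and emits a Graphviz DOT graph for one host whose arrows are colored by port state exactly as the figure describes. The `Event` record layout, the ten-second window, and the sample observations are assumptions of the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One decoded observation. This layout is an assumption for the example,
    not NetTracker's or Panemoto's record format."""
    ts: float                 # seconds since start of observation
    kind: str                 # "arp" or "session"
    src: str                  # ARP sender IP, or the session's client IP
    dst: str = ""             # session server IP
    proto: str = ""           # "tcp" / "udp" / "icmp"
    port: int = 0             # server port
    state: str = ""           # port state seen in the reply: "open" / "closed" / "restricted"
    arp_target: str = ""      # ARP target protocol address


def is_gratuitous_arp(e):
    # A gratuitous ARP announces the sender's own address: sender and target IP coincide.
    return e.kind == "arp" and e.arp_target == e.src


def find_reboots(events, needed=3, window=10.0):
    """Episodic rule from the paper: a burst of gratuitous ARPs (three, for Windows)
    from one host is read as that host rebooting. Returns (host, first_ts, last_ts)."""
    recent = defaultdict(list)
    episodes = []
    for e in sorted(events, key=lambda e: e.ts):
        if not is_gratuitous_arp(e):
            continue
        times = recent[e.src]
        times.append(e.ts)
        while times and e.ts - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) >= needed:
            episodes.append((e.src, times[0], e.ts))
            times.clear()                            # one report per burst
    return episodes


def connection_map(events):
    """Session-level aggregation: count connections per (client, server, proto, port)
    and remember the port state seen most recently for each."""
    counts, states = Counter(), {}
    for e in events:
        if e.kind != "session":
            continue
        key = (e.src, e.dst, e.proto, e.port)
        counts[key] += 1
        states[key] = e.state
    return counts, states


def server_rates(counts, duration_s):
    """Characterize servers by inbound connection rate (connections per second)."""
    per_server = Counter()
    for (_, dst, _, _), n in counts.items():
        per_server[dst] += n
    return {dst: n / duration_s for dst, n in per_server.items()}


COLOR = {"open": "green", "closed": "red", "restricted": "yellow"}


def host_dot(host, counts, states):
    """Graphviz DOT for one host's connection map: arrows run client -> server,
    labelled with proto/port and count, coloured by port state as in Fig. 5."""
    lines = ['digraph "%s" {' % host]
    for key, n in sorted(counts.items()):
        src, dst, proto, port = key
        if host not in (src, dst):
            continue
        lines.append('  "%s" -> "%s" [label="%s/%d x%d" color=%s];'
                     % (src, dst, proto, port, n, COLOR.get(states[key], "black")))
    lines.append("}")
    return "\n".join(lines)


def sample_events():
    """Constructed observation for the example (not a capture from the paper)."""
    ev = [Event(10.0 + i, "session", "200.1.101.16", "200.1.101.15", "udp", 735, "open")
          for i in range(5)]                                   # the five UDP/735 connections of Fig. 5
    ev.append(Event(20.0, "session", "200.1.101.16", "200.1.101.15", "tcp", 23, "closed"))      # answered by RST
    ev.append(Event(21.0, "session", "200.1.101.30", "200.1.101.15", "tcp", 445, "restricted")) # filtered
    ev += [Event(t, "arp", "200.1.101.20", arp_target="200.1.101.20") for t in (100.0, 100.5, 101.0)]  # reboot burst
    ev.append(Event(200.0, "arp", "200.1.101.30", arp_target="200.1.101.30"))  # lone announcement: no episode
    ev.append(Event(201.0, "arp", "200.1.101.30", arp_target="200.1.101.1"))   # ordinary who-has, not gratuitous
    return ev


if __name__ == "__main__":
    ev = sample_events()
    print("reboot episodes:", find_reboots(ev))
    counts, states = connection_map(ev)
    print(host_dot("200.1.101.16", counts, states))
```

Feed the DOT text to `dot -Tpng` to get a per-host diagram. The sliding window matters: three gratuitous ARPs from one host spread over an hour are ordinary address announcements, not a reboot, which is why the lone announcement from 200.1.101.30 produces no episode.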
A. Change Detection

By comparing current network state information to previously stored information, Panemoto can detect potentially anomalous changes to the network configuration. This capability can alert administrators to dynamic changes in the network environment. As seen in Fig. 6, Panemoto recognizes devices and networks that are new, missing, or changed, and displays them in different colors depending on their status: new devices are shown in blue, missing devices in grey, and changed devices in yellow. A field on the left of the screen indicates what about the object has changed. In this case, an operating system has changed from Windows 5.0 (2000) to Windows 5.1 (XP). This visual illustration of changes provides a simple mechanism to convey changes in the network to the user.

Fig. 6. Visualization of changes through NetViz

V. ACTIVE AND PASSIVE ANALYSIS

Other researchers have compared and contrasted the relative merits of active and passive network mapping and analysis [18, 19, 20]. In general, the two techniques complement each other. Active analysis enables specific, on-demand polling of devices for vulnerable ports, but can miss information for which there are no specific probes. Passive analysis, on the other hand, is able to see any devices that are transmitting on the network and can provide a more accurate picture of the network in real time. However, passive analysis must wait for the devices to communicate and may never see traffic from some devices on a network in which traffic is segmented, as in a switched environment.

Passive analysis supports the detection of other types of network problems that are difficult, if not impossible, for active systems to detect. For instance, because passive analysis tools are not forced to follow a scripted survey of the network components, they can recognize devices and networks that aren't supposed to be there. Passive analysis can be used to recognize hosts that have been misconfigured with incorrect IP network and mask settings: traffic from these hosts is seen to contain invalid source IP addresses and inappropriate destination broadcast addresses. Passive analysis tools can also recognize when the network architecture is not operating efficiently, such as when the wrong router has been configured on a host; in this case, the presence of ICMP redirect messages indicates a faulty configuration. These three examples describe actual situations discovered on the authors' network that would not have been discovered through active scanning.

Realizing that passive scanning may miss some devices on the network, information supplemental to that gleaned from the raw network data can be provided to Panemoto through a flat text file. In this way, network administrators can inform Panemoto of devices that for one reason or another aren't seen in raw network data and thus aren't part of Panemoto's catalog of devices. Panemoto also supports a plug-in architecture that enables users and/or contributors to add to its analysis capabilities at the packet, session, and episodic levels.

VI. CONCLUSIONS

The future of passive analysis monitoring for network state visualization is promising. As networks become more dynamic, the need to stay on top of these changes in real time and to address immediate security needs presents a continuing challenge. We believe Panemoto addresses these concerns and will continue to do so with a flexible architecture supporting packet, session, and episodic analysis plug-ins.
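Before the closing remarks continue, an added example that returns to two of the passive checks just described: the change detection of Section IV.A (new, missing, and changed devices, with the attribute that changed) and the misconfiguration cases of Section V (a host on the wrong network number, a host with the wrong mask sending to the wrong directed-broadcast address, and a host whose wrong default router shows up as ICMP redirects). This is example code written for this edition, not Panemoto's implementation; the catalog layout (keyed by MAC), the packet dictionaries, and the sample data are constructed for the example. The mask check generalizes the paper's observation: it looks for a broadcast address that would be correct under some prefix length other than the one learned from DHCP or RIP.

```python
from ipaddress import ip_address, ip_network


def diff_inventory(previous, current):
    """Compare a stored device catalog with the current one (both keyed by MAC, values are
    attribute dicts). Returns the three classes Fig. 6 colours: new, missing, changed,
    with the per-attribute (before, after) values for changed devices."""
    new = sorted(set(current) - set(previous))
    missing = sorted(set(previous) - set(current))
    changed = {}
    for mac in set(previous) & set(current):
        before, after = previous[mac], current[mac]
        deltas = {k: (before.get(k), after.get(k))
                  for k in set(before) | set(after) if before.get(k) != after.get(k)}
        if deltas:
            changed[mac] = deltas
    return {"new": new, "missing": missing, "changed": changed}


def misconfigured_hosts(local_net, packets):
    """Passive checks from Section V. local_net is the net/mask learned from DHCP or RIP;
    packets are dicts with src, dst and optional icmp_type (an assumed layout for the example).
    Returns (offending host, description) pairs in observation order."""
    net = ip_network(local_net)
    limited = ip_address("255.255.255.255")
    findings = []
    for p in packets:
        src, dst = ip_address(p["src"]), ip_address(p["dst"])
        # 1. wrong network number: a sender whose address is not in the local net
        #    (0.0.0.0 is legitimate for a client still acquiring a DHCP lease)
        if not src.is_unspecified and src not in net:
            findings.append((str(src), "source address outside local network %s" % net))
        # 2. wrong mask: a directed broadcast that is correct for some other prefix length
        if dst != net.broadcast_address and dst != limited:
            for plen in range(8, 31):
                if plen == net.prefixlen:
                    continue
                if dst == ip_network("%s/%d" % (src, plen), strict=False).broadcast_address:
                    findings.append((str(src), "broadcast to %s implies mask /%d, local mask is /%d"
                                     % (dst, plen, net.prefixlen)))
                    break
        # 3. wrong default router: the real router has to redirect the host (ICMP type 5)
        if p.get("icmp_type") == 5:
            findings.append((str(dst), "received ICMP redirect from %s: default router misconfigured" % src))
    return findings


def sample_inventories():
    """Constructed catalogs: the Fig. 6 scenario (an OS upgrade) plus one new and one vanished device."""
    previous = {
        "00:11:22:33:44:55": {"ip": "192.168.10.40", "os": "Windows 5.0 (2000)", "role": "host"},
        "00:11:22:33:44:66": {"ip": "192.168.10.1", "os": "Cisco IOS", "role": "router"},
        "00:11:22:33:44:77": {"ip": "192.168.10.9", "os": "Linux", "role": "host"},
    }
    current = {
        "00:11:22:33:44:55": {"ip": "192.168.10.40", "os": "Windows 5.1 (XP)", "role": "host"},
        "00:11:22:33:44:66": {"ip": "192.168.10.1", "os": "Cisco IOS", "role": "router"},
        "00:11:22:33:44:88": {"ip": "192.168.10.120", "os": "unknown", "role": "host"},
    }
    return previous, current


SAMPLE_PACKETS = [   # constructed observations on a 192.168.10.0/24 segment
    {"src": "192.168.10.57", "dst": "192.168.10.255"},                   # correct directed broadcast
    {"src": "0.0.0.0", "dst": "255.255.255.255"},                        # DHCP discover: legitimate
    {"src": "192.168.11.9", "dst": "192.168.10.2"},                      # host on the wrong network number
    {"src": "192.168.10.77", "dst": "192.168.255.255"},                  # host configured with a /16 mask
    {"src": "192.168.10.1", "dst": "192.168.10.40", "icmp_type": 5},     # router redirecting .40
]


if __name__ == "__main__":
    print(diff_inventory(*sample_inventories()))
    for host, why in misconfigured_hosts("192.168.10.0/24", SAMPLE_PACKETS):
        print(host, why)
```

Keying the catalog by MAC rather than IP is what lets a DHCP re-lease appear as a changed device instead of one missing host and one new one; a catalog keyed by IP would report the opposite and hide the OS change that Fig. 6 highlights.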
The information found by Panemoto is presented in a logical, informative, and actionable way that permits at-a-glance understanding of network state and drill-down investigation. An important area for future research is the integration of Panemoto with vulnerability assessment tools that automatically highlight specific weaknesses in an enterprise network's defenses.

Visualization of network information requires displaying multiple levels of information, including the enumeration of devices and networks, a description of how these devices operate and interact with each other, and a characterization of these devices. These analyses enable assessment of the most important components on the network to protect. We believe Panemoto provides these capabilities.

APPENDIX A
Protocol Descriptions and References

ARP: Address Resolution Protocol, IETF RFC 826
BGP-4: Border Gateway Protocol, IETF RFC 4271
BROWSER: Microsoft Windows Browser Protocol, CIFS/E Browser Protocol, Network Working Group INTERNET-DRAFT, P. Leach and D. Naik, Microsoft, 1997
CUPS: Common Unix Printing System, http://www.cups.org
DHCP: Dynamic Host Configuration Protocol, IETF RFC 2131
DNS: Domain Name Service, IETF RFC 1035
EIGRP: Enhanced Interior Gateway Routing Protocol, http://www.cisco.com/warp/public/103/eigrp-toc.html
HTTP: Hypertext Transfer Protocol, IETF RFC 1945
IEEE 802.11: Wireless Local Area Network standards, http://standards.ieee.org/getieee802/802.11.html
IMAP: Internet Message Access Protocol, IETF RFC 3501
LPD: Line Printer Daemon protocol, IETF RFC 1179
NBNS: NetBIOS Name Service, IETF RFC 1002
NetBIOS: Network Basic Input/Output System, http://www.netbiosguide.com
NETLOGON: Microsoft Windows Logon Protocol, http://www.ethereal.com/docs/dfref/n/netlogon.html
OSPF: Open Shortest Path First, IETF RFC 2328
POP: Post Office Protocol, IETF RFC 1939
RIPv1: Routing Information Protocol, IETF RFC 1058
RIPv2: Routing Information Protocol Version 2, IETF RFC 2453
SRVSVC: Server Service Remote Protocol, http://www.ethereal.com/docs/dfref/s/srvsvc.html
SMTP: Simple Mail Transfer Protocol, IETF RFC 1123
SNMP: Simple Network Management Protocol, IETF RFC 1157
STP: Spanning Tree Protocol, IETF RFC 2674
WHO: http://www.ethereal.com/docs/dfref/w/who.html

REFERENCES

[1] R. Becker, S. Eick, and A. Wilks, "Visualizing Network Data," IEEE Transactions on Visualization and Computer Graphics, 1(1), pp. 16-28, March 1995.
[2] J. Goodall, A. Ozok, W. Lutters, P. Rheingans, and A. Komlodi, "A user-centered approach to visualizing network traffic for intrusion detection," CHI '05 Extended Abstracts on Human Factors in Computing Systems, April 2-7, 2005, Portland, OR, USA.
[3] J. Kuntzelman, "Comparative Analysis of Active and Passive Mapping Techniques in an Internet-Based Local Area Network," Master's Thesis, Air Force Institute of Technology, Wright-Patterson AFB, OH, School of Engineering and Management, March 2004.
[4] J. Nazario, "Passive system fingerprinting using network client applications," Crimelabs Research, January 2001, http://www.windowsecurity.com/whitepapers/Passive_System_Fingerprinting_using_Network_Client_Applications.html
[5] NetViz, http://www.netviz.com
[6] A. Montigny-Leboeuf and F. Massicotte, "Passive Network Discovery for Real Time Situational Awareness," RTO IST Symposium on Adaptive Defense in Unclassified Networks, Toulouse, France, April 19-20, 2004.
[7] A. Orebaugh, G. Morris, E. Warnicke, and G. Ramirez, Ethereal, Syngress Publishing, February 2004, http://www.ethereal.com
[8] "Monitoring with TCPDUMP," http://www-iepm.slac.stanford.edu/monitoring/passive/tcpdump.html
[9] L. Deri and S. Suin, "Improving Network Security Using Ntop," Proceedings of the Third International Workshop on the Recent Advances in Intrusion Detection (RAID 2000), Toulouse, France, October 2000, http://www.ntop.org
[10] NMAP, http://www.insecure.org/nmap
[11] Cheops, http://www.marko.net/cheops/
[12] Dsniff, http://www.monkey.org/~dugsong/dsniff
[13] M. Zalewski, "The new p0f: 2.0.8," 2006, http://lcamtuf.coredump.cx/p0f.shtml
[14] The Subterrain Security Group, "Siphon Project," 2000, http://siphon.datanerds.net
[15] R. Lippmann, D. Fried, K. Piwowarski, and W. Streilein, "Passive Operating System Identification Using TCP/IP Header Fields," ICDM, May 2002.
[16] X. Yin, W. Yurcik, M. Treaster, Y. Li, and K. Lakkaraju, "VisFlowConnect: netflow visualizations of link relationships for security situational awareness," Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 26-34, October 29, 2004, Washington, DC, USA.
[17] E. Gansner and S. North, "An open graph visualization system and its applications to software engineering," Software - Practice and Experience, 30(11), pp. 1203-1233, 2000.
[18] S. Webster, R. Lippmann, and M. Zissman, "Experience Using Active and Passive Mapping for Network Situational Awareness," Fifth IEEE International Symposium on Network Computing and Applications, July 2006.
[19] B. Dayoglu and A. Ozgit, "Use of passive network mapping to enhance signature quality of misuse network intrusion detection systems," 16th International Symposium on Computer and Information Sciences, November 2001.
[20] R. Gula, R. Deraison, and T. Hayton, "Passive Vulnerability Scanning Introduction," Tenable Network Security, http://www.tenablesecurity.com/images/pdfs/passive_scanning_tenable.pdf, March 2006.