6.2.2 Network Monitoring
Network Monitoring Overview
Definition and Purpose of Network Monitoring
Goal: Keep track of network conditions, identify potential problems, pinpoint sources of issues, and locate areas for upgrades or modifications.
Importance: Recognizing top talkers (computers sending the most data) and top listeners (hosts receiving the most data) is critical for threat detection, like unauthorized data transfers signaling potential data breaches.
Role in Endpoint Hardening:
Monitoring is essential to enforce and maintain security measures established during the hardening process.
Continuous monitoring helps detect changes that can weaken configurations, like:
A previously disabled port becoming active.
A disabled service being enabled.
Alerts analysts to these changes, which may indicate security breaches.
Network Monitoring Tools
Basic Tools and their Functions
Ping Command:
A foundational command-line tool that tests connectivity between two network devices.
Works by sending ICMP (Internet Control Message Protocol) packets to specified devices and awaiting responses.
Syntax:
ping <target IP address or hostname>
Key switches:
-t: Continues sending ICMP packets until manually stopped.
-a: Resolves addresses to hostnames.
-n <count>: Specifies the number of packets to send (default is 4).
-l <size>: Specifies packet size in bytes (default is 32 bytes).
Tracert/Traceroute:
Tracert is specific to Windows and uses ICMP packets.
Traceroute is used in Linux and traditionally uses UDP packets.
Displays the path packets take to their destination, showing each hop (device the packet passes through).
Useful for identifying downed network devices or latency issues.
Pathping:
Windows command that combines the functions of both tracert and ping.
Helps locate network devices that are either down or contributing to latency issues.
Netstat:
A command that displays various network statistics in Windows and Linux.
Information includes:
Connections for different protocols
Open ports
Running programs
Common switches:
-a: Displays all connections and listening ports.
-b: Shows the executable involved in each connection.
-f: Displays the fully qualified domain name (FQDN) for foreign addresses, if possible.
-r: Displays the routing table.
-p <protocol>: Shows connections for a specified protocol (e.g., TCP, UDP).
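The endpoint-hardening use of monitoring described earlier (catching a previously disabled port that becomes active) can be automated by comparing netstat output against a baseline taken right after hardening. The following is an added example, not part of the course material; the netstat text is constructed in the Windows `netstat -an` layout and the function names are the author's own.

```python
import re
from typing import List, Set

# Constructed sample output in Windows `netstat -an` layout (not captured from a real host).
BASELINE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     52.96.128.12:443       ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Same host later: TCP 3389 and UDP 69 have appeared, which a hardened baseline did not allow.
CURRENT_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49701     52.96.128.12:443       ESTABLISHED
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:69             *:*
"""

# Proto, local address:port, foreign address, optional state (UDP lines have no state column).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listening_sockets(netstat_output: str) -> Set[str]:
    """Return 'PROTO/port' for every socket accepting traffic.

    TCP counts only in LISTENING state; every bound UDP socket counts.
    """
    sockets = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a layout this parser does not handle
        proto, _local_ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        sockets.add(f"{proto}/{port}")
    return sockets

def newly_opened_ports(baseline: str, current: str) -> List[str]:
    """Ports listening now that were not listening when the hardening baseline was taken."""
    return sorted(listening_sockets(current) - listening_sockets(baseline))

if __name__ == "__main__":
    for entry in newly_opened_ports(BASELINE_NETSTAT, CURRENT_NETSTAT):
        print(f"ALERT: {entry} is listening but was not in the hardening baseline")
```

In practice the baseline is stored once after hardening and the comparison is scheduled, with each new entry raised to an analyst as a possible configuration change or breach.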
Route Command:
Used to view and modify the routing table.
Applicable in both Windows and Linux platforms.
ARP (Address Resolution Protocol):
Command used to match IP addresses to MAC addresses on a local network.
Displays, adds, or removes ARP information.
Common switches:
-a: Displays current ARP entries.
-d <inet_addr>: Deletes the specified host.
Nslookup/Dig:
Tools for viewing and modifying DNS settings.
Nslookup is utilized in Windows while Dig is primarily for Linux.
IP Configuration Tools:
The ipconfig and ifconfig commands are used in Windows and Linux respectively.
Display the local computer's IP configuration, showing:
Adapter name
Adapter MAC address
DHCP status
IPv4 and IPv6 addresses
Subnet mask
Default gateway
DHCP server
DNS server.
Hping:
A security tool that checks connectivity and analyzes targets, capable of sending ICMP, TCP, and UDP packets.
Primarily designed for Linux but can also be installed on Windows.
Netcat:
A versatile security tool that reads and writes data across TCP and UDP network connections.
Capable of opening TCP connections, sending packets, scanning for open ports, and listening on specific ports.
Can be downloaded from the internet.
Nmap:
A complex network security scanner used to scan entire networks or specific IP addresses.
Gathers information such as open ports, running services, and operating systems.
Offers several protocols and options depending on the context of the network or device scanned.
A command line tool with an optional GUI version called Zenmap.