Intrusion Detection with NetScope

The office that didn't believe there were any serious problems with its network.
 
[Image: Chinese IP addresses]
SYDNEY - Aug. 13, 2015 - PRLog -- Here is a real-world example of how NetScope can be used to detect intrusions and network compromises. Turbosoft Networks was recently asked to examine traffic at a small office with NetScope. This was a branch office that hosted no services of its own, relying on the cloud for email, CRM and ERP. It had about 15 users on site, and they were experiencing delays which they wanted investigated.

NetScope was set up in monitor mode to examine traffic passing through a Cisco switch. This was the main switch of the network, so all traffic passed through it and NetScope could see every Internet-bound and Internet-originated packet.

NetScope finds some unusual data

On examination, the Internet traffic appeared largely as expected: mostly encrypted web traffic passing to and from their cloud services, with a number of recreational sites being visited, especially during lunchtime. What was peculiar was that NetScope showed traffic passing in and out of the network on SSH port 22 (Secure Shell, an encrypted protocol commonly used to log in to and administer remote computers). As mentioned above, this site hosted no services locally, and in fact did not even connect out to any SSH servers elsewhere.

An Internal IP address appears to be acting as an SSH server

All of this external traffic was passing to and from the internal IP address 192.168.15.130, a local PC running Linux. It was used by one of the office workers as his main PC; he stated he was not hosting any services on it and that this SSH traffic should not be occurring. Things got more worrying when we examined the location of the remote IP addresses.

Why is this traffic coming from China?

Here we can see two IP addresses originating in China which were streaming traffic in and out over the SSH port to the office worker's PC. This rang alarm bells, as this office hosted no services and certainly had no business in China. As it turned out, a legacy firewall rule was forwarding all inbound traffic on port 22 (SSH) to the internal IP address 192.168.15.130, so this PC's port 22 was effectively exposed to the whole Internet and may have been compromised.
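The triage NetScope performed here can be reproduced from flow records alone. The following is an added example, not NetScope's code nor the article's: it takes connection-style flow records (source, destination, ports, bytes), ignores everything the office itself initiated, and reports any internal host that external addresses are connecting to on a service port, together with the remote peers and traffic volumes. The sample records are constructed for the example; the 192.168.15.0/24 office range is taken from the article, the RFC 5737 documentation addresses stand in for the cloud provider and the remote scanners, and treating ports below 1024 as service ports is a simplifying assumption of this example.

```python
"""Flow triage for a branch office that should host no services.

Added example (not NetScope's code). It reads flow-style records,
separates outbound client traffic from inbound connections to internal
hosts, and reports any internal host that is answering on a service
port it has no business serving, with the remote peers talking to it.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.15.0/24")   # office range from the article

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, bytes).
# src is the side that opened the connection, as in NetFlow/IPFIX for TCP.
# 203.0.113.0/24 stands in for the cloud provider, 198.51.100.0/24 for the
# remote hosts hitting port 22 (RFC 5737 documentation ranges).
SAMPLE_FLOWS = [
    ("192.168.15.12", 51324, "203.0.113.10", 443, 48210),   # user -> cloud email (HTTPS)
    ("192.168.15.30", 51980, "203.0.113.10", 443, 12330),   # user -> cloud CRM (HTTPS)
    ("192.168.15.130", 40022, "203.0.113.45", 443, 9900),   # the Linux PC browsing
    ("198.51.100.77", 44120, "192.168.15.130", 22, 9012),   # remote host -> PC:22
    ("198.51.100.77", 44121, "192.168.15.130", 22, 9140),   # same host, again
    ("198.51.100.203", 50110, "192.168.15.130", 22, 8733),  # second remote host -> PC:22
    ("192.168.15.12", 51400, "192.168.15.1", 53, 120),      # internal DNS, never leaves the LAN
]


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL_NET


def inbound_service_flows(flows, allowed_ports=frozenset()):
    """Return {(internal_ip, port): {remote_ip: [connections, bytes]}} for
    connections opened by an external host to a service port on an
    internal host.

    Assumption of this example: ports >= 1024 on the internal side are
    ephemeral, i.e. replies to the office's own outbound sessions, so
    they are not counted.  Ports in allowed_ports are services the site
    knowingly exposes (none, for this office)."""
    hits = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for src, sport, dst, dport, nbytes in flows:
        if is_internal(src) or not is_internal(dst):
            continue                      # outbound, or purely internal
        if dport >= 1024 or dport in allowed_ports:
            continue                      # ephemeral reply, or expected service
        peer = hits[(dst, dport)][src]
        peer[0] += 1
        peer[1] += nbytes
    return {k: dict(v) for k, v in hits.items()}


def report(hits):
    """Human-readable summary, largest talker first per host/port."""
    lines = []
    for (host, port), peers in sorted(hits.items()):
        lines.append(f"{host} is answering on port {port} for {len(peers)} external peer(s):")
        for peer, (conns, nbytes) in sorted(peers.items(), key=lambda kv: -kv[1][1]):
            lines.append(f"  {peer}: {conns} connection(s), {nbytes} bytes")
    return "\n".join(lines) or "no inbound service traffic"


if __name__ == "__main__":
    print(report(inbound_service_flows(SAMPLE_FLOWS)))
```

On the constructed records the only finding is 192.168.15.130 on port 22 with two external peers, which is exactly the shape of the article's discovery; passing `allowed_ports={22}` would silence it, which is why the allowlist for a site that hosts nothing should stay empty.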

NetScope indicated the office needed to block all traffic trying to enter on SSH port 22

The immediate fix was to use NetScope to block all inbound traffic on SSH port 22, which halted all access to the potentially compromised PC at once; the legacy forwarding rule that caused the exposure was the underlying problem and needed to be removed as well. Luckily for this small office, and particularly for the user whose PC was exposed, these turned out to be brute-force attacks from China: automated scripts trying different username and password combinations to gain access to the exposed PC. An examination of the SSH log file on the suspect PC showed that every one of these attempts had failed (the log also confirms that an SSH service was in fact running on the PC, even though the user was not knowingly hosting one).
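Checking the SSH log is the step that separated "exposed and hammered" from "compromised". Below is an added example, not code from the article or from NetScope, that makes that check mechanical: it parses OpenSSH auth-log lines, tallies failed and accepted logins per source address, and lists any source outside the office network that actually got in. The log lines are constructed in the standard Linux auth.log format; the hostname pc130, the 198.51.100.0/24 scanner addresses and the 192.168.15.0/24 range from the article are assumptions, and a second copy of the log with one extra Accepted line shows what a real compromise would have looked like.

```python
"""Triage of an OpenSSH auth log after a host's port 22 was found exposed.

Added example (not from the article or from NetScope). It answers the
question the article closes on: were all the remote attempts failing,
or did any external source actually log in?
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.15.0/24")   # office range from the article

# OpenSSH's two decisive log lines: a rejected and an accepted authentication.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed auth.log excerpt (hostname, PIDs, addresses and fingerprint are made up).
BRUTE_FORCE_LOG = """\
Aug 12 03:14:07 pc130 sshd[2211]: Invalid user admin from 198.51.100.77 port 44120
Aug 12 03:14:07 pc130 sshd[2211]: Failed password for invalid user admin from 198.51.100.77 port 44120 ssh2
Aug 12 03:14:09 pc130 sshd[2213]: Failed password for root from 198.51.100.77 port 44121 ssh2
Aug 12 03:14:12 pc130 sshd[2215]: Failed password for invalid user oracle from 198.51.100.203 port 50110 ssh2
Aug 12 03:14:12 pc130 sshd[2215]: Connection closed by invalid user oracle 198.51.100.203 port 50110 [preauth]
Aug 12 08:02:41 pc130 sshd[2402]: Accepted publickey for alice from 192.168.15.12 port 50222 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
""".splitlines()

# The same excerpt plus the one line that would have meant a compromise.
COMPROMISE_LOG = BRUTE_FORCE_LOG + [
    "Aug 12 03:16:30 pc130 sshd[2290]: Accepted password for root from 198.51.100.77 port 44190 ssh2",
]


def summarize(lines):
    """Per source IP: failed count, accepted count, and the usernames tried."""
    per_ip = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]]["failed"] += 1
            per_ip[m["ip"]]["users"].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            per_ip[m["ip"]]["accepted"] += 1
            per_ip[m["ip"]]["users"].add(m["user"])
    return dict(per_ip)


def external_logins(summary, internal_net=INTERNAL_NET):
    """Sources outside the office that got an Accepted line.
    Empty means every external attempt failed, which is the article's finding."""
    return sorted(ip for ip, s in summary.items()
                  if s["accepted"] and ip_address(ip) not in internal_net)


def brute_force_sources(summary, internal_net=INTERNAL_NET, min_failures=1):
    """Sources outside the office with at least min_failures rejected logins."""
    return sorted(ip for ip, s in summary.items()
                  if s["failed"] >= min_failures and ip_address(ip) not in internal_net)


if __name__ == "__main__":
    for name, log in (("brute force only", BRUTE_FORCE_LOG), ("with a success", COMPROMISE_LOG)):
        s = summarize(log)
        print(f"{name}: brute force from {brute_force_sources(s)}; "
              f"external logins: {external_logins(s)}")
```

The decisive output is `external_logins`: an empty list is the "crisis averted" outcome, while a single external address in it (as in the second, constructed log) means the host must be treated as compromised regardless of how many attempts failed before it.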

Crisis averted

If you would like more information about intrusion detection with NetScope please feel free to contact us.

Or visit our YouTube channel and take a look at all the great things you can do with NetScope.

Turbosoft Networks YouTube channel

You might also want to check out a demonstration on your own network.

Come grab a demo

End
Tags: Network Monitoring, Intrusion Detection, Network Security, Hacker, Hackers, Crackers
Industry: Computers, Internet, Security, Software
Location: Sydney - New South Wales - Australia
Subject: Reports