Network telescopes: a vital tool in beating threats

By Ron Condon, UK bureau chief 17 Apr 2008 | SearchSecurity.co.uk

Digg This!     StumbleUpon     Del.icio.us

To have any chance of being effective in blocking these attacks, network administrators must be able to spot the danger signals early and act swiftly to minimize or prevent the damage.

One promising approach that could provide an early warning system is the network telescope, which some researchers claim, will be able to monitor and characterize malicious phenomena through specialized mathematical tools, sensors and virtual machines.

In the latest in our series of articles based on MSc theses from Royal Holloway University of London, Fotis Gagadis describes how network telescopes operate by searching the 'dark' areas of the internet where no legitimate traffic needs to go.

He explains how they work on the basis that attackers may inadvertently target non-existent areas of the Internet address range and use spoofed source addresses, which can also result in traffic being sent to non-existent addresses. Any messages reaching these unused IP addresses will by definition be illegitimate and therefore point to dangerous activity.

Gagadis, who did his BSc in Greece, says that from an early stage he began to see the business environment in military terms, where assets need to be secured and protected. Tutors and lecturers explained security at a high level, but he wanted to get down to more detail. After completing his Greek army service, he joined Lannet Communications in Greece and began to address security challenges at first hand. "My supervisor was a CCSP and CCNP and we spent a lot of time discussing the importance of security in a network and more generally in a business environment," he says.

This led him to look for a suitable MSc course, and he says he was delighted to be received on the RHUL course, despite knowing that having majored in business administration in his first degree, he was going to have to work hard on his computer science and mathematics.

So why choose network telescopes as a thesis subject? "The subject was very interesting and also very new. The concept only arose in the research community in recent years, and I found it more challenging than other subjects that I discussed with my supervisor Dr Wolthusen.

"It is important as a concept, in my point of view, because it can help system/network administrators or researchers working on security to learn more about the behaviour of DoS, DDoS and worm attacks in a network, and how a network and the systems might behave in such incidents."

He adds that network telescopes can give security admins and researchers a better view of their network. They can make better decisions based on statistical data, and if an incident occurs in their network, they are better able to decide the best course of action. For example, disable connections, use control mechanisms to minimize exposure, patch the systems, or disable any systems that might have been exposed.

Network telescopes can also complement IDS/IPS systems, he says. "In the case of CodeRed after the initial outbreak many admins or researchers knew the propagation mechanism and behaviour of this worm since the CAIDA organisation had already analyzed it with a network telescope. Therefore, admins knew that they had to patch their systems in order to protect any assets against future outbreaks of the worm if it reactivated.

Having completed his MSc last year, Gagadis now works as a system engineer at Cerner in the UK. To see his article, click HERE . This will also provide a link through to the full thesis.

Tags: Threat and Vulnerability Management,  Virtual Private Network Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Threat and Vulnerability Management Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection Microsoft's Charney details new botnet protection, IdM technology at RSA Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7 What to do with network penetration test results Network Security Management How to keep tabs on BitTorrent Covert channels could be funneling data out of your company Royal Holloway University of London MSc thesis Series NAC market failures spark some aggressive marketing Can CCTV camera security systems stop employee theft? Network access control will save public money in Nottingham Tor network 'bridges' help evade blockers Healthcare org eases compliance with network monitoring Arbor-Ellacoya deal melds security with broadband Virtual Private Network Security Expert calls SSL protocol vulnerability a non issue DNSSEC deployment challenges can be overcome How to integrate the security of both physical and virtual machines Companies tackle iPhone security with remote access features Q&A: Paul Dorey on DLP, deperimeterisation How to patch Kaminsky's DNS vulnerability Covert channels could be funneling data out of your company Network access control will save public money in Nottingham Jericho Forum discusses deperimeterisation, COA guidelines Reading FC keeps email under control

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary