network protocol analysis and lockdown

[hortonhearsawho]

Hi,

can you tell me what tools exists out there for analyzing which protocols are being used by what ip and locking that down? Any help is much appreciated. Thanks.

 

[vortmax]

It depends on what you really are looking for. Are you looking for something like an IPS that can look for patterns and shut down traffic automatically, or can they be separate tools?

For monitoring, there are two basic methods. The first is to install a hub inline or create a mirrored port on a managed switch and plug in a laptop or server running a sniffing package like ntop. The second would be to enable netflow on your router (if it's a cisco) or install a linux server as a bridge running a netflow probe and then use a netflow aggregator to log and analyze the traffic. Ntop does this as do a bunch of others. I've been using this one and really like it:

http://manageengine.adventnet.com/products/netflow/index.html

Once you identify who you want to cut off, then it's as simple as adding firewall rules or static routes to nonexistent gateways.

If you want to be able to do it all automatically, I recommend looking into snort-inline. Snort-inline is a statefull packet inspector that identifies patterns in traffic that you can customize and applies a rule, such as dropping, rejecting redirecting, etc. It has somewhat of a learning curve, but is a fairly powerful tool. I believe you can also configure snort to add/remove iptable rules to accomplish the same thing without running it 'inline'