
network protocol analysis and lockdown

Sep 29, 2008
Hi,

can you tell me what tools exists out there for analyzing which protocols are being used by what ip and locking that down? Any help is much appreciated. Thanks.
 
It depends on what you really are looking for. Are you looking for something like an IPS that can look for patterns and shut down traffic automatically, or can they be separate tools?

For monitoring, there are two basic methods. The first is to install a hub inline or create a mirrored port on a managed switch and plug in a laptop or server running a sniffing package like ntop. The second would be to enable NetFlow on your router (if it's a Cisco) or install a Linux server as a bridge running a NetFlow probe and then use a NetFlow aggregator to log and analyze the traffic. Ntop does this, as do a bunch of others. I've been using this one and really like it:

Once you identify who you want to cut off, then it's as simple as adding firewall rules or static routes to nonexistent gateways.

If you want to be able to do it all automatically, I recommend looking into snort-inline. Snort-inline is a stateful packet inspector that identifies patterns in traffic that you can customize and applies a rule, such as dropping, rejecting, redirecting, etc. It has somewhat of a learning curve, but is a fairly powerful tool. I believe you can also configure Snort to add/remove iptables rules to accomplish the same thing without running it 'inline'.
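The manual workflow described in the reply above (collect flows, see which protocols and ports each host uses, then cut off the offenders with firewall rules), as an added illustration that is not code from the thread or from ntop. The flow records, the disallowed-port list and the `FORWARD`-chain rule layout are constructed assumptions; a real run would feed records exported by a NetFlow collector or a sniffer instead.

```python
"""Per-host protocol summary from flow records, plus lockdown rules.

Constructed sample data (not from the thread); a real run would feed
records from a NetFlow collector or a sniffer export instead.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", "tcp", 80, 4200),
    ("10.0.0.5", "10.0.0.1", "tcp", 443, 9800),
    ("10.0.0.7", "10.0.0.1", "udp", 53, 300),
    ("10.0.0.7", "192.0.2.10", "tcp", 6881, 250000),
    ("10.0.0.7", "192.0.2.11", "tcp", 6881, 180000),
    ("10.0.0.9", "10.0.0.1", "tcp", 22, 1200),
]

# Ports the administrator has decided workstations may not use (assumption)
DISALLOWED_PORTS = {6881}


def summarize(flows):
    """Return {src_ip: {(proto, dst_port): total_bytes}} aggregated over flows."""
    summary = defaultdict(lambda: defaultdict(int))
    for src, _dst, proto, port, nbytes in flows:
        summary[src][(proto, port)] += nbytes
    return {ip: dict(usage) for ip, usage in summary.items()}


def offenders(summary, disallowed=DISALLOWED_PORTS):
    """Hosts that used any disallowed destination port, sorted by address."""
    return sorted(ip for ip, usage in summary.items()
                  if any(port in disallowed for _proto, port in usage))


def iptables_rules(summary, disallowed=DISALLOWED_PORTS):
    """Emit one FORWARD-chain DROP rule per offending host/protocol/port."""
    rules = []
    for ip in offenders(summary, disallowed):
        for proto, port in sorted(summary[ip]):
            if port in disallowed:
                rules.append(
                    f"iptables -A FORWARD -s {ip} -p {proto} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS)
    for ip, usage in sorted(s.items()):
        print(ip, usage)          # what each host talked, and how much
    print("\n".join(iptables_rules(s)))
```

Review the printed summary before applying the rules; the script only proposes them, it does not run iptables.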
 