
Wireless Networks for Dummies, Part 8


DOCUMENT INFORMATION

Pages: 41
Size: 1.6 MB

Content

Part IV: Keeping Your Network on the Air — Administration & Troubleshooting
Chapter 15: Dealing with Network Throughput Issues

Estimating network performance

A lot of things can negatively impact network performance, from poor device drivers to competing traffic to inconsiderate users downloading gigabytes’ worth of MP3s on your network. All this makes for poor relations between the users and your technical staff. You need a method of determining that traffic and balancing sufficient load with your business needs.

To estimate the performance of your network, you need to understand the traffic that it will sustain. Are your users able to connect to the Internet and download MP3- or AVI-type files? Are network people using the wireless spectrum to download large patches and configuration files? How many users are on the network at a given time and what are their main job functions?

The performance of your wireless network depends on factors such as distance to an access point, structural interference of buildings and walls, and placement and orientation of devices, especially antennae. You really need expert advice to do this well. Sites such as www.csm.ornl.gov/~dunigan/netperf/netlinks.html can provide you with tons of detailed information on performance issues and calculations. Another interesting site is the Cooperative Association for Internet Data Analysis (www.caida.org), which offers specialized advice on Internet network traffic analysis. You might use this to determine the speed of your Internet connections.

You can use a rough formula, though, to calculate an estimate of traffic load on your network. Appendix C contains a table that provides frequencies and their data rates. Using 802.11b as an example, you see that data transfer can occur at up to 11 Mbps. Of course, the likelihood of you achieving anywhere near that speed is remote, so taking a conservative estimate of 5 Mbps, you can begin to calculate traffic load. Next, you need to know what you might be using over the network, such as e-mail or file transfer.

If you are transferring a 1MB file, then divide that by 5 Mbps to get a transfer time of about 200 milliseconds (ms), assuming nothing else is going on. E-mail or other traffic may only consume perhaps 100 Kb, or roughly 10 e-mails for each megabyte. So, all things being equal, you can do a very rough estimate by deciding how many e-mails and file transfers will occur on the wireless network and then adding the number of users who might be connected to determine a threshold. You can use similar numbers for your 802.11g or 802.11a networks. But this is so elementary that it might not give you any real basis for determining overall performance.

To really get anywhere using real statistics, you need some form of toolkit. You can purchase network simulation tools for this task, such as OPNET Modeler (www.opnet.com/products/modeler/home.html) or their ServiceProvider Guru. If these are too pricey, perhaps Dummynet (http://info.iet.unipi.it/~luigi/ip_dummynet), a free BSD-based product, might be useful. A good thing about this software is that you don’t need to install BSD to run it; it comes on a bootable floppy disk. Plug it in and begin testing your bandwidth. Okay, it isn’t quite that simple — you may need to add your wireless network adapters.

Other tools include the AirMagnet Handheld by Airmagnet, Inc. (www.airmagnet.com), which runs on Pocket PC devices. This tool can detect and send out alerts for over 80 wireless security and performance conditions. It also offers built-in tools for site surveying, connection troubleshooting, and coverage mapping. All that and you can wander around with it in your back pocket. Naturally, they also offer a version that runs on a laptop, for those of you with other needs or without Pocket PCs.

Another tool, Fluke Network’s OptiView Series II Network Analyzer (www.flukenetworks.com/us/LAN/Handheld+Testers/OptiView/Overview.htm) not only analyzes the traffic, but also offers traffic generation capabilities, so you can flood the network and see how it responds.

If these do not appeal to you, try Airopeek (www.wildpackets.com/products/airopeek), which does a similar level of performance analysis as the others, analyzing signal strength and channel and data rates. You see in Chapter 16 how to use Airopeek to discover rogue APs.

Windows NT Magazine (www.winnetmag.com/Files/25953/25953.pdf) offers a long list of such analyzers along with some general information about them. They include more of the high-end versions than we do in this book; so if you are flush with cash and think you need something stronger and more powerful, check it out.

With these tools, you want to find out how busy your network is at any given point. You do this by checking the traffic throughout a given time period and determining whether it meets your expectations. What expectations, you say? Well, that depends on you and what the wireless network is used for in your business. Is it a mission-critical application network? Is it merely offering a few Tablet PC users access during boardroom meetings? Do customers rely on it? All these need consideration to determine whether you care if the network gets busy and bogs down. Hopefully, you answered these questions when you developed your plan. You did develop a plan, didn’t you? (If not, hurry to Chapter 2.)

To determine whether your network is operating at sufficient capacity, you can use CommView for WiFi from Tamosoft (www.tamos.com/products/commwifi), which is a wireless network packet analyzer. This tool is specific to wireless networks and offers many capabilities besides packet sniffing. One of its features is statistical analysis, which you can use to determine how busy your network is at any given time. Running this over several different time periods in a week can provide you with valuable information. You must know where you are in order to know where you are going.

When CommView for WiFi is running on your machine, it places the adapter in a passive mode. This means it cannot connect to the wireless network as a functioning client, so you cannot perform your regular business while also running the program. This is unfortunate, but setting up a machine specifically for monitoring is not necessarily a bad thing.

The installation is fairly straightforward, like most Windows software these days. Once installed, it offers a number of options, as you can see in Figure 15-1. We discuss many of the settings later on in this chapter. For now, if you select View➪Statistics, you see a page like that shown in Figure 15-2. This is where you can determine how well your network is running. It offers a number of options.

As you see, the Statistics menu offers Packets per Second analysis as well as Bytes per Second. The Bytes per Second can be changed to show Bits per Second. For each of these fields, the program shows the current average. Using this, you quickly see the overall impact your users are having on the network and can determine whether that impact is high or reasonable.

Within the Statistics page, there are seven tabs to select from, starting with the General tab that appears when you first open the statistics page. This tab offers the overall statistics, as mentioned previously. The next six tabs are shown in Table 15-1.

Figure 15-1: Viewing the CommView for WiFi main menu.

Table 15-1: Options Available in the Statistics View

Tab                 Description
IP Prot.            This tab shows you the IP protocols.
IP Sub-prot.        In this tab, you see the other protocols, such as FTP and HTTP.
Sizes               Here you can easily see the packet sizes in use across the network.
LAN Hosts (MAC)     This shows the hosts on your system using their MAC addresses.
LAN Hosts (IP)      This shows the hosts on your system using their IP addresses.
Report              On this tab, you can set the parameters for your reports.

All these can be used to provide a fairly detailed view of your network, showing you trouble spots and overall utilization.

You cannot obtain data if the system is using WEP or WPA unless you add the proper keys because all packets are being encrypted. You add the keys to CommView for WiFi by selecting Settings➪WEP/WPA Keys and entering the keys in the space provided.

Figure 15-2: Viewing the CommView for WiFi Statistics menu.

To start using all these tabs, you need to begin capturing packets so you can obtain some actual data. After you identify and input the proper keys, you need to start the capture process. Simply follow these steps:

1. Open the CommView program if it is not already open.

2. Click the Start icon, or select File➪Start.

   A new screen called Scanner appears. This screen locates the wireless networks in the vicinity. In the Scanner section, click Start Scanning.

3. The program will scan all channels for wireless signals and show them to you under the Access Points and Hosts section.

   Selecting one of the networks shown produces details about that network under Details. You see this in Figure 15-3.

   Figure 15-3: Viewing the CommView for WiFi Scanner page.

4. Choose one of the networks and click Capture.

   CommView begins to capture packets.

5. Select View➪Statistics to see how your network is handling the bandwidth load.

   Another window shows the current data from the network you chose in Step 4. We chose a very large download from Microsoft, and in this example, we are using only one machine on the wireless network. You can see from Figure 15-4 that this creates a bandwidth load of about 4 or 5 percent (the figure is showing 4.6 percent). With a few more users on the network, each downloading files or sending e-mails, this small network will quickly be overloaded.

   As you can see, the tool allows for some useful data collection. In the other tabs, you can parse this data in a number of ways. In the IP Prot. tab, you see the number and type of packets (TCP, UDP, etc). In the IP Sub-prot. tab, the data is divided by the lower or sub protocols in use, such as HTTP, FTP, or POP. This can be especially useful to help you determine what your users are doing with the bandwidth. You can review the use of the other settings using Table 15-1.

6. You can run a report using the Report tab and provide details in either HTML format or comma-delimited format depending on your needs.

   This enables you to produce an informative report for your management on overall performance of the network. Stop the program at any time by selecting File➪Stop Capture.

The program offers a solid method for determining overall network performance at any given time. Running it at different times of the day and different days of the week and capturing the results in logs enables you to compare the data over time periods that you might feel are busy or indicative of the overall state of your network. Now you can determine whether one particular user is abusing the bandwidth, or whether a particular protocol is being heavily used, and take appropriate action.

Figure 15-4: CommView Statistics page showing utilization figures.

You might also use the data gathered in this program to ensure that staff are abiding by any policies and standards you might be enforcing across your network. Chapter 10 discusses the types of standards you may want to use.

Sniffing your traffic

It’s not polite to sniff in public, is it? It may not be polite to sniff your network traffic, either, but there are sometimes good reasons for doing that. You can look into packets and see what is happening. You can check for cleartext passwords and use that information to press for changes to systems still using such weak authentication. Other reasons include checking for wrong syntax of http requests or POP3 and ftp commands, or seeing what ports an application is using.

We use packet sniffers with clients on a regular basis when they need to allow an application to pass through a firewall but don’t know which ports are needed. Sniffing the packets while the application runs is a simple way to determine that. We can recall one instance in which a service provider was confident that a particular application only needed one specific port to be open on the firewall, and was therefore not at risk. Using a packet sniffer, we discovered that the application actually opened different ports each time it ran, meaning we would have to open the entire range between our client and the other organization. This was just not acceptable, and we proved it with the sniffer. A newer version that acted properly eventually resolved the issue, allowing us to permit one open port and no more.

There are other reasons for using such applications. We discuss a few of them in previous chapters in discussions about hacking. We also provide you with a number of such tools in Chapter 17. So how do you use a network sniffer?
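The check for cleartext passwords described in this section can be scripted against reconstructed session text so the report names the services that need fixing. This is an added example, not code from the book or from CommView; the session tuples are constructed sample data, and the function names and the port-to-name table are chosen for this illustration.

```python
import base64
import re

# Constructed sample, not real traffic: (client, server, server port,
# client-to-server text) as a sniffer's session reconstruction would show it.
SESSIONS = [
    ("10.0.0.21", "10.0.0.5", 21, "USER jsmith\r\nPASS Winter2004\r\nLIST\r\n"),
    ("10.0.0.22", "10.0.0.5", 21, "USER anonymous\r\nPASS guest@example.com\r\n"),
    ("10.0.0.23", "10.0.0.6", 110, "USER mary\r\nPASS s3cret\r\nSTAT\r\n"),
    ("10.0.0.24", "10.0.0.7", 80, "GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     "Authorization: Basic " + base64.b64encode(b"ops:hunter2").decode() + "\r\n\r\n"),
    ("10.0.0.25", "10.0.0.7", 80, "GET / HTTP/1.1\r\nAuthorization: Basic !!!\r\n\r\n"),
    ("10.0.0.26", "10.0.0.8", 443, "\x16\x03\x01 encrypted bytes, nothing readable"),
]
WELL_KNOWN = {21: "FTP", 80: "HTTP", 110: "POP3"}  # labels for the report only
BASIC = re.compile(r"^Authorization:[ \t]*Basic[ \t]+(\S+)", re.I | re.M)


def user_pass_pairs(text):
    """Yield (user, password) from USER/PASS command lines (FTP and POP3 style)."""
    user = None
    for line in text.splitlines():
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "USER":
            user = arg.strip()
        elif verb.upper() == "PASS" and user is not None:
            yield user, arg.strip()
            user = None


def basic_auth_pairs(text):
    """Yield (user, password) from HTTP Basic headers; skip malformed tokens."""
    for token in BASIC.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        user, sep, password = decoded.partition(":")
        if sep:
            yield user, password


def audit(sessions):
    """Return one finding per exposed login; the password itself is never kept."""
    findings = []
    for client, server, port, text in sessions:
        # Match on content, not port: applications do not always use the expected port.
        hits = [("USER/PASS", u, p) for u, p in user_pass_pairs(text)]
        hits += [("Basic auth", u, p) for u, p in basic_auth_pairs(text)]
        for kind, user, password in hits:
            if port == 21 and user.lower() in ("anonymous", "ftp"):
                continue  # anonymous FTP: the "password" is not a secret
            findings.append({"service": WELL_KNOWN.get(port, "port %d" % port),
                             "kind": kind, "client": client, "server": server,
                             "port": port, "user": user,
                             "password": "*" * len(password)})
    return findings


def servers_to_fix(findings):
    """Group by service so the report names systems: (server, port, name) -> users seen."""
    services = {}
    for f in findings:
        services.setdefault((f["server"], f["port"], f["service"]), set()).add(f["user"])
    return {svc: len(users) for svc, users in sorted(services.items())}


if __name__ == "__main__":
    for service, users in servers_to_fix(audit(SESSIONS)).items():
        print(service, "cleartext logins from", users, "account(s)")
```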

Continuing on with our example of CommView for WiFi, you select some of the other tabs shown on the main page. The following steps show you how to view data and other information found in a network packet.

1. Click the Start icon or select File➪Start.

   A Scanner screen appears. This screen locates the wireless networks in the vicinity. Under the Scanner section, click Start Scanning.

   The program scans all channels for wireless signals and shows them to you under the Access Points and Hosts section. Selecting one of the networks shown produces details about that network under Details. (Refer to Figure 15-3.)

2. Choose the network you wish to view, if more than one choice is available, and select Capture.

   The program starts capturing packets.

3. Click the Packets tab.

   A screen will appear looking something like the one in Figure 15-5. Note that by dragging the mouse over the lines separating each section of the page, you can resize each section. Three sections are shown:

   • In the first section, you see each packet on one line with high-level information about it, such as the protocol, MAC address, IP address, the ports in use, and other fields. This alone provides enough information for tracking rogue applications to determine what source and destination ports they require.

   • The second section shows the actual data within the packet. It is here you will see cleartext passwords when any are passing across the network, as well as any other information, such as Web sites being visited or file transfers.

   • The third section provides detailed information on the actual packet, delving deeply into each one to show the SSID, WEP parameters, the band (a, b, or g), the channel, and a whole pile of other information. This section is only for network administrators who truly understand how TCP/IP works and can make sense of things like the ACK and SYN and ARP response. If you dig around, you’ll find the BSSID and other useful data you should recognize from the various chapters in this book.

   Figure 15-5: CommView showing packet details.

4. When you have collected a reasonable amount of information, stop the collection by selecting File➪Stop Capture.

   You can then save this data to a file for later viewing and analysis using the options found under the File menu.

Don’t let your network packet capture run for hours on a large network without checking to see whether you need that amount of information and ensuring you have enough hard drive space to hold it. It will quickly amount to tens of megabytes. It may also considerably increase your CPU usage and make the application less responsive. Consider filtering out packets you don’t need for your analysis.

You see from these steps that the amount of data collected and the detail you can get from each packet is prodigious. You may want to read the book, TCP/IP For Dummies, 5th Edition, by Candace Leiden and Marshall Wilensky (Wiley), to find out more about this protocol.

We warned you that the amount of data you can collect can be huge. You may want to filter out those packets that aren’t useful to the purpose of your collection. If all you want is statistical information, the green histograms, pie charts, and hosts tables, then use the Suspend Packet Output menu command, which allows you to collect statistical data without real-time packet display. You do this by selecting File➪Suspend Packet Output after selecting the Start Capture option. This stops showing the packets, but keeps the statistical information for your charts.

You may want to select the Rules tab and then select options that will limit what is collected. The options on the left side allow you to select an impressive level of detail. You can see from Figure 15-7 that you can select traffic going to or coming from only certain MAC or IP addresses. You can specify specific ports to collect only certain application data, like FTP (23) or HTTP (80). You could also capture packets containing certain text information. This could be very useful in an investigation following up complaints of sexual harassment or other inappropriate use of your e-mail system. Naturally, you need to be sure that you follow any laws governing such access, and that you do not cross any privacy boundaries.

In Figure 15-6, you see that we have selected only ports 21 and 23 because we want to know what Telnet and FTP sessions are crossing the network.

This merely touches on the use of this powerful tool, and we recommend that you study the documentation intensely to discover its full potential. Whether you use CommView or any of the other fine tools available, learning the details will allow you to respond quickly and effectively to any need you may have in your business.

One of the useful items that we will mention is the ability to reconstruct a session. This is useful because you certainly won’t want to wade through every packet one by one, trying to see specific Web site or FTP session details. By right-clicking on the initial packet, you can select the Reconstruct This TCP Session option. You see this option in Figure 15-7. If you select that option, the program reads all the packets pertaining to that session and provides you with a clearer look. You see the results in Figure 15-8.
Note that you can modify the results to appear in ASCII (shown), HTML, or other display types depending upon your need. When you view FTP, Telnet, or Web site logins, or even that rogue application, this brings it all to bear and allows you to see the big picture.

Figure 15-6: Setting CommView to collect specific packet information.

[...]

... your 802.11 and 802.15 gear will help you understand the magnitude of your problem. Many companies have emphatically stated that they had no wireless networks, only to find out they did. This chapter is for those who acknowledge that they have wireless networks installed (and for those who don’t).

Discovering the Extent of Your Wireless Network

You have many ways to discover that you have wireless networks...

... systems (host- or target-based IDS) and networks (network-based IDS). More recently, vendors have developed a wireless intrusion detection system (WIDS) for wireless networks. A WIDS can monitor and analyze user and system activities, recognize patterns of known attacks, identify abnormal network activity, and detect policy violations for WLANs. Wireless IDS gather all local wireless transmissions and generate...

...
• Network Associates Sniffer Wireless: www.sniffer.com
• Network Instruments Network Observer: www.networkinstruments.com
• Tamosoft CommView: www.tamos.com/products/commview
• WildPackets AiroPeek NX: www.wildpackets.com

You can find more information about wireless sniffers at www.personaltelco.net/index.cgi/WirelessSniffers and www.blacksheepnetworks.com/security/resources/wireless-sniffers.html. If...

... www.airtouchnetworks.com
• dstumbler: www.dachb0den.com/projects/dstumbler.html
• kisMac: www.binaervarianz.de/projekte/programmieren/kismac
• kismet: www.kismetwireless.net
• MacStumbler: www.macstumbler.com
• MiniStumbler: www.netstumbler.com
• NetStumbler: www.netstumbler.com
• WaveStumbler: www.cqure.net/tools.jsp?id=08

As...

...
• Unsupported protocols
• Unauthorized vendor hardware

Wireless intrusion detection systems work by continuously scanning an organization’s airspace for evidence of an attack underway against the network. Your IDS strategy should have two components: You should look for wireless-based attacks, and you should look for IP-based attacks. The wireless IDS should focus primarily on wireless attacks and not perform...

... you simply put a NIDS at the wireless AP choke point. Figure 16-5 shows how a WIDS and NIDS can work together.

Figure 16-5: A WIDS and NIDS working together.

A wireless network requires both IDS technologies to provide proper visibility and coverage. The wired NIDS cannot detect any wireless-based attacks or wireless threats. Basically,...

... www.3com.com
• AdRem Software NetCrunch: www.adremsoft.com
• Castle Rock Computing SNMPc: www.castlerock.com
• Cisco CiscoWorks: www.cisco.com
• Computer Associates UniCenter Application Performance Monitor: www.ca.com
• Enterasys Networks NetSight Atlas: www.enterasys.com
• HP OpenView: www.hp.com
• IBM Tivoli: www.ibm.com
• Ipswitch...

... and application scanners, and now wireless scanners. Vulnerability scanners work by doing a point-in-time review, looking for known problems and reporting them to you. Among the wireless vulnerability scanners are

• AirMagnet: www.airmagnet.com
• ISS Wireless Scanner: www.iss.net
• WaveSecurity Wavescanner: www.wavesecurity.com

Figure 16-2 shows you access points that Wireless Scanner found. Click the...

... Commview detecting a rogue access point

Chapter 16
It’s Ten O’Clock: Do You Know Where Your Access Points Are?

In This Chapter
▶ Discovering the extent of your network
▶ Using tools for discovery
▶ Detecting wireless intrusions
▶ Building an incident handling program
▶ Auditing your wireless network

A big part of managing...

... improve awareness of the threats to the WLAN. As well, a wireless IDS can detect some denial of service attacks, such as flooding authentication requests or disassociation/de-authentication request frames. A wireless IDS attacks another problem head-on by detecting the presence of MAC address spoofing. A wireless IDS also has the ability to recognize ad hoc networks. Finally, you can baseline traffic to identify...
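The excerpt above says a wireless IDS can detect floods of authentication requests or disassociation/de-authentication frames. A sliding-window version of that detection logic, added here as an example (not from the book or from any WIDS product): the frame tuples are constructed sample data, and the 5-second window and 20-frame threshold are assumed values to be tuned against your own baseline.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes the detector watches.
SUBTYPES = {0x0A: "disassociation", 0x0B: "authentication", 0x0C: "deauthentication"}
WINDOW_S = 5.0   # assumed sliding window, in seconds
THRESHOLD = 20   # assumed frames per window per (BSSID, subtype)

AP_A, AP_B = "00:11:22:33:44:0a", "00:11:22:33:44:0b"  # constructed BSSIDs


def sample_frames():
    """Constructed capture: (timestamp, subtype, source MAC, BSSID), sorted by time."""
    # Normal background: three clients leaving the network a minute apart.
    frames = [(t, 0x0C, "00:aa:bb:cc:dd:01", AP_A) for t in (0.0, 30.0, 60.0)]
    # Burst 1: 40 deauthentication frames in 2 s, all naming the AP as source.
    frames += [(100.0 + i * 0.05, 0x0C, AP_A, AP_A) for i in range(40)]
    # Burst 2: 30 authentication requests in 3 s, each from a different source MAC.
    frames += [(200.0 + i * 0.1, 0x0B, "02:00:00:00:00:%02x" % i, AP_B) for i in range(30)]
    # Busy but below threshold: 10 disassociations in 1 s.
    frames += [(300.0 + i * 0.1, 0x0A, "00:aa:bb:cc:dd:%02x" % i, AP_B) for i in range(10)]
    return sorted(frames)


def detect_floods(frames, window=WINDOW_S, threshold=THRESHOLD):
    """Return one alert per burst (not one per frame) for time-ordered frames."""
    recent = defaultdict(deque)  # (bssid, subtype) -> (timestamp, source) in window
    active = {}                  # (bssid, subtype) -> alert still being extended
    alerts = []
    for ts, subtype, src, bssid in frames:
        if subtype not in SUBTYPES:
            continue
        key = (bssid, subtype)
        q = recent[key]
        q.append((ts, src))
        while ts - q[0][0] > window:      # drop frames that fell out of the window
            q.popleft()
        if len(q) < threshold:
            active.pop(key, None)         # rate is back to normal: burst is over
            continue
        alert = active.get(key)
        if alert is None:                 # first frame to cross the threshold
            alert = {"bssid": bssid, "type": SUBTYPES[subtype], "start": q[0][0],
                     "end": ts, "frames": len(q), "sources": {s for _, s in q}}
            active[key] = alert
            alerts.append(alert)
        else:                             # same burst continues
            alert["end"] = ts
            alert["frames"] += 1
            alert["sources"].add(src)
    return alerts


if __name__ == "__main__":
    for a in detect_floods(sample_frames()):
        # One source suggests a single transmitter; many sources suggest
        # randomized or forged addresses. Either way, investigate the BSSID.
        print("%s flood on %s: %d frames, %d source(s), %.2fs-%.2fs" % (
            a["type"], a["bssid"], a["frames"], len(a["sources"]), a["start"], a["end"]))
```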

Date posted: 14/08/2014, 14:20
