Focus on – Viruses behind the firewalls and on your networks.
What happens when a virus does get through your firewall? How are you going to track it down and how are you going to stop it?
Most modern networks are reasonably well protected by firewalls, yet viruses still manage to get through. There are a number of ways they still get in, but the issue we are focusing on here is what to do when you suspect that viruses are on your network.
The first issue is to measure the problem.
Most viruses learn their way around the network by using the IP subnet range of the infected machine to try to connect to other devices. This shows up as a high level of broadcast traffic, typically ARP, which can reach several hundred packets per second.
This level of traffic alone will cause the network to run slowly: because broadcast traffic takes priority on the PC NICs, every PC on the segment ends up doing nothing but processing these frames.
Solution
At this level you need some sort of network management tool that can answer two questions: how much traffic is there, and where is it coming from?
A simple handheld tool (Fluke Handheld range) will give you an indication of the level of broadcasting, but you might need some of the more extensive tools (Observer, Fluke Etherscope and above) to find the source of these frames.
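As an added illustration (not code from the original article or from any Fluke or Network Instruments product), the script below does the two measurements just described in software: it rates broadcast frames per source MAC over a one-line-per-frame capture summary and flags the sources whose peak rate exceeds a broadcasts-per-second threshold. The line format, the 200 pps threshold and the sample capture are constructed assumptions for this example.

```python
from collections import defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# Several hundred broadcasts per second is the level the article describes;
# 200 pps is an assumed threshold, tune it to the quiet baseline of your segment.
THRESHOLD_PPS = 200


def parse_frame(line):
    """Parse one assumed summary line: '<seconds> <src_mac> <dst_mac> <proto>'."""
    ts, src, dst, proto = line.split()
    return float(ts), src.lower(), dst.lower(), proto.upper()


def broadcast_rates(lines):
    """Return {src_mac: peak broadcast frames per second} using whole-second buckets."""
    per_sec = defaultdict(lambda: defaultdict(int))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, _proto = parse_frame(line)
        if dst == BROADCAST_MAC:  # only count frames every NIC must process
            per_sec[src][int(ts)] += 1
    return {src: max(buckets.values()) for src, buckets in per_sec.items()}


def suspect_sources(lines, threshold=THRESHOLD_PPS):
    """Sources whose peak broadcast rate exceeds the threshold, worst first."""
    rates = broadcast_rates(lines)
    flagged = [(src, pps) for src, pps in rates.items() if pps > threshold]
    return sorted(flagged, key=lambda item: -item[1])


def constructed_capture():
    """Constructed sample: one host ARP-sweeping at 400 pps for 2 s, two quiet hosts."""
    frames = []
    scanner = "00:11:22:33:44:aa"
    for i in range(800):  # 800 ARP broadcasts spread evenly over 2 seconds
        frames.append(f"{i / 400:.4f} {scanner} {BROADCAST_MAC} ARP")
    for i in range(6):  # a normal host: an ARP request every 0.3 s
        frames.append(f"{i * 0.3:.4f} 00:11:22:33:44:bb {BROADCAST_MAC} ARP")
    frames.append("0.5000 00:11:22:33:44:cc 00:11:22:33:44:aa IP")  # unicast, ignored
    return frames


if __name__ == "__main__":
    for mac, pps in suspect_sources(constructed_capture()):
        print(f"{mac}: peak {pps} broadcast frames/s")
```

A real summary can be produced by any capture tool that prints one frame per line; only the parser needs adjusting to its field order.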
Not all viruses are this obvious. Some take more time working their way around the network and so are much harder to spot.
In these situations you need something that is capable of looking for virus signatures. These devices need to look inside the packets, examine the content and compare it against the known byte patterns that viruses use. The issue here is that these solutions are always reactive, and you have to keep them up to date with the latest profiles.
Solution
Network Instruments Observer Expert is preconfigured with information on all common viruses, hack profiles and web chat systems. This is not a replacement for your firewall, but more a second line of defence. When the network runs slowly and you suspect some sort of virus or hacking problem, all you need to do is tick the boxes in the Virus section and let the solution look for the profiles.
Alarms can be raised on the detection of any of these issues, so you don’t even have to look at the screens for hours at a time.
How do I stop this happening in the future?
The best you can do is keep on top of the situation. If you have some sort of virus detection/IDS system, it is only as good as the last update you put on it. If you do have something like Observer, then every time you find something on the network, work out how it got through, which port numbers it used and which PCs got infected, and use this information to tighten up your defences.
Last Updated: 27/11/2009