Cacti, Squid and Snort Your Way to Secure Networks

Most engineers have more monitoring on their transmission facilities than they do on their local network.

May 11, 2016

I have found that most engineers have more monitoring on their transmission facilities than they do on their local network. Nonetheless, the engineering network has become critically important with the advent and implementation of audio over IP and the need to access the Internet for virus updates, Windows updates and show audio downloads.

Engineers need to keep an eye on their networks. We cannot take the word of outside support that our critical infrastructure is working, nor can we just sit back and assume we are operating normally. Engineers need to control access to ensure that the engineering network is virus and malware free.

The Cacti user interface shows inbound and outbound bandwidth generated by the LAN.

This article is not a comprehensive list of everything that you need to do to secure a network or enable monitoring; rather, its goal is to give an engineer an idea of where to start. Monitoring and controlling the local network is just as important as monitoring the modulation on your FM signal or your pattern on an AM station.

I have stated in previous articles that whatever is connected to the Internet can be hacked; all you can do as an engineer is manage the risk to which you are exposing your network when you enable Internet access.

Some engineers manage this risk by not enabling access to the Internet on any of their machines. Other engineers manage this risk by enabling firewall technologies, network monitoring and restricting access.

I tend to be a little more paranoid than most when implementing network access to the Internet; to counter that fear, I utilize free technologies that require a bit of elbow grease to get running. The technologies that are commonly used are Squid proxy servers, Snort IDS servers, Cacti SNMP monitoring servers and firewall access rule restrictions.

These technologies help manage the risk of having Internet access on the engineering network. Most of these are Linux-based and as such are available free of charge. These services can all be installed together and run from a single Linux-based server computer.

KEEP AN EYE ON SECURITY

Configuring Firefox proxy

Monitoring the network is one of the first security tasks an engineer needs to accomplish.

Cacti is an open-source network monitoring tool that can monitor almost anything on the network that uses SNMP. I utilize Cacti exclusively to monitor my switched Ethernet network and Cisco-based routers; it provides status on bandwidth utilization, port error count and CPU utilization.

In its most basic form, Cacti does a fantastic job of letting an engineer know how much bandwidth is in use and which computers are using it. If the bandwidth in use changes drastically, this can be an indication of a network-related issue. Knowing how much bandwidth is in use allows an engineer to adequately plan for network capacity and to see if network hardware is failing or over-subscribed.

Cacti can be used to monitor Windows or Linux-based computers on the network for general health status as well. It is a great tool for keeping an eye on the basic health of the network, creating baseline network utilization logs and monitoring the health of network hosts. Cacti can be loaded on Windows or Linux; the Cacti website has a wealth of information and downloads for multiple platforms.

Its website is www.cacti.net.
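Cacti's bandwidth graphs come from simple arithmetic on SNMP interface counters, and understanding that arithmetic helps when a graph looks wrong. The following is an added example, not code from the article or from the Cacti project: it takes two polls of an interface's octet counters (constructed values, standing in for ifInOctets/ifOutOctets read over SNMP), computes bits per second the way Cacti does, handles a 32-bit counter wrapping between polls, and shows why a five-minute poll cycle is too slow for 32-bit counters on a gigabit link.

```python
"""Bandwidth from SNMP interface counters, the way a Cacti graph derives it.

Added example; not code from the article or from the Cacti project. Cacti
polls ifInOctets/ifOutOctets (or the 64-bit ifHCInOctets/ifHCOutOctets)
on every poll cycle and graphs the rate of change between polls. The
samples below are constructed; a real deployment reads them from the
switch or router over SNMP.
"""
from __future__ import annotations

from dataclasses import dataclass

COUNTER32_MAX = 2 ** 32  # ifInOctets / ifOutOctets wrap back to 0 here
COUNTER64_MAX = 2 ** 64  # ifHCInOctets / ifHCOutOctets


@dataclass(frozen=True)
class Sample:
    timestamp: float  # seconds since the epoch when the poll ran
    in_octets: int    # ifInOctets (or ifHCInOctets) value at that time
    out_octets: int   # ifOutOctets (or ifHCOutOctets) value at that time


def counter_delta(old: int, new: int, modulus: int) -> int:
    """Octets counted between two polls, tolerating a single counter wrap.

    A monotonically increasing SNMP counter that reads lower than last
    time has wrapped past its maximum; add the part before the wrap to
    the part after it. Two wraps in one interval are indistinguishable
    from none, which is why the poll interval matters (see below).
    """
    if new >= old:
        return new - old
    return (modulus - old) + new


def bits_per_second(prev: Sample, cur: Sample,
                    modulus: int = COUNTER32_MAX) -> tuple[float, float]:
    """Return (inbound_bps, outbound_bps) between two consecutive polls."""
    interval = cur.timestamp - prev.timestamp
    if interval <= 0:
        raise ValueError("samples must be consecutive and in order")
    in_bps = counter_delta(prev.in_octets, cur.in_octets, modulus) * 8 / interval
    out_bps = counter_delta(prev.out_octets, cur.out_octets, modulus) * 8 / interval
    return in_bps, out_bps


def max_safe_poll_interval(link_bps: int, modulus: int = COUNTER32_MAX) -> float:
    """Longest poll interval (seconds) at which a saturated link cannot
    wrap the counter more than once between polls."""
    return modulus * 8 / link_bps


def utilization_percent(bps: float, link_bps: int) -> float:
    """Share of the link's nominal speed in use, for capacity planning."""
    return 100.0 * bps / link_bps


if __name__ == "__main__":
    # Constructed: a 100 Mbit/s uplink polled on Cacti's default 5-minute
    # cycle, with the 32-bit inbound counter wrapping between the polls.
    prev = Sample(timestamp=1462985400.0, in_octets=4_294_000_000, out_octets=1_000)
    cur = Sample(timestamp=1462985700.0, in_octets=1_000_000, out_octets=2_000_000)
    link = 100_000_000
    in_bps, out_bps = bits_per_second(prev, cur)
    print(f"in  {in_bps / 1e3:8.1f} kbit/s ({utilization_percent(in_bps, link):.2f}% of link)")
    print(f"out {out_bps / 1e3:8.1f} kbit/s ({utilization_percent(out_bps, link):.2f}% of link)")
    for speed in (100_000_000, 1_000_000_000):
        print(f"{speed / 1e6:.0f} Mbit/s: 32-bit counters are safe up to "
              f"{max_safe_poll_interval(speed):.0f} s between polls")
```

At 100 Mbit/s a 32-bit counter can wrap in about 344 s, so the default five-minute poll is only just fast enough; at gigabit speeds it wraps every 34 s and only the 64-bit ifHC counters give a truthful graph.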

CONTROL ACCESS

Another aspect of maintaining the network is controlling the data access. I do this by using a product called Squid. It is mainly used as a Web cache proxy server, but it can be configured to proxy FTP traffic. When properly configured, it will intercept, scan and control all the Web and FTP data going in and out of the network.

Configuring Internet Explorer proxy

Since it intercepts the data, Squid can control how that data is handled. Squid can be configured to scan the data for malware or viruses and it can also be configured to block access to certain Web or FTP sites. If Squid detects a problem with the scanned data, it will drop the data and inform the engineer that it has detected an issue. Squid has the capability to log all web traffic and generate reports.

All of the clients on the network need to be configured to send data through the Squid proxy server. The configuration is easy and can usually be done within a couple of minutes per machine. Once this configuration is done, none of the client machines will communicate directly with websites or FTP servers, which makes it the right time to block all FTP and Web access at the firewall. The only device that should be allowed to reach Web or FTP services on the Internet is the Squid proxy server.

The real drawback of Squid is that it has no GUI; it is configured and administered entirely from the command line. (If you need a GUI, Webmin is a loadable package for most Linux systems that includes Squid configuration support.)

Squid can be loaded on Windows or Linux and is free of charge. More information about Squid and software downloads are found at www.squid-cache.org.
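Squid's logging is where most of the day-to-day value is: every request the LAN makes passes through it and lands in access.log. The following is an added example, not code from the article or from the Squid project. It parses Squid's native access.log format (one request per line: timestamp, elapsed ms, client, result code/status, bytes, method, URL, user, hierarchy/peer, content type) and produces the kind of report an engineer wants: bytes per client, requests per site, and every request the proxy denied. The log lines are constructed, using RFC 5737 test addresses and example.* hostnames.

```python
"""Report generator for Squid's native access.log.

Added example; not code from the article or from the Squid project. The
native log format is one request per line:
  timestamp elapsed client code/status bytes method url user hierarchy/peer type
The log lines below are constructed (RFC 5737 test addresses, example.*
hosts) to illustrate what such a report shows the engineer.
"""
from __future__ import annotations

from collections import Counter
from urllib.parse import urlparse

SAMPLE_ACCESS_LOG = """\
1462985400.123    245 192.168.10.21 TCP_MISS/200 34210 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.80 text/html
1462985401.456     12 192.168.10.21 TCP_HIT/200 120054 GET http://www.example.com/logo.png - HIER_NONE/- image/png
1462985410.001      0 192.168.10.35 TCP_DENIED/403 3912 GET http://www.example.net/setup.exe - HIER_NONE/- text/html
1462985415.777    880 192.168.10.35 TCP_TUNNEL/200 56000 CONNECT www.example.org:443 - HIER_DIRECT/203.0.113.81 -
1462985420.000    310 192.168.10.50 TCP_MISS/200 8800 GET ftp://ftp.example.org/pub/README - HIER_DIRECT/203.0.113.82 text/plain
"""


def site_of(url: str) -> str:
    """Hostname for a URL, or for the host:port a CONNECT request names."""
    if "://" in url:
        return urlparse(url).hostname or url
    return url.rsplit(":", 1)[0]


def parse_line(line: str) -> dict | None:
    """One native-format log line to a dict; None for lines that don't fit."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated or foreign line: skip rather than crash
    code, _, status = fields[3].partition("/")
    return {
        "time": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "code": code,          # TCP_MISS, TCP_HIT, TCP_DENIED, TCP_TUNNEL, ...
        "status": int(status),  # HTTP status Squid returned to the client
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "site": site_of(fields[6]),
    }


def summarize(log_text: str) -> dict:
    """Bytes per client, requests per site, and the list of denied requests."""
    bytes_per_client: Counter = Counter()
    requests_per_site: Counter = Counter()
    denied = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        bytes_per_client[entry["client"]] += entry["bytes"]
        requests_per_site[entry["site"]] += 1
        if entry["code"].startswith("TCP_DENIED"):
            denied.append((entry["client"], entry["url"]))
    return {
        "bytes_per_client": dict(bytes_per_client),
        "requests_per_site": dict(requests_per_site),
        "denied": denied,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ACCESS_LOG)
    print("Bytes per client:")
    for client, total in sorted(report["bytes_per_client"].items(), key=lambda kv: -kv[1]):
        print(f"  {client:<16} {total:>10}")
    print("Requests per site:")
    for site, count in sorted(report["requests_per_site"].items(), key=lambda kv: -kv[1]):
        print(f"  {site:<24} {count}")
    print("Denied requests:")
    for client, url in report["denied"]:
        print(f"  {client} -> {url}")
```

Run against a real access.log with `summarize(open("/var/log/squid/access.log").read())`; CONNECT entries show only the hostname of an HTTPS site, which is all the proxy can see of an encrypted tunnel, and that is why the Snort sensor described in the next section still earns its place.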

INTRUDER ALERT

Tools ready to use for Squid webmin

The final piece of monitoring for the network is use of a Snort server. This is considered an Intrusion Detection System. An IDS scans the network for various malware and virus signatures. Once a signature is detected, the IDS alerts the engineer. An IDS does not take any action on the network to stop the virus or malware: It is up to the engineer to take action and correct the issue.

In order to use Snort, one port on the switch is set to mirror (receive a copy of) all of the switch traffic, and the Snort server is then plugged into this port. (Because switches direct traffic only to the port of the destination it is addressed to, a mirrored port is needed for Snort to see it. In Cisco IOS the feature and command set is called SPAN, for Switched Port Analyzer.)

Snort needs to see all of the traffic on the network to work properly. What I do is mirror the port on the switch that the Internet router is plugged into; in this way I can use Snort to monitor all of the incoming and outgoing Internet traffic. This is very useful since the Squid server will only see the Web or FTP traffic on the network. Snort will see all of the traffic coming in from or going out to the Internet. Information about Snort and downloads are located at www.snort.org.
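Snort on the SPAN port produces alerts, not a clean report, and the engineer has to turn them into a to-do list. The following is an added example, not code from the article or from the Snort project. It parses Snort's single-line "alert_fast" output, classifies each alert as outbound (source on the LAN) or inbound (source on the Internet), and lists the LAN hosts that are generating alerts, since those are the machines to visit first. The alert lines are constructed, using rule IDs in the local-rule range (SID 1000000 and up) and RFC 5737 test addresses; the LAN prefix 192.168.10.0/24 is an assumption for the example.

```python
"""Summarize Snort "alert_fast" output for a LAN behind an Internet router.

Added example; not code from the article or from the Snort project. The
alert lines are constructed, using rule IDs in the local-rule range
(SID >= 1000000) and RFC 5737 test addresses; the LAN prefix
192.168.10.0/24 is an assumption for the example. Because the sensor
sits on a SPAN of the router port, every alert is either outbound
(source on the LAN) or inbound (source on the Internet).
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed LAN prefix

SAMPLE_ALERTS = """\
05/11-14:02:33.123456  [**] [1:1000001:1] LOCAL Outbound connection to uncommon port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.10.35:49233 -> 203.0.113.10:4444
05/11-14:02:35.000001  [**] [1:1000001:1] LOCAL Outbound connection to uncommon port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.10.35:49240 -> 203.0.113.10:4444
05/11-14:05:10.500000  [**] [1:1000002:1] LOCAL Inbound probe of switch management port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:52100 -> 192.168.10.1:22
05/11-14:06:00.000000  [**] [1:1000003:1] LOCAL ICMP echo request from Internet [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.10.1
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] message [**]
#   [Classification: ...] (optional) [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_endpoint(endpoint: str) -> tuple[str, int | None]:
    """'192.168.10.35:49233' -> ('192.168.10.35', 49233); ICMP has no port.
    IPv4 only: an IPv6 literal would need bracket handling."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_alerts(text: str) -> list[dict]:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # multi-line or unfamiliar output: skip, don't crash
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        alerts.append({
            "time": m["ts"], "sid": int(m["sid"]), "msg": m["msg"],
            "classification": m["cls"], "priority": int(m["prio"]),
            "proto": m["proto"], "src": src_ip, "src_port": src_port,
            "dst": dst_ip, "dst_port": dst_port,
            "outbound": ipaddress.ip_address(src_ip) in LAN,
        })
    return alerts


def summarize(alerts: list[dict]) -> dict:
    by_rule = Counter((a["sid"], a["msg"]) for a in alerts)
    outbound = [a for a in alerts if a["outbound"]]
    inbound = [a for a in alerts if not a["outbound"]]
    return {
        "by_rule": dict(by_rule),
        "outbound_count": len(outbound),
        "inbound_count": len(inbound),
        # LAN hosts that are the *source* of an alert deserve a visit first;
        # Squid never sees this traffic unless it is Web or FTP.
        "lan_sources": sorted({a["src"] for a in outbound}),
        "top_priority": min((a["priority"] for a in alerts), default=None),
    }


if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_ALERTS))
    for (sid, msg), n in sorted(s["by_rule"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  sid {sid}  {msg}")
    print(f"outbound: {s['outbound_count']}  inbound: {s['inbound_count']}")
    print(f"LAN hosts generating alerts: {', '.join(s['lan_sources']) or 'none'}")
```

Feed it the sensor's real alert file with `parse_alerts(open("/var/log/snort/alert").read())`; the "outbound" flag is the useful bit, because a LAN host that keeps tripping rules toward the Internet is the thing the article says it is the engineer's job to go and fix.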

There are also commercial products that encompass all of the individual technologies listed above. These products are usually “one size fits all” solutions with significant price tags. Go ahead and install one of these if you have the budget. If you don’t have the budget, the three technologies I covered briefly will do a nice job of giving an engineer visibility and control of his or her local network.

Cottingham is a Cisco, Microsoft and CompTIA instructor with 25 years’ experience in IT and radio engineering. He’s the chief engineer of KFMK in Austin, Texas.
