Yashy (United Kingdom of Great Britain and Northern Ireland) asked:
How to use network packet analysis or firewall (Sonicwall) to spot a trojan? or unusual behaviour?

hi guys

Today we had a situation where on our LAN, ping times between our PCs and the servers were taking 20ms or 15ms, when usually they should take 1ms. Our phones that use VoIP suddenly were crackling and would switch off. It was drastic!

Anyway, we first thought it was a switch issue. Later we realised it was a trojan. Once removed, everything went back to normal.

We have a Sonicwall NSA 3500 on the network. We also have wireshark on the servers.

Let's say I had no AV and it hadn't detected it. How would you have used either the Sonicwall or even Wireshark to analyse the data?

What would you have looked for? And if you would have looked for anything, then how would you explain it to a very basic user like myself so that I could also pick it out and find out what was going on?

Thanks
Yashy
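One way to answer the "what would you have looked for in Wireshark" question, as an added example that is not part of the original thread: rather than reading packets one by one, aggregate per source host and look for the one that dominates LAN bytes or talks to far more peers than its neighbours. It assumes the capture was exported with `tshark -r capture.pcap -T fields -E separator=, -e frame.time_relative -e ip.src -e ip.dst -e frame.len`; the embedded rows and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the tshark field-export format named above (not a real capture):
# frame.time_relative,ip.src,ip.dst,frame.len
SAMPLE_EXPORT = """\
0.000,192.168.1.10,192.168.1.5,98
0.012,192.168.1.5,192.168.1.10,98
0.020,192.168.1.42,192.168.1.5,1514
0.021,192.168.1.42,192.168.1.6,1514
0.022,192.168.1.42,192.168.1.7,1514
0.023,192.168.1.42,192.168.1.8,1514
0.024,192.168.1.42,192.168.1.9,1514
0.025,192.168.1.42,192.168.1.11,1514
0.040,192.168.1.11,192.168.1.5,98
0.060,192.168.1.10,192.168.1.5,98
"""


def parse_export(text):
    """Yield (src, dst, frame_len); skip malformed rows and non-IP frames (e.g. ARP has empty ip.src)."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 4 and parts[1] and parts[2] and parts[3].isdigit():
            yield parts[1], parts[2], int(parts[3])


def host_stats(text):
    """Per source host: packet count, bytes sent and number of distinct destinations."""
    acc = defaultdict(lambda: {"pkts": 0, "bytes": 0, "dsts": set()})
    for src, dst, length in parse_export(text):
        acc[src]["pkts"] += 1
        acc[src]["bytes"] += length
        acc[src]["dsts"].add(dst)
    return {src: {"pkts": s["pkts"], "bytes": s["bytes"], "fanout": len(s["dsts"])}
            for src, s in acc.items()}


def suspicious_hosts(text, byte_share=0.5, min_fanout=5):
    """Flag hosts that dominate LAN bytes or fan out to many peers (thresholds are illustrative)."""
    stats = host_stats(text)
    total = sum(s["bytes"] for s in stats.values()) or 1
    flagged = []
    for src, s in stats.items():
        reasons = []
        if s["bytes"] / total >= byte_share:
            reasons.append(f"{s['bytes'] / total:.0%} of all bytes")
        if s["fanout"] >= min_fanout:
            reasons.append(f"{s['fanout']} distinct destinations")
        if reasons:
            flagged.append((src, reasons))
    return flagged
```

Tune `byte_share` and `min_fanout` against a capture taken while the LAN is healthy; a host that suddenly accounts for most of the bytes or reaches many more peers than before is the one to pull off the network and inspect.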
John (Canada)

Viruses, malware and rootkits do not hang out signs on their IP addresses. Also, this stuff is invited in by careless users - users who think clicking on anything is ok.

So all you have in a typical sniffer (I use CommView) are packets with IP addresses. You can view some packets, but out of thousands of packets for just several users, it is unlikely you can spot anything.

Best defense:  

1. Strong, paid, commercial anti-virus.
2. Recognize no A/V will catch it all, but the best paid A/V are better than most free A/V.
3. Train your users: Use only business sites, do not download anything (anything) without IT approval, keep home Facebook and Twitter at home. Make NO mistake: People who think they do not need to obey rules ARE your problem.

... Thinkpads_User
You have a really good firewall.  It has options for very strict analysis of incoming packets: Unified Threat Management, etc.  That's probably the best defense at the gateway.  Other than that, what thinkpads_user said: Good A/V.  You can and should train the users but people are fallible, everyone falls for something eventually.  So the best plan is don't let the bad stuff get in in the first place, which goes back to the firewall and using it to protect your network.

Bottom line: As many layers of protection as is reasonable without grossly interfering with users getting their work done.

(Where I work a "No Downloads" policy is not feasible, not because I haven't pushed for it but because of the type of work we do and management's perception (right or wrong) that creativity would be seriously stifled if we didn't allow some freedom...)
SOLUTION
UndefinedException
ASKER CERTIFIED SOLUTION
Syed Muhammad Usman
Yashy (asker)
Was out of the country chaps. I appreciate all of this guys. Thanks for your help. FYI, I'll be working on the Sonicwall info and reading up on packet analysis also.