Lab Notes
This site is being maintained for archival purposes only.
Notes on Snort setup (with BASE): (pdf or doc)
The Security Center recently installed the RSA ACE Authentication Manager Version 6 in a Windows 2003 Service Pack 1 environment for use with SecurID® tokens. We have written about our implementation experiences with:
Wikipedia defines a packet as, "the fundamental unit of information carriage in all modern computer networks." Therefore any computer that communicates over a network uses packets, and if the network is configured correctly those packets can be analyzed (sniffed), or so we thought.
The mystery began after we had installed our new ISS Proventia A201 Intrusion Detection appliance. The setup was simple: a Linksys EtherFast® 8-Port 10/100 Auto-Sensing Hub (Model# EFAH08W) with a few boxes connected to generate traffic and our IDS connected to monitor. Upon completion of the IDS management software install, we at the Security Center were eager to see what this IDS was really made of. Everything was connected and turned on. We fired up the IDS and, much to our surprise, it was quiet, too quiet: nothing was happening; in fact the IDS wasn't seeing any packets going across our network. Strange; it should've seen something, since we were connected to the Internet.

We then proceeded to take a long look at our configuration and finally gave ISS tech support a call. For about four days ISS tried to help us figure out why our IDS could not sniff any traffic. As a last-ditch effort we connected an additional Proventia from a different facility to sniff our network, which returned the same results: no packets. At this point we decided that the problem wasn't with the IDS and that the issue was coming from somewhere else. Network testing proceeded with a variety of monitoring tools, including Snort, MS Network Monitor, and Ethereal. Oddly enough, none of these applications could sniff any traffic off our network either. The problem was with our network, and it was just a simple setup: a few boxes connected to the Net through a hub.
According to Wikipedia a hub, "is a central node in a network. The term comes from the analogy to a wheel's hub, the center. A hub is a computer networking device that connects multiple Ethernet segments together making them act as a single segment. When using a hub only one computer connected to the hub is able to transmit at a time. With a hub every attached device shares the same broadcast domain and the same collision domain. Depending on the network topology, the hub provides a basic level 1 OSI model connection among the network objects (workstations, servers, etc). It provides bandwidth which is shared among all the objects, compared to switches, which provide a dedicated connection between individual nodes."

However, we at the SEWP Security Center learned that when technology becomes cheap it proliferates in unexpected ways. We had narrowed the issue down to our hub, which didn't make any sense, but it was the only thing left. We disconnected the hub and set up a small desk network to see what, if anything, was going on. And much to our surprise we couldn't sniff any traffic from the hub at all. Odd, yes, so we proceeded to replace our hub with another Linksys EtherFast® 8-Port 10/100 Auto-Sensing Hub (Model# EFAH08W), except when we went to plug in the power cord the jack was different. At this point we examined both hubs a little more closely. Our first hub had a 7.5v adapter while our second had a 3.3v adapter. Strange, sure, because they were the same model, but specifications change over time. After continued inspection we noticed something very odd: our first hub was a Version 3.0 while our second was a Version 2.0. So we got the correct power adapter for our V2 hub and connected it to our desk network. Lo and behold, it was like fireworks; all of our applications were going crazy. We had found our missing packets! What was the difference, we wondered? Well, you can see for yourself at www.linksys.com

It turned out that our Version 3.0 hub wasn't a hub anymore at all; it had become a switch. In Version 3.0 our "hub" was designed with "Internal Store-and-Forward Switching for Effective Traffic Reduction." Interesting. "Store-and-Forward Switching": wouldn't that mean that the hub is technically no longer sharing bandwidth amongst everyone, ergo switch-like characteristics, and the reason why our packets magically disappeared? Why advertise and sell a hub that for all intents and purposes is now a switch? We don't know; you'll have to ask Linksys.
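A quick sanity check for the symptom described above, added here as an example and not part of the original lab note: a passive sniffer port on a real (repeating) hub sees unicast frames exchanged between other hosts, while a port on a store-and-forward switch with no mirror/SPAN configured sees only broadcast, multicast and its own traffic. The script parses raw Ethernet II headers and reports whether any third-party unicast was observed; all MAC addresses and frames are constructed for the example, not captured.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])

def classify(frame: bytes, own_mac: bytes) -> str:
    """Bucket a frame by why a monitoring port would (or would not) see it."""
    dst, src, _ = parse_ethernet(frame)
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:               # group bit set -> multicast
        return "multicast"
    if dst == own_mac or src == own_mac:
        return "own"
    return "foreign_unicast"        # only visible on a shared segment / SPAN

def visibility_report(frames, own_mac) -> Counter:
    return Counter(classify(f, own_mac) for f in frames)

def segment_is_shared(counts: Counter) -> bool:
    """True when the port observed unicast traffic between third parties."""
    return counts.get("foreign_unicast", 0) > 0

def make_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

# Constructed, locally administered MACs for the sniffer and two hosts
IDS_MAC = bytes.fromhex("020000000001")
HOST_A = bytes.fromhex("020000000002")
HOST_B = bytes.fromhex("020000000003")

# What a switch delivers to an unmirrored port: broadcast plus own traffic
SWITCH_VIEW = [make_frame(BROADCAST, HOST_A, 0x0806),   # ARP request
               make_frame(IDS_MAC, HOST_A)]
# What a repeating hub delivers: the same, plus the A<->B conversation
HUB_VIEW = SWITCH_VIEW + [make_frame(HOST_B, HOST_A), make_frame(HOST_A, HOST_B)]

if __name__ == "__main__":
    for name, frames in (("switch", SWITCH_VIEW), ("hub", HUB_VIEW)):
        c = visibility_report(frames, IDS_MAC)
        verdict = "shared segment" if segment_is_shared(c) else "no third-party unicast seen"
        print(f"{name}: {dict(c)} -> {verdict}")
```

On a live interface the same classification can be applied to frames from a capture library; if `foreign_unicast` stays at zero while other hosts are talking, the monitoring port is on a switch (or a switch sold as a hub), not a shared segment.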