Chapter 9 Switches, Routers, and Firewalls
“The Internet... is not a big truck. It’s a series of tubes. And ... those tubes can be filled and if they are filled, when you put your message in, it gets in line and it’s going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.”
—Former U.S. Senator Theodore “Ted” Stevens (R–Alaska) 1
The line between switches, routers, and firewalls has become very blurred. It only exists as a theoretical line, which is no longer strictly implemented at all, if it ever really was. What does that mean for the forensic investigator? The evidence you may expect to find on one device may actually exist on another. A device called a “switch” may actually contain logs that you would expect to find on a “firewall.”

Regardless of their label, network infrastructure devices contain configurations that reflect the state of the network and activities and, with any luck, the policies of the enterprise that’s deployed them. As a result, they often contain evidence that may be of use in an investigation, including descriptive information about the investigative environment, and perhaps evidence relating to a particular event of interest.

In this chapter, we discuss traditional switches, routers, and firewalls, as they pertain to network forensic investigations. We review the types of storage media commonly found in network infrastructure devices, evidence found on different types of devices, common interfaces, and logging setups. Keep in mind, however, that when you are examining a piece of equipment called a “switch” or a “router,” these devices may include functionality normally associated with other types of devices (for that matter, the same holds true for “hubs,” which are nearly always actually switches these days). It is always a good idea to research the specific make and model of the equipment under investigation before beginning your forensic examination. Don’t worry so much about the label. Whether Cisco says a device is a hub or a switch, the investigator’s job is to understand the feature set and the configuration of the device, whatever it may be called.
1. T. Stevens, in a speech before the U.S. Senate on “network neutrality,” June 2006, http://media.publicknowledge.org/stevens-on-nn.mp3.
9.1 Storage Media
The types of storage used on switches, routers, and firewalls vary between manufacturers and models. It is important for forensic investigators to be familiar with common types of storage used in network equipment in order to properly prioritize evidence collection. Understanding the volatility of data on different storage media is paramount, and as a general rule evidence should be collected and preserved in order of volatility (beginning with the most volatile first).

Common types of storage in switches, routers, and firewalls include (in approximate order of volatility):
• Dynamic Random-Access Memory (DRAM): DRAM is very volatile and does not retain data (for long) when power is turned off. It is commonly used to store running operating system configuration, process memory, routing tables, firewall statistics, and more.
• Content-Addressable Memory (CAM): CAM is a special kind of very fast memory used to store information that must be accessed extremely quickly. It is most famously used on switches for storing tables that map MAC addresses to ports (hence the name “CAM tables”). CAM is very volatile and does not retain data when power is turned off.
• Nonvolatile Random-Access Memory (NVRAM): NVRAM retains data when the power is turned off, but can also be easily modified. The most common type of NVRAM found in network equipment is “flash memory.” In routers, this often contains a copy of the operating system used at boot, as well as startup configuration files.
• Hard drive: Most switches, routers, and firewalls do not include a hard drive. However, general-purpose servers can be configured to act as routers or firewalls (e.g., a Linux system running iptables). In these cases, the hard drive typically contains the operating system, startup configuration, firewall logs, and an extensive amount of other data. The data on a hard drive remains after the power is turned off.
• Read-Only Memory (ROM): ROM is a type of random-access memory that is designed to permanently store data without modification (hence the name). ROM is not designed to be routinely modified, although nowadays types of memory commonly referred to as “ROM” can be reprogrammed in order to update firmware. For example, on unmanaged switches, the operating system is typically stored in ROM. For more capable and flexible managed switches and routers, the ROM typically contains a boot loader, which loads the operating system and configuration from NVRAM. On fully configurable Linux systems that are used as routers or firewalls, the ROM normally contains the boot loader.
9.2 Switches
Switches are Layer 2/3 devices that connect multiple computers together to form a network. Unlike hubs, switches isolate traffic on different switch ports, so that each switch port is a separate collision domain. This prevents Layer 1 interference between stations on different switch ports and improves performance.
9.2.1 Why Investigate Switches?
Switches are typically involved in investigations for one of a few reasons:
• If you are trying to sniff traffic on a local segment, one of the easiest ways is to set up port mirroring on the switch. See Chapter 3, “Evidence Acquisition,” for details.
• Switches contain tables that map client network card addresses (MAC addresses) to physical ports on a switch. This can help you to physically track down a computer.
• Attackers may launch attacks designed to “confuse” the switch in order to bypass network security restrictions or launch man-in-the-middle attacks. Forensic analysis of the switch may help to identify and isolate attacks of this type.
9.2.2 Content-Addressable Memory Table
Ethernet switches typically contain a special type of very fast memory called CAM. This memory holds a table, referred to as the “CAM table,” that dynamically maps MAC addresses to corresponding physical ports on the switch. When a frame comes into a port, the switch looks up the destination MAC address in the CAM table to see which port it is attached to. Then, it writes a copy of the frame to the port associated with the destination MAC address.

For forensic investigators, the CAM table of an Ethernet switch can be very valuable, since it contains the MAC addresses of the network cards communicating on the local subnet. This table is very volatile and can change quickly, depending on network activity.

When an attacker is trying to sniff local network traffic, the CAM table often contains clear evidence of suspicious activity. Below is the CAM table from a Cisco ASA 5505 Version 8.3 with the hostname “ant-fw.” Be careful—the CAM table reports “Age” as the number of seconds an entry has left before it expires rather than the number of seconds that have transpired. MAC records expire after five minutes, or 300 seconds.
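The ant-fw CAM table itself is not reproduced on this page. As an added example (not from the book or from Cisco), the script below parses a constructed CAM table dump, converts the countdown-style “Age” into seconds elapsed since the entry was last refreshed, and flags the two indicators an investigator looks for first: a port carrying far more MAC addresses than a normal host port, and a MAC address that appears behind more than one port. The column layout (interface, MAC, type, age) and the sample rows are assumptions for the example, not the exact output of any vendor's command.

```python
"""Parse a CAM (MAC address) table dump and flag forensic indicators.

Added example for the chapter text; the dump below is constructed and
its column layout is an assumption, not a vendor's real output format.
"""
import re
from collections import defaultdict

# Per the text: dynamic entries expire after five minutes (300 seconds),
# and the device reports "Age" as seconds LEFT before expiry.
MAC_AGING_SECONDS = 300

# Constructed sample dump (not the ant-fw table from the book).
# Columns: interface, MAC address, entry type, age (seconds left).
# A "-" age marks a static entry that never ages out.
SAMPLE_CAM_DUMP = """\
interface   mac address       type     Age
inside      0011.2233.4455    dynamic  287
inside      0011.2233.4456    dynamic  12
outside     00aa.bbcc.dd01    dynamic  295
outside     00aa.bbcc.dd02    dynamic  290
outside     00aa.bbcc.dd03    dynamic  299
outside     00aa.bbcc.dd04    dynamic  298
outside     00aa.bbcc.dd05    dynamic  300
outside     0011.2233.4455    dynamic  12
dmz         0011.2233.9999    static   -
"""

# One table row: interface, dotted-quad-style MAC, type, age or "-".
ENTRY_RE = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<etype>\S+)\s+(?P<age>\d+|-)\s*$",
    re.IGNORECASE,
)


def parse_cam_table(dump, aging=MAC_AGING_SECONDS):
    """Return a list of entries with the age converted to time since seen.

    Header, blank and unparsable lines are skipped rather than guessed at,
    so the evidence record only contains rows that matched the layout.
    """
    entries = []
    for line in dump.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        age = m.group("age")
        if age == "-":
            since_seen = None  # static entries carry no timing evidence
        else:
            # "Age" counts DOWN to expiry, so elapsed time is aging - age.
            since_seen = aging - int(age)
        entries.append({
            "iface": m.group("iface"),
            "mac": m.group("mac").lower(),
            "etype": m.group("etype").lower(),
            "seconds_since_seen": since_seen,
        })
    return entries


def find_indicators(entries, max_macs_per_port=4):
    """Flag crowded ports and MACs learned on more than one port.

    A crowded port is only suspicious if it is an access port; an uplink
    or trunk legitimately carries many MACs, so check the port role
    before treating the count as evidence of CAM flooding.
    """
    macs_by_port = defaultdict(set)
    ports_by_mac = defaultdict(set)
    for e in entries:
        macs_by_port[e["iface"]].add(e["mac"])
        ports_by_mac[e["mac"]].add(e["iface"])
    crowded = sorted(
        (port, len(macs)) for port, macs in macs_by_port.items()
        if len(macs) > max_macs_per_port
    )
    multi_port = {
        mac: sorted(ports) for mac, ports in ports_by_mac.items()
        if len(ports) > 1
    }
    return {"crowded_ports": crowded, "multi_port_macs": multi_port}


if __name__ == "__main__":
    table = parse_cam_table(SAMPLE_CAM_DUMP)
    for e in table:
        print(f"{e['iface']:8} {e['mac']}  {e['etype']:8} "
              f"seen {e['seconds_since_seen']}s ago")
    print(find_indicators(table))
```

Record the device clock and the time of capture alongside the dump, since the elapsed values are only meaningful relative to when the table was read.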
  • 4. Switches are typically involved in investigations for one of a few reasons: • If you are trying to sniff traffic on a local segment, one of the easiest ways is to set up port mirroring on the switch. See Chapter 3, “Evidence Acquisition,” for details. • Switches contain tables that map client network card addresses (MAC addresses) to physical ports on a switch. This can help you to physically track down a computer. • Attackers may launch attacks designed to “confuse” the switch in order to bypass network security restrictions or launch man- in-the-middle attacks. Forensic analysis of the switch may help to identify and isolate attacks of this type. 9.2.2 Content-Addressable Memory Table Ethernet switches typically contain a special type of very fast memory called CAM. This memory holds a table, referred to as the “CAM table,” that dynamically maps MAC addresses to corresponding physical ports on the switch. When a frame comes into a port, the switch looks up the destination MAC address in the CAM table to see which port it is attached to. Then, it writes a copy of the frame to the port associated with the destination MAC address. For forensic investigators, the CAM table of an Ethernet switch can be very valuable, since it contains the MAC addresses of the network cards communicating on the local subnet. This table is very volatile and can change quickly, depending on network activity. When an attacker is trying to sniff local network traffic, the CAM table often contains clear evidence of suspicious activity. Below is the CAM table from a Cisco ASA 5505 Version 8.3 with the hostname “ant-fw.” Be careful—the CAM table reports “Age” as the number of seconds an entry has left before it
  • 5. expires rather than the number of seconds that have transpired. MAC records expire after five minutes, or 300 seconds.
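As an added example (not from the book), here is how an investigator can read a CAM table snapshot in light of that warning: it converts the remaining “Age” of each entry into the time the switch last saw that MAC, and flags ports carrying unusually many MACs or a MAC that appears on more than one port. The snapshot layout, port names, MAC addresses and capture time are constructed for the example and are not the ASA’s actual output.

```python
from collections import defaultdict
from datetime import datetime, timedelta
CAM_TIMEOUT = 300  # dynamic MAC entries expire after five minutes
CAPTURE_TIME = datetime(2024, 1, 1, 12, 0, 0)  # constructed snapshot time

# Constructed CAM snapshot in a simplified "port mac type age" layout (not the
# exact output of any particular switch). As the text warns, "age" is the
# number of seconds LEFT before the entry expires, not the seconds elapsed.
SNAPSHOT = """\
Fa0/1   0011.2233.4455  dynamic  278
Fa0/2   0011.2233.4466  dynamic   12
Fa0/3   00aa.bbcc.dd01  dynamic  300
Fa0/3   00aa.bbcc.dd02  dynamic  299
Fa0/3   00aa.bbcc.dd03  dynamic  299
Fa0/3   00aa.bbcc.dd04  dynamic  298
Fa0/4   0011.2233.4455  dynamic  290
"""

def parse_cam(text, captured_at=CAPTURE_TIME):
    """Return CAM entries with the time the switch last saw each MAC."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip headers, blank lines, malformed rows
        port, mac, kind, age_left = parts[0], parts[1].lower(), parts[2], int(parts[3])
        entries.append({
            "port": port, "mac": mac, "type": kind, "age_left": age_left,
            # remaining lifetime -> elapsed time since the MAC was learned/refreshed
            "last_seen": captured_at - timedelta(seconds=CAM_TIMEOUT - age_left),
        })
    return entries

def review_cam(entries, max_macs_per_port=2):
    """Flag the entries an investigator should look at first."""
    macs_by_port, ports_by_mac = defaultdict(set), defaultdict(set)
    for e in entries:
        macs_by_port[e["port"]].add(e["mac"])
        ports_by_mac[e["mac"]].add(e["port"])
    return {
        # many MACs behind one port: uplink, hub, VM host, or table abuse
        "crowded_ports": sorted(p for p, m in macs_by_port.items() if len(m) > max_macs_per_port),
        # one MAC on several ports: a station that moved, or a duplicated address
        "multi_port_macs": sorted(m for m, p in ports_by_mac.items() if len(p) > 1),
    }

if __name__ == "__main__":
    for e in parse_cam(SNAPSHOT):
        print(e["port"], e["mac"], "last seen", e["last_seen"].time(), f"{e['age_left']}s left")
    print(review_cam(parse_cam(SNAPSHOT)))
```

The threshold in review_cam is a starting point only; an uplink or a virtualization host legitimately shows many MACs, so flagged ports are leads to verify against the switch configuration, not conclusions.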