Chapter 9 Switches, Routers, and Firewalls
“The Internet... is not a big truck. It’s a series of tubes. And ... those tubes can be filled and if they are filled, when you put your message in, it gets in line and it’s going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.”
—Former U.S. Senator Theodore “Ted” Stevens (R–Alaska) 1
The line between switches, routers, and firewalls has become very blurred. It only exists as a theoretical line, which is no longer strictly implemented at all, if it ever really was. What does that mean for the forensic investigator? The evidence you may expect to find on one device may actually exist on another. A device called a “switch” may actually contain logs that you would expect to find on a “firewall.”
Regardless of their label, network infrastructure devices contain configurations that reflect the state of the network and activities and, with any luck, the policies of the enterprise that’s deployed them. As a result, they often contain evidence that may be of use in an investigation, including descriptive information about the investigative environment, and perhaps evidence relating to a particular event of interest.
In this chapter, we discuss traditional switches, routers, and firewalls, as they pertain to network forensic investigations. We review the types of storage media commonly found in network infrastructure devices, evidence found on different types of devices, common interfaces, and logging setups. Keep in mind, however, that when you are examining a piece of equipment called a “switch” or a “router,” these devices may include functionality normally associated with other types of devices (for that matter, the same holds true for “hubs,” which are nearly always actually switches these days). It is always a good idea to research the specific make and model of the equipment under investigation before beginning your forensic examination.
Don’t worry so much about the label. Whether Cisco says a device is a hub or a switch, the investigator’s job is to understand the feature set and the configuration of the device, whatever it may be called.
1. T. Stevens, in a speech before the U.S. Senate on “network neutrality,” June 2006, http://media.publicknowledge.org/stevens-on-nn.mp3.
9.1 Storage Media
The types of storage used on switches, routers, and firewalls vary between manufacturers and models. It is important for forensic investigators to be familiar with common types of storage used in network equipment in order to properly prioritize evidence collection. Understanding the volatility of data on different storage mediums is paramount, and as a general rule evidence should be collected and preserved in order of volatility (beginning with the most volatile first).
Common types of storage in switches, routers, and firewalls include (in approximate order of volatility):
• Dynamic Random-Access Memory (DRAM) DRAM is very
volatile and does not retain data (for long) when power is turned
off. It is commonly used to store running operating system
configuration, process memory, routing tables, firewall
statistics, and more.
• Content-Addressable Memory (CAM) CAM is a special kind
of very fast memory used to store information that must be
accessed extremely quickly. It is most famously used on
switches for storing tables that map MAC addresses to ports
(hence the name “CAM tables”). CAM is very volatile and does
not retain data when power is turned off.
• Nonvolatile Random-Access Memory (NVRAM) NVRAM
retains data when the power is turned off, but can also be easily
modified. The most common type of NVRAM found in network
equipment is “flash memory.” In routers, this often contains a
copy of the operating system used at boot, as well as startup
configuration files. Note that Cisco IOS treats “flash:” and
“nvram:” as separate file systems: the operating system image
normally lives in flash, while the startup configuration lives in
NVRAM. Both are nonvolatile and writable, so an attacker with
privileged access can alter either; compare them against the
running configuration in DRAM rather than assuming they agree.
• Hard drive Most switches, routers, and firewalls do not
include a hard drive. However, general-purpose servers can be
configured to act as routers or firewalls (e.g., a Linux system
running iptables). In these cases, the hard drive typically
contains the operating system, startup configuration, firewall
logs, and an extensive amount of other data. The data on a hard
drive remains after the power is turned off, although logs on it
may still be rotated or overwritten, so collect them promptly.
• Read-Only Memory (ROM) ROM is memory that is designed to
permanently store data without modification (hence the name).
ROM is not designed to be routinely modified, although nowadays
types of memory commonly referred to as “ROM” (EEPROM and
flash) can be reprogrammed in order to update firmware. For
example, on unmanaged switches, the operating system is
typically stored in ROM. For more capable and flexible managed
switches and routers, the ROM typically contains a boot loader
(on Cisco routers, the ROM monitor, or ROMMON), which loads
the operating system and configuration from flash and NVRAM.
On general-purpose systems that are used as routers or
firewalls, the ROM holds the system firmware (BIOS or UEFI),
which locates and loads the boot loader; the boot loader itself
normally resides on the hard drive.
9.2 Switches
Switches are Layer 2 devices (many also route at Layer 3) that
connect multiple computers together to form a network. Unlike
hubs, switches isolate traffic on different switch ports, so that
each switch port is a separate collision domain. This prevents
interference between stations on different switch ports and
improves performance. Ports in the same VLAN still share one
broadcast domain, but a unicast frame is forwarded only to the
port where its destination MAC address was learned. A sniffer on
an ordinary access port therefore sees only broadcast, multicast,
and its own traffic, which is why investigators use port mirroring
and attackers resort to the CAM table attacks described below.
9.2.1 Why Investigate Switches?
Switches are typically involved in investigations for one of a
few reasons:
• If you are trying to sniff traffic on a local segment, one of the
easiest ways is to set up port mirroring on the switch. See
Chapter 3, “Evidence Acquisition,” for details.
• Switches contain tables that map client network card addresses
(MAC addresses) to physical ports on a switch. This can help
you to physically track down a computer.
• Attackers may launch attacks designed to “confuse” the switch
in order to bypass network security restrictions or launch
man-in-the-middle attacks. Two common examples are CAM table
overflow (flooding the switch with frames from thousands of
bogus source MAC addresses until the table fills and the switch
begins flooding unicast frames out all ports, like a hub) and MAC
or ARP spoofing (claiming another station’s address so that its
traffic is forwarded to the attacker’s port). Forensic analysis of
the switch may help to identify and isolate attacks of this type.
9.2.2 Content-Addressable Memory Table
Ethernet switches typically contain a special type of very fast
memory called CAM. This memory holds a table, referred to as
the “CAM table,” that dynamically maps MAC addresses to
corresponding physical ports on the switch. The switch populates
it by noting the source MAC address and arrival port of each
frame it receives. When a frame comes into a port, the switch
looks up the destination MAC address in the CAM table to see
which port it is attached to. Then, it writes a copy of the frame
to the port associated with the destination MAC address. If the
destination is not yet in the table, the switch floods the frame
out every port in the VLAN except the one it arrived on; this
fallback behavior is what CAM table overflow attacks exploit.
For forensic investigators, the CAM table of an Ethernet switch
can be very valuable, since it contains the MAC addresses of
the network cards communicating on the local subnet. This table
is very volatile and can change quickly, depending on network
activity.
When an attacker is trying to sniff local network traffic, the
CAM table often contains clear evidence of suspicious activity.
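As an added example (not code from this book), the following Python parses a
CAM table dump and flags the two patterns an investigator looks for when
sniffing is suspected: a port that has learned an implausible number of
dynamic MAC addresses, and a MAC address learned on more than one port. The
dump itself, the column layout (interface, MAC address, type, seconds
remaining before expiry), and the threshold of eight addresses per port are
constructed assumptions loosely modeled on Cisco output; the age column is
treated as time remaining, the ASA convention this section describes, and
converted to time elapsed.

```python
"""Parse a CAM (MAC address) table dump and flag Layer 2 signs of sniffing.

Added example, not code from the chapter.  The dump below is constructed;
its column layout (interface, MAC, type, seconds remaining before expiry)
is an assumption loosely modeled on Cisco 'show mac-address-table' output.
"""
import re
from collections import defaultdict, namedtuple

AGING_SECONDS = 300  # default dynamic-entry lifetime cited in the chapter

CamEntry = namedtuple("CamEntry", "interface mac kind age_remaining")

# One row per address: <iface> <xxxx.xxxx.xxxx> <dynamic|static> <age|->.
# Prompt, header and ruler lines do not match the pattern and are skipped.
_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<kind>\S+)\s+(?P<age>\d+|-)\s*$",
    re.IGNORECASE,
)

# Constructed sample: 'dmz' shows a burst of freshly learned random-looking
# addresses, and the 'outside' gateway MAC has also appeared on 'inside'.
SAMPLE_CAM_TABLE = """\
ant-fw# show mac-address-table
interface   mac address       type      Age(sec)
------------------------------------------------
outside     0019.2f34.3c02    dynamic   287
inside      000c.2919.a8dc    dynamic   300
inside      0050.56b1.4e2a    dynamic   142
inside      0019.2f34.3c02    dynamic   299
mgmt        5475.d0a1.0c8e    static    -
dmz         3a1f.77c2.0b9e    dynamic   299
dmz         00d4.9c1a.e3f0    dynamic   299
dmz         5eb3.20aa.7c11    dynamic   298
dmz         a4c9.1d0e.5b72    dynamic   298
dmz         1290.ff3e.44a8    dynamic   297
dmz         c6e2.0a57.99d3    dynamic   296
dmz         7039.bd48.1f6a    dynamic   296
dmz         0e5d.13f9.ab24    dynamic   295
dmz         d2c1.48b7.e69f    dynamic   280
dmz         2f88.a1d0.3c46    dynamic   260
"""


def parse_cam_table(text):
    """Return CamEntry objects; age_remaining is None for static entries."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            age = None if m["age"] == "-" else int(m["age"])
            entries.append(CamEntry(m["iface"], m["mac"].lower(),
                                    m["kind"].lower(), age))
    return entries


def seconds_since_learned(entry, aging=AGING_SECONDS):
    """The age column counts *down* to expiry; convert it to seconds elapsed
    since the switch last saw a frame from this address."""
    if entry.age_remaining is None:
        return None
    return aging - entry.age_remaining


def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks an address not assigned by a vendor.
    Random-source flooding tools set it about half the time; VMs and
    privacy-randomised clients set it legitimately, so treat it as
    corroboration rather than proof."""
    return int(mac[:2], 16) & 0x02 != 0


def find_anomalies(entries, max_macs_per_port=8):
    """Return (interface, finding) tuples that merit a closer look."""
    dynamic_by_port = defaultdict(list)
    ports_for_mac = defaultdict(set)
    for e in entries:
        if e.kind == "dynamic":
            dynamic_by_port[e.interface].append(e)
        ports_for_mac[e.mac].add(e.interface)

    findings = []
    for iface, group in sorted(dynamic_by_port.items()):
        if len(group) > max_macs_per_port:
            random_looking = sum(is_locally_administered(e.mac) for e in group)
            elapsed = [seconds_since_learned(e) for e in group]
            fresh = sum(1 for s in elapsed if s is not None and s <= 30)
            findings.append((iface,
                f"{len(group)} dynamic MACs on one port ({random_looking} locally "
                f"administered, {fresh} learned in the last 30 s): possible CAM "
                f"table overflow; rule out an uplink or hypervisor port first"))
    for mac, ifaces in sorted(ports_for_mac.items()):
        if len(ifaces) > 1:
            findings.append((",".join(sorted(ifaces)),
                f"{mac} learned on more than one port: MAC spoofing or a loop"))
    return findings


if __name__ == "__main__":
    for iface, finding in find_anomalies(parse_cam_table(SAMPLE_CAM_TABLE)):
        print(f"[{iface}] {finding}")
```

Run against a real dump, the per-port threshold should be set from knowledge of
the topology: trunk, uplink, and hypervisor ports legitimately carry many
addresses, which is why the finding tells the analyst to rule those out before
concluding that a flood occurred. The elapsed-time conversion matters because a
flood shows up as many entries learned within a few seconds of each other,
which a raw countdown column obscures.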
Below is the CAM table from a Cisco ASA 5505 Version 8.3
with the hostname “ant-fw.” Be careful—the CAM table reports
“Age” as the number of seconds an entry has left before it
expires rather than the number of seconds that have transpired.
MAC records expire after five minutes, or 300 seconds.