Technical (Bottom-Up) Methodology 91
meet time or cost concerns, it is not recommended to skip the wireless network
review. This is due to the many potential security holes in current wireless
network technology. Special consideration for network media types does not
end with just wireless networking, but also includes technologies such as
Token Ring, FDDI (Fiber Distributed Data Interface) or other fiber-optic
technologies, and some of the much older technologies such as arcnet.
In addition to the media types run on the target network, it is important
to find out the makeup of the concentrator devices on the client network.
Whether the target network has primarily switches or hubs can create a large
time difference in performing the NVA. This is because a network sniffer in
a switched environment is limited to the one network segment it is plugged
into. The technology of switches is such that each
port on a switch is, in effect, a single network segment. This is good in terms
of bandwidth and security, but more difficult in terms of security assessment.
For example, a 100-megabit switch provides a full 100 megabits for each port
on the switch. If only one device is plugged into that particular port, which
is generally the case, that machine has 100 megabits all to itself. Conversely,
a hub shares the total bandwidth between all of its ports. This means that a
100-megabit, eight-port hub actually divides the 100 megabits between all
eight ports. If you happen to be the only machine currently accessing the
network on the eight-port hub, then you would get the full 100 megabits.
However, if there are eight machines accessing the network on your hub,
your effective bandwidth is one eighth of the 100 possible megabits. The
impact on the assessment process is that you could plug a
network sniffer into any one of the ports on the hub and see all of the network
traffic on the eight ports. If you plugged the same network sniffer into a
switch, you would only see the network traffic for the machine plugged into
your same network segment, plus broadcast traffic, which is meant for everyone
on the network to see. This entire switch-versus-hub debate can be taken
a step further when you also have to consider the smart switch, or “layer 3”
switch as it is often called. A smart switch adds one more wrinkle. It really
is not much of a switch anymore — it is really a multi-port router. The potential
issue in terms of the assessment lies in the fact that a layer 3 switch can also
segment itself into logical switches. This process is known as using a virtual
local area network (VLAN). So by plugging your network sniffer into a smart
switch with multiple VLANs, you would only see the network traffic for your
network port and only the broadcast traffic for your VLAN. However, the layer
3 switch does have a feature that can help in performing network sniffing.
This feature, known as a “span port” (also known as port mirroring),
allows your network sniffer to see all of the network traffic across all of the
network ports on the switch. Of course, how well this works, if at all, depends
on both the configuration and the manufacturer of the network device.
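The visibility differences described above can be modelled in a few lines. This is an added example, not part of the original text: it counts which frames a sniffer on one port would capture behind a hub, a switch, a switch with VLANs, and a switch with a span port. The port map, MAC addresses, VLAN ids and traffic are constructed, and the model assumes the switch already knows every host's port, does no routing between VLANs, and mirrors all ports to the span port.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
M1, M2, M3, M4, M8 = (f"00:00:00:00:00:0{n}" for n in (1, 2, 3, 4, 8))

# Constructed topology: port -> (attached MAC, VLAN id). The sniffer sits on port 8.
PORTS = {1: (M1, 10), 2: (M2, 10), 3: (M3, 20), 4: (M4, 20), 8: (M8, 10)}

# Constructed traffic as (source MAC, destination MAC).
FRAMES = [
    (M1, M2),          # unicast between two other hosts, VLAN 10
    (M2, M1),          # the reply
    (M3, M4),          # unicast between two hosts in VLAN 20
    (M1, BROADCAST),   # broadcast in the sniffer's VLAN
    (M3, BROADCAST),   # broadcast in the other VLAN
    (M2, M8),          # unicast addressed to the sniffer itself
]

def receivers(kind, src, dst, vlans=True, span_port=None):
    """Return the set of ports that receive a copy of one frame."""
    port_of = {mac: port for port, (mac, _) in PORTS.items()}
    in_port = port_of[src]
    others = set(PORTS) - {in_port}
    if kind == "hub":
        out = set(others)                      # repeated to every other port
    else:
        vlan = PORTS[in_port][1]
        segment = {p for p in others if not vlans or PORTS[p][1] == vlan}
        if dst == BROADCAST:
            out = segment                      # flooded within the VLAN only
        else:
            out = {port_of[dst]} & segment     # forwarded to one port
    if span_port is not None and span_port != in_port:
        out.add(span_port)                     # mirror copy for the sniffer
    return out

def sniffer_view(kind, sniffer_port=8, **options):
    """Frames a sniffer on sniffer_port captures for a given device type."""
    return [f for f in FRAMES if sniffer_port in receivers(kind, *f, **options)]

if __name__ == "__main__":
    for label, kind, options in [
        ("hub", "hub", {}),
        ("switch, no VLANs", "switch", {"vlans": False}),
        ("switch, VLANs 10/20", "switch", {}),
        ("switch, VLANs + span port", "switch", {"span_port": 8}),
    ]:
        print(f"{label:28} {len(sniffer_view(kind, **options))}/{len(FRAMES)} frames seen")
```
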
If you thought the site survey was complete after a determination of media
type and concentrator type, think again. Another area for consideration in the
site survey is the number and type of operating systems run on the target
network. While there are some tools that run equally well against an NT
machine or a UNIX machine, not all tools pull dual duty. In addition, there