Security 103 - Basic Network Topology (Logical)

Author: Bill Ricardi
Reviewer: uTest

What Is Network Topology?

In layman's terms, network topology ( http://en.wikipedia.org/wiki/Network_topology ) is a map, or a layout of various network components. Topology shows you how clients, servers, routers and switches are interconnected. We talk about 'logical' topology, because how the physical wiring lays is beyond a tester's control. If you don't have physical access, you don't need to know if they're using a hybrid ring - you only need to know how the network acts logically. There are simple network tools that you can use to discover a client's logical topology, or at least make some good educated guesses about it.

Why Should You Care?

You should care because instead of taking a Cisco course to learn everything you need to know about this stuff, you're going to learn the basics now, in just a few pages. This should prepare you for 90 percent of the network-based tests you'll encounter here. I think that Cisco, Foundry, and other detailed network design and router configuration courses are excellent, if you plan to be a network administrator. But they take a while and the cost is high. So I'm not only saving you time and money, but I'm making you money, because you'll qualify for more tests and find more bugs in the long run.

Where Do I Start?

The most useful tool for basic network discovery operations over a WAN (Wide Area Network) is TraceRoute. TraceRoute is a program that sends a series of signals over the Internet, and tries to figure out what hosts that it is passing through along the way to its final destination. For you protocol-minded folks, it uses IP, UDP, and ICMP for the discovery process. This means that if hosts along the way are blocking ICMP, you won't get all of the information that you would have otherwise.

TraceRoute is available on most operating systems. From a Windows Command Prompt, the command is 'tracert'. From any Mac, Unix, or BSD based system, it is 'traceroute'. Check the help for more information, but the basic command is: traceroute (hostname or IP address). For example:

C:\>tracert utest.com

Tracing route to utest.com [67.23.15.117]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.1.1
2 21 ms 23 ms 22 ms ***.bt.net [***.***.***.***] <--- EDITED
3 21 ms 22 ms 22 ms ***.net.uk [***.***.***.***] <--- EDITED
4 24 ms 21 ms 22 ms ***.***.***.*** <--- EDITED
5 23 ms 23 ms 22 ms ***.***.***.*** <--- EDITED
6 43 ms 48 ms 37 ms tge1-4.fr3.lon.llnw.net [195.66.224.133]
7 114 ms 105 ms 107 ms tge7-2.fr3.lga.llnw.net [69.28.171.125]
8 146 ms 141 ms 150 ms tge1-2.fr4.ord.llnw.net [69.28.171.193]
9 152 ms 153 ms 154 ms tge10-1.fr4.dal.llnw.net [69.28.171.241]
10 153 ms 154 ms 198 ms rackspace.tge11-3.fr4.dal.llnw.net [69.164.4.6]
11 165 ms 165 ms 181 ms core7-edge3-vlan2307.dfw1.rackspace.net [174.143.123.112]
12 177 ms 193 ms 172 ms aggr511a-1-core7.dfw1.rackspace.net [98.129.84.149]
13 163 ms 163 ms 168 ms vmweb.utest.com [67.23.15.117]

As you can see, I edited a couple of entries to protect my privacy. That's how powerful this discovery tool is.

The first line, or 'hop' as we call each step of a traceroute, shows you localhost, your own network adapter. This is your point of origin. The next few hops are usually any hardware firewalls that you might have, and then your Internet Service Provider's routers, switches, and DSLAM's.

After your ISP hands your signal off to other network providers, the traceroute starts to get interesting. If you see an entry that you want to learn more about, there is another tool that you can use to get more information: WhoIs. WhoIs is available on the Unix/BSD command line, or you can use http://whois.domaintools.com/ to look up who claims responsibility for these servers. For example:

whois 195.66.224.133

[Querying whois.ripe.net]
[whois.ripe.net]
This is the RIPE Database query service.
The objects are in RPSL format.
The RIPE Database is subject to Terms and Conditions.
See http://www.ripe.net/db/support/db-terms-conditions.pdf

Note: This output has been filtered.
To receive output for a database update, use the "-B" flag.

Information related to '195.66.224.0 - 195.66.225.255'

inetnum: 195.66.224.0 - 195.66.225.255
netname: LINX-PEER-1
descr: London Internet Exchange (LINX)
descr: Primary Peering LAN in London Docklands

I know that the signal is being passed through LINX here in the U.K. on its way to the uTest facilities. WhoIs will give me ownership details on any hop that I wish to research, assuming that the IP space is registered properly. As the traceroute gets closer to the target server, you will see details about their ISP, their firewalls, and their switches on the way to the final destination.

Finally, modern Windows machines (Vista and Windows 7) can use LLTD or Link Layer Topology Discovery ( http://en.wikipedia.org/wiki/Link_Layer_Topology_Discovery ) to get a detailed map of their LAN's topology. Check out the Network Map feature on these OS's for more details.

Interesting, but how does it help me?

Well, if you're experiencing network lag, your traceroute will show you exactly where it is happening. Remember that the latency measurements are BETWEEN the last hop and the next, so the issue could be either router. And WhoIs will tell you who's responsible at each end of the issue. So you'll know whether it is a problem on your end, their end, or something in between. Assuming ICMP isn't being blocked or the routing isn't messed up, of course.

This information can also help you to guess the setup of the client's network as well. Yes, you may have to learn a little bit about routers, firewalls, and the structure of a network DMZ (see http://en.wikipedia.org/wiki/DMZ_%28computing%29 ). If you have permission to do invasive security testing, you can use the entries on TraceRoute also know exactly what hosts to probe with a vulnerability scanner, in order to find out what operating system and services they're running.

Finally, using LLTD or advanced network monitoring tools available for other OS's ( http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html ) you can build a virtual representation of the systems and networks that you're testing. This will help you understand an application's interaction with other servers, both inside and outside of the client's own network.

Knowledge is power, and understanding basic network topology will give you more power to find and comprehend bugs.