DOTE

Chain And Rate

Saturday, September 17, 2011

Fluke LANMeter

Instrumentation for performing TSCM services on computer networks.

TSCM services on computer networks are highly specialized activities which require a highly specialized background and extensive training. This specialized service requires the use of several instruments:

  • Hand-held Oscilloscope
  • Cable Scanner (100+ MHz/Cat-5)
  • "Dry Line" Time Domain Reflectometer w/ Cross-Talk Analysis
  • Network Traffic Analyzer/Protocol Analyzer
  • Computer with Packet Sniffing Software
  • Portable Spectrum Analyser

These instruments are used in addition to Oscilloscopes, Spectrum Analysers, Multi-meters, Search Receivers, NLJD, X-ray, and other regular TSCM equipment.

The Fluke LANMeter® provides an excellent instrument for TSCM teams. The "basic instrument" offers all the functions of a cable scanner, including a high quality dry-line TDR. The traffic analysis features are invaluable for identifying and tracing network abuse, hacker intrusions, and detecting covert eavesdropping devices on the network. The LANMeter® is also invaluable for performing periodic network audits and reviews.

The Fluke DSP-2000/DSP-4000 Cable Analyzer and Fluke 105B Scope Meter are also excellent instrumentation for TSCM inspections, and complement the LANMeter series well.

During a TSCM inspection an Oscilloscope will typically be the first instrument attached to the network being evaluated; the purpose is to observe the waveforms and signals present. In the event that a spread spectrum eavesdropping device has been installed on the network the oscilloscope will provide rapid detection. The oscilloscope will also provide a quick indication of the voltages present, the amount of RF noise, and limited information about cross-talk. One thing to watch for is the presence of any signal that does not match the template of "what should be on the network". For example, why is there a steady 128 kHz, low level PPCM signal riding on the Ethernet waveform?

The second instrument used will typically be the Portable Spectrum Analyser. This instrument is used to take a quick look at the RF spectrum being used by the network. Normally a network will contain a small amount of noise along with the primary signal and a number of harmonics. Watch for the presence of any signal that does not match what is typical for the type of network being tested. The Spectrum Analyser will also be used later when performing frequency domain and space domain inspections of the wiring closets.

Once all conductor combinations of the network have been carefully checked for foreign signals (by using an Oscilloscope and Spectrum Analyser) a Network Traffic Analyzer is used to monitor all activity which occurs on each specific segment (or cable drop). The purpose is to identify any anomaly in network traffic which could indicate the usage of eavesdropping software or a security weakness being exploited. A typical example of this would be the usage of audio streaming or keystroke logging software, which has been a popular method for eavesdropping. (Why is the CEO's Windows NT box streaming audio and video to a computer located outside the company?)

A Network Traffic Analyzer will typically evaluate only the headers of the packets, and should allow the user to perform several basic network functions such as Ping, Trace Route, DNS lookups, and provide lists of found or active network addresses. At this point the TSCM specialist will have obtained a list of all network entities which should then be verified by a physical inventory.

In the event that suspicious activities are detected a Packet Sniffer can then be used to capture and analyze the suspect activities. A Network Traffic Analyzer is typically used to observe headers, and the Packet Sniffer is used only after suspect activity is noted. A Packet Sniffer should be utilized as little as possible as it raises serious security issues, privacy concerns, and will typically provide "too much information" regarding network traffic.
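The header-only triage described above, as an added illustration that is not code from the original post or from Fluke: from a constructed list of flow records (the 5-tuple plus byte count and duration, the kind of summary a header-level analyzer yields) it builds the list of active internal addresses to reconcile against the physical inventory, and flags long-lived, high-rate flows from an internal host to an outside address. The internal address range and the thresholds are assumptions.

```python
import ipaddress

# Address range that is supposed to be on the audited segment (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample records: (src, dst, proto, dst_port, bytes, seconds).
FLOWS = [
    ("10.10.1.5", "10.10.1.1",    "udp",   53,      1_200,    1),  # DNS lookup
    ("10.10.1.5", "10.10.2.20",   "tcp",  445,     80_000,   30),  # file share
    ("10.10.1.7", "203.0.113.9",  "udp", 5004, 90_000_000, 3600),  # hour-long stream out
    ("10.10.1.9", "198.51.100.4", "tcp",   80,     30_000,    5),  # short web fetch
    ("10.10.1.7", "10.10.1.1",    "udp",   53,        800,    1),  # DNS lookup
]


def is_internal(addr):
    """True when the address falls inside one of the expected internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def active_hosts(flows):
    """Every internal address seen in any header: the list to verify by physical inventory."""
    hosts = set()
    for src, dst, *_ in flows:
        for addr in (src, dst):
            if is_internal(addr):
                hosts.add(addr)
    return sorted(hosts, key=ipaddress.ip_address)


def suspicious_outbound(flows, min_rate_bps=100_000, min_seconds=300):
    """Flag sustained, high-rate flows from an internal host to an external one.

    Headers alone cannot say what the payload is, but a box that holds an
    outbound stream for an hour at well over 100 kbit/s is the "why is this
    machine streaming to the outside?" case; the thresholds are assumptions.
    """
    flagged = []
    for src, dst, proto, port, nbytes, secs in flows:
        if not (is_internal(src) and not is_internal(dst)):
            continue
        rate_bps = nbytes * 8 / max(secs, 1)
        if secs >= min_seconds and rate_bps >= min_rate_bps:
            flagged.append((src, dst, proto, port, round(rate_bps)))
    return flagged


if __name__ == "__main__":
    print("inventory to verify:", active_hosts(FLOWS))
    print("sustained outbound:", suspicious_outbound(FLOWS))
```

Only the flagged flows would then justify attaching a Packet Sniffer, keeping its use to the minimum the post recommends.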

Prior to this point all tests have been non-invasive, fairly undetectable, and should not have alerted the eavesdropper that a TSCM inspection is in progress.

The TSCM specialist will now cause a segmented network outage (typically caused by turning off a router or hub) and will disconnect all associated wiring. This isolates a group of computers and wiring from the rest of the network, and will provide "appropriate cover" for the remainder of the TSCM inspection.

At this point the physical wiring will be checked for any eavesdropping device or anomaly. A cable scanner will be used to provide a basic wire map, and a TDR will be used to check for cable splices or taps. Once the cable has been "mapped-out" and the length has been determined by using a TDR, a near-end/far-end cross-talk analysis will be performed to locate inductively or capacitively isolated devices. Products such as the Fluke DSP-2000 or DSP-4000 are ideal for testing the physical wiring, and will also provide highly accurate cross-talk analysis.

It may also be beneficial to perform a Sweep Analysis of the cabling (with a Spectrum Analyzer and Sweep Generator) to identify any frequency response related anomalies.

Be sure to check all conductor combinations, and all references to ground, and structural components for signal paths. When checking UTP wiring be sure to check all four cable pairs, and check the voice cabling at the same time (easy to do when four Smart Remotes are being used), but ensure that all cabling is "dry" (has no signal on it) before performing any tests.

Before bringing the network back online, always connect/re-connect the Traffic Analyzer to watch for any suspicious activity immediately after the network is brought back online. Eavesdropping software will often attempt to re-connect to the host immediately after the network comes back on-line.

Also, perform a visual inspection on all cable and wiring which can be accessed (yes, this will involve climbing a ladder and moving ceiling tiles), and open up all wall-boxes and inspect them with a borescope.