Lumeta chief scientist checks for network leaks with IP Sonar

Bill Cheswick

It’s 10 o’clock. Do you know where your packets are? Actually, if you run a network of any size, it doesn’t matter what time it is, because you probably don’t know where your packets are — unless of course you’ve checked your network for leaks. Bill Cheswick, chief scientist at Lumeta, says he knows how to find your leaks, and he’s inspired the software that will help you find them.

What Cheswick does seems simple on the face of it. He uses the familiar traceroute function to explore the ends of the network, but his innovation goes beyond just using the traceroute command. Working from an inventory of network nodes, he uses spoofed addresses from both inside and outside the network to see where those queries show up. The key is that if a query from one side of the network ends up on the wrong side, there’s a network leak.

To accomplish this, Lumeta uses a new collection of appliances, called IP Sonar, which are placed in spots both inside and outside the network. The appliances communicate with a server that reports on what they find. To check for leaks, the appliances send traceroute requests to each IP address on the network and then look for responses. Network leaks show up in one of two ways. Either a test launched from inside the network reports passing through nodes outside it, or a test launched from outside appears inside the network (which shouldn’t happen if the firewall is properly configured).
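As an added illustration of the two-sided leak test described above (example code, not Lumeta's or Cheswick's), the following Python classifies traceroute results already collected by probes inside and outside the network, flagging a trace whose hops cross to the wrong side and, since Cheswick mentions them, the routing loops that show up as a repeated hop. The internal prefixes and the trace data are constructed for the example.

```python
import ipaddress

# Constructed internal address space for this example (an assumption, not real site data).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def is_internal(addr, nets=INTERNAL_NETS):
    """True if addr falls inside one of the known internal prefixes."""
    return any(ipaddress.ip_address(addr) in net for net in nets)

def classify_trace(trace, nets=INTERNAL_NETS):
    """Judge one traceroute result: {"origin": "inside"|"outside", "target": ip, "hops": [...]}.
    Returns (kind, hop) findings; an empty list means the path looks clean."""
    findings, seen = [], set()
    for hop in trace["hops"]:
        if hop == "*":              # unanswered TTL: nothing to judge at this hop
            continue
        if hop in seen:             # the same router answered twice: a routing loop
            findings.append(("routing_loop", hop))
            break
        seen.add(hop)
        internal = is_internal(hop, nets)
        if trace["origin"] == "inside" and not internal:
            findings.append(("leak_out", hop))   # internal probe transited an external node
            break
        if trace["origin"] == "outside" and internal:
            findings.append(("leak_in", hop))    # external probe got past the perimeter
            break
    return findings

def find_leaks(traces, nets=INTERNAL_NETS):
    """Map each probe target to its findings, keeping only traces that show a problem."""
    return {t["target"]: f for t in traces if (f := classify_trace(t, nets))}

# Constructed traceroute results, in the shape the appliances might report them.
SAMPLE_TRACES = [
    {"origin": "inside", "target": "10.1.2.3",
     "hops": ["10.0.0.1", "10.1.0.1", "10.1.2.3"]},                  # clean internal path
    {"origin": "inside", "target": "10.5.0.9",
     "hops": ["10.0.0.1", "203.0.113.5", "10.5.0.9"]},               # dual-homed device
    {"origin": "outside", "target": "10.7.0.4",
     "hops": ["198.51.100.1", "10.7.0.1", "10.7.0.4"]},              # firewall let it in
    {"origin": "outside", "target": "10.8.0.2",
     "hops": ["198.51.100.1", "*", "*"]},                            # blocked: clean
    {"origin": "inside", "target": "10.9.0.1",
     "hops": ["10.0.0.1", "10.9.0.254", "10.0.0.1", "10.9.0.254"]},  # routing loop
]
```

Running `find_leaks(SAMPLE_TRACES)` reports only the three problem targets, each with the first offending hop, which is the list an operator would then chase down.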

Cheswick says that there are plenty of circumstances that cause packets to leak from a network. The most common problem is devices that have connections to both the internal network and to the Internet. Although such devices may not normally pass packets between networks, under some circumstances they might. Other reasons can include poorly configured routers or firewalls. “We find a lot of routing loops,” Cheswick says.

The appeal of IP Sonar is that it produces what Cheswick calls a cleaner network. He says that companies can plug holes that could let worms inside. He says they can also find links to the Internet that shouldn’t be there, routers that shouldn’t exist, and computers that should have been removed. “It’s network hygiene,” Cheswick says.

Cheswick notes that companies that combine networks through acquisitions benefit greatly from this approach. The government is also a big user, although it won’t say exactly what its results have been. Cheswick did say that government users have had one comment. “They said the republic was safer because of it,” he says.