Security Basics mailing list archives
Re: switched n/w
From: Russell Gregg <rusty.gregg () aholdusa com>
Date: 8 Dec 2004 14:23:46 -0000
In-Reply-To: <1102444223.2139.19.camel@Kaushal>
Hi, I am a bit new to network securities. We have a switched network and to my knowledge a host's data cannot be sniffed by another host by running tcpdump. But I am receiving complaints from a few users that their data is being changed/manipulated. Is this possible? How can I avoid this at the host level? Does this mean the server has been compromised? Any help or pointer in this aspect would be highly appreciated. Thanks in advance. kaushal.
Kaushal,

I would say a layered approach is needed in a switched environment. It's true that if everyone plays nice, no one can see someone else's traffic. I would then ask myself a question, "Am I sure everyone is playing nice?" If you have any doubts, I would implement IPSec or another VPN for the important servers at least. Next, I would verify least privilege for each resource on the server. Next, be sure to turn up auditing for connections and resource accesses (writing seems appropriate here). If the file(s) you are talking about are statically named or under a known path, I would look into an integrity checking tool that runs passively on the server. If you're looking to identify the offender (the pursue versus recover), then Snort with a trigger for the filename or portion of the path might be good.

Hope this helped.

"Be the change you wish to see in the world."