Security Basics mailing list archives

AW: How to stop Admins from sniffing ?


From: Christian.Assfalg () bc boehringer-ingelheim com
Date: Fri, 28 Jul 2006 19:21:48 +0200

I agree to and understand the arguments about security issues, network-admin responsibilities and company property.

It just strikes me as odd that he says that he works in a small company. They usually don't have that large IT 
departments, and those departments usually do a lot more than only network security. Normally, I'd consider them to be 
relatively busy, and the security level for a small firm is not comparable to what you would do with a big firm. I 
don't think an IT professional in a small firm has the free time to do regular portscans from his admin pc to a client 
pc.

If I would set up something like this (and there are good reasons to do so), I'd automate it and use a server that is 
constantly running. But I would not use my workstation - REGULARLY.

As someone said, if I suspected something, I'd simply call the person, or walk over and ask him, especially in a small 
firm where you most likely know almost everyone.

It's not so much the legal issues, possibilities and responsibilities that bother me, but the way it is done.

@Jeff: Maybe you should just ask that admin why he does this?

-----Original Message-----
From: Weir, Jason [mailto:jason.weir () nhrs org] 
Sent: Friday, 28 July 2006 14:28
To: Assfalg,Christian (APER) BIP-DE-B; security-basics () securityfocus com
Subject: RE: How to stop Admins from sniffing ?


I guess I have to think more globally.  I was basing my comments on U.S. case law

See the following site

http://www.windowsecurity.com/articles/Being-Big-Brother-Monitoring-employees-network-activity.html

So as you said it does depend on your specific country's laws.

I disagree with you on one other point. I regularly do port scans of my client PCs and my server and network equipment 
as well, it shows me when a rogue web\ftp\telnet\smtp\.... server shows up.

As a network security administrator I take it as my responsibility to know the purpose of every packet that goes across 
the wire.  I cannot do that unless I watch what's going on.  With the abundance of spyware\viruses\trojans\etc that 
infect our client PCs it becomes even more imperative that you watch ALL client traffic.

My question to you would be this.  What activities are you engaging in at work that you would not want your network 
security people to be aware of?  I understand the uneasy feeling that you get when you feel like you are being watched, 
but understand that some of this is necessary.  

I give the following advice to my users, if you are using company assets don't do anything that you would not want your 
grandmother to watch you do..

-J

 

-----Original Message-----
From: Christian.Assfalg () bc boehringer-ingelheim com [mailto:Christian.Assfalg () bc boehringer-ingelheim com] 
Sent: Friday, July 28, 2006 4:32 AM
To: Weir, Jason; security-basics () securityfocus com
Subject: AW: How to stop Admins from sniffing ?


Well, they don't.

At least not necessarily. In Germany, for example, there are a number of laws against monitoring of user activity. You 
cannot simply read someone's emails for example, unless you have a specific reason for it, and the works council agrees.

Similar things apply to auditing and monitoring and stuff like that. As soon as user behaviour is concerned, the works 
council has to agree. I am no lawyer or data privacy professional so I may be wrong, but that's what I think is the 
situation in Germany, and soon-to-be in the whole European Union. I guess those laws are not so strict in America, but 
I don't think you can simply watch "everything" someone does.

I'd say it depends on the laws of the country you work in, and the agreements you signed with your employer.

Personally, I don't see why a security professional would want to do a portscan on some client PC, or why someone would 
want to monitor every network package. That should be quite a lot, so it is a lot of work. Haven't they got other 
(better) things to do?

If Jeff would really want to hide something, then well - that's his problem. But I would not be very comfortable with 
this situation as well. We don't live in the world of "1984", do we?


-----Original Message-----
From: Weir, Jason [mailto:jason.weir () nhrs org] 
Sent: Thursday, 27 July 2006 18:12
To: security-basics () securityfocus com
Subject: RE: How to stop Admins from sniffing ?


Jeff,

My first question would be why would you want to stop them..  Any
competent IT security professional will be and should be monitoring
anything and everything that goes across their wire.  In my opinion that
is their job.

If you are trying to hide something that's a different story.  If it's
web traffic you can use an https connection to one of the many
anonymizer services out there.  Ethereal would only show encrypted
packets to\from the anonymizer site and not reveal the actual site you
are going to.  This would prevent network sniffing of web traffic only.
There are many other ways to see what's going on..

It sounds like you have a privacy issue but if you are using company
equipment and services you have no expectation of privacy and they have
every right to monitor everything you do.

Jason Weir
Systems Administrator
New Hampshire Retirement System


-----Original Message-----
From: swap_tek () yahoo co uk [mailto:swap_tek () yahoo co uk] 
Sent: Wednesday, July 26, 2006 1:14 AM
To: security-basics () securityfocus com
Subject: How to stop Admins from sniffing ?


Hey List

I work in a small organisation and the system and network administrators
here are constantly monitoring all data in the network. I have seen them
running Ethereal on their systems and from their talks I am sure that
they know who is doing what. I'm using Windows XP and I have a personal
firewall installed which pops up every few minutes saying that there is
a port scan attack going on. And when I looked up that IP address, it
belongs to the system being used by the administrator. I have tried
talking to my bosses about this but nothing happened (maybe the admins
convinced them that they are not doing anything like that or it's
happening by the bosses' permission).  I know since they are in the same network
as me it's easy for them to sniff all traffic and everything.

What I want to know from you people is: is there any way to stop
this? Is it possible for me to encrypt all traffic going out from my
system? 

I have never used an Anti-Sniffer, but can they help? Any way out?

Thanks in advance

Jeff


