Security Basics mailing list archives

Re: switched n/w


From: Russell Gregg <rusty.gregg () aholdusa com>
Date: 8 Dec 2004 14:23:46 -0000

In-Reply-To: <1102444223.2139.19.camel@Kaushal>


Hi,
  I am a bit new to network security. We have a switched network and to
my knowledge a host's data cannot be sniffed by another host by running
tcpdump. But I am receiving complaints from a few users that their data is
being changed/manipulated. Is this possible?
How can I avoid this at the host level? Does this mean the server has
been compromised? Any help or pointer in this aspect would be highly
appreciated.

thanks in advance.

kaushal.

Kaushal,

I would say a layered approach is needed in a switched environment.  

It's true that if everyone plays nice, no one can see someone else's traffic. I would then ask myself a question,
"Am I sure everyone is playing nice?" If you have any doubts, I would implement IPSec or another VPN for the
important servers at least. Next, I would verify least privilege for each resource on the server. Next, be sure to
turn up auditing for connections and resource accesses (writing seems appropriate here). If the file(s) you are
talking about are statically named or under a known path, I would look into an integrity checking tool that runs
passively on the server. If you're looking to identify the offender (pursue versus recover), then Snort with a
trigger for the filename or portion of the path might be good.

Hope this helped.

"Be the change you wish to see in the world."
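The passive integrity check Russell suggests for files under a known path, as an added example that is not part of the thread (and not any particular product's code): hash every regular file under a watched directory into a baseline, re-hash later, and report what was added, removed or modified. The directory tree and file contents below are constructed for the demonstration. One caveat a practitioner would want stated: the baseline has to be stored somewhere the suspected party cannot write (read-only media or another host), otherwise whoever is changing the data can just regenerate the baseline along with the tampering.

```python
"""Minimal passive file-integrity checker (added example, not from the thread)."""
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024


def hash_file(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative, '/'-separated) to digest, size and mode bits."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare_baseline(old, new):
    """Diff two baselines; any change in digest, size or permission bits counts as modified."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": [p for p in sorted(old_keys & new_keys) if old[p] != new[p]],
    }


def _write(root, rel, text):
    """Helper for the constructed scenario: write text to root/rel, creating directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline three files, then tamper with the tree and re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "reports/q3.txt", "q3 figures\n")
        _write(root, "reports/q4.txt", "original q4 figures\n")
        _write(root, "readme.txt", "do not edit\n")
        baseline = build_baseline(root)

        # Simulated tampering by a user or process that has write access.
        _write(root, "reports/q4.txt", "tampered q4 figures\n")  # content changed
        os.remove(os.path.join(root, "reports", "q3.txt"))       # file deleted
        _write(root, "reports/q5.txt", "planted file\n")          # file planted

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the report names reports/q4.txt as modified, reports/q3.txt as removed and reports/q5.txt as added; in practice you would run build_baseline once, keep the JSON dump off the server, and schedule compare_baseline against a fresh walk. Pair it with the write auditing Russell mentions: the checker tells you that a file changed, the audit log tells you which account changed it.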

