Security Basics mailing list archives
Re: AW: How to stop Admins from sniffing ?
From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Fri, 28 Jul 2006 08:32:21 -0600 (MDT)
> Hey List, I work in a small organisation and the system and network administrators here are constantly monitoring all data in the network. I have seen them running Ethereal on their systems and from their talks I am sure that they know who is doing what. I'm using Windows XP and I have a personal
I think some folks are forgetting that there are non-security reasons to sniff traffic as a Sys Admin. The foremost reason is troubleshooting. Sometimes, the only way to figure out what is really going on is to see what the client and server are "saying" to each other. I've used that method myself many times to fix problems that had the vendor scratching their head. That said, if the IDS picked up some suspicious behavior or someone is performing a simple network IP usage audit (ping-sweep), then port scans have their usage in determining if you have a false positive or if an IP is in use and by whom.
From a "watch everything" perspective -- it's simply not feasible in most shops in terms of man hours. Most of us have to let the automated tools, such as Snort, distill the volume of traffic down and alert us to the suspicious issues. Then, we are obligated to check each and every one of those distilled issues out. And it's even easier to prevent people from getting to sites than punishing them afterwards.

Do you have Sys Admins abusing Ethereal? Hard to say... you sound like a junior level IT guy without a lot of privileges. I'm not knocking you, but pointing out how you sound in the email. If you're going to forbidden sites, even if the payload is encrypted via SSL or SSH, you are going to get caught. Those packets do contain information about your source/destination traffic that Ethereal and IDS or proxy solutions will spot.

What little you described doesn't disturb me. There's simply not enough information.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org
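The point made above, that SSL or SSH hides the payload but not the addressing, as an added Python example that is not part of the original post: it constructs a minimal IPv4/TCP packet (addresses from documentation ranges, payload bytes made up) and extracts only what a passive monitor such as Ethereal or an IDS sees without any key.

```python
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIBBHHH"     # 20-byte TCP header without options


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal IPv4/TCP packet as sample data for parsing
    (checksums are left zero on purpose; this is not wire-ready)."""
    tcp = struct.pack(TCP_FMT, sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack(IP_FMT, 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp + payload


def visible_metadata(packet):
    """Return what a passive sniffer learns from one packet without decrypting
    anything: the 5-tuple, TTL and payload size. The payload is only classified
    as printable plaintext or opaque bytes, never interpreted further."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6 or len(packet) < ihl + 20:
        raise ValueError("not TCP, or TCP header truncated")
    sport, dport, _, _, offset_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    payload = packet[ihl + (offset_flags >> 12) * 4:total_len]
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "ttl": ttl,
        "payload_len": len(payload),
        "payload_readable": all(32 <= b < 127 for b in payload),
    }


# Constructed samples: a plaintext HTTP request and a TLS-looking record whose
# bytes are made up. Addresses are from the RFC 5737 documentation ranges.
CLEAR = build_ipv4_tcp("192.0.2.10", "203.0.113.5", 40000, 80, b"GET /forbidden HTTP/1.1")
OPAQUE = build_ipv4_tcp("192.0.2.10", "203.0.113.5", 40001, 443,
                        b"\x17\x03\x03\x00\x20" + bytes(range(32)))

if __name__ == "__main__":
    for pkt in (CLEAR, OPAQUE):
        print(visible_metadata(pkt))  # src/dst/ports visible in both cases
```

Both packets yield the same source and destination; only the payload classification differs, which is exactly what a proxy log or IDS alert keys on.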