Network security

Scot L. Harris webid at
Thu Jun 10 15:37:17 UTC 2004

On Thu, 2004-06-10 at 04:37, Chadley Wilson wrote:
> Hello friends,
> My network with approx 300 users is routed to the internet through a
> proxy and firewall, we have a DNS server and PDC Server.
> It is a winXplease network.
> With a linux PC connected -
> What tools would you suggest I could use for the following:
> 1) Track an internal PC running a sniffer of some sort, obtain its ip
> and mac address, then stop it sniffing and maybe kick it off the
> network.

The bad news is this would be very difficult to detect.  The good news
is if you are using switches sniffing on your network becomes almost
impossible.  In a switched network you would need access to the switch
to configure mirroring of all or selected ports to the port the sniffer
is attached to.  So do a periodic examination of your switches to make
sure they have not been compromised and that port mirroring has not been
configured.  If you find something that does not make sense then disable
that port on the switch and hunt down the device.  

Also make sure your switches are not vulnerable to arp flooding.  (This
is a method by which some older switches can be attacked to get them to
send all packets to all ports.)   Most newer switches will not have this
problem.

I would also suggest you maintain a list of systems attached to your
network and use something like arpwatch to see when a new device is
connected to the network.  This will give you a heads up if someone
attaches a new device to your network.  

You may also want to run a network management tool such as Openview,
nagios, opennms, big brother, or even cheops.   (I don't really consider
cheops as a network management tool but it will give you a picture of
your network and the devices connected.)  Periodic nmap scans of your
network will also give you a way to pick up anything new or different
that has been added as well as alert you to any open ports on systems
that should not be there.

> 2) Be alerted when someone tries to sniff from outside, trace him and
> obtain his details or ISP details.

You won't see someone trying to sniff your network from outside, they
will probe it.  You will want to run some IDS software on your firewall
such as snort to try to catch activity like that.  Plus look at your
firewall log files for unusual activity.  The problem here is that
probes of your network will use various methods to obscure the fact that
you are being probed.  

The best defense here is to probe your own network regularly from
outside and make sure all unused ports/services are shutdown or in
stealth mode.  Most likely you will need to have certain ports open such
as SMTP, HTTP, HTTPS, DNS, and possibly a few others but not many more
than that.  You can use to run a quick scan of your
firewall to give you an idea of what is open.  Better yet set up your
machine at home with nmap and run your own scan of your Internet

That said, probably your biggest issues are going to be making sure you
have virus protection on your email server and clients and that your
main firewall is secure along with any servers in your DMZ that provide
services directly to the Internet.  Put tripwire on the servers as part
of your IDS protection and run backups, lots of backups!

> I am terribly new to security, please teach me!
> -- 
> ******************************************************************
> Chadley Wilson
> Soon 2 B RHCE
> Linux Rocks
> Welcome to my world.
> Enjoy the adventures of Linux 
> ***************************************************
> Linux is easy, lazy people criticise, curse and fail.
Scot L. Harris <webid at>
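A small inventory check in the spirit of the arpwatch suggestion in the reply above (an added example, not code from the original post or from arpwatch itself): it parses `arp -an` output taken on the Linux box and reports devices missing from the approved list, known machines that have moved, and known addresses now answered by an unexpected MAC. The baseline inventory and the ARP lines are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Approved inventory: MAC -> (expected IP, description).
# Constructed sample data, not from any real network.
BASELINE: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:01": ("192.168.10.1", "gateway/firewall"),
    "00:11:22:33:44:02": ("192.168.10.2", "pdc"),
    "00:11:22:33:44:03": ("192.168.10.3", "dns"),
    "00:11:22:33:44:10": ("192.168.10.50", "workstation-50"),
}

# Constructed sample of `arp -an` output as seen from the Linux PC.
ARP_OUTPUT = """\
? (192.168.10.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.10.2) at 00:11:22:33:44:02 [ether] on eth0
? (192.168.10.3) at 00:11:22:33:44:99 [ether] on eth0
? (192.168.10.50) at 00:11:22:33:44:10 [ether] on eth0
? (192.168.10.77) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.168.10.200) at <incomplete> on eth0
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) ")


def parse_arp(text: str) -> Dict[str, str]:
    """Return {ip: mac} for every resolved entry; <incomplete> entries are skipped."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line.lower())
        if m:
            seen[m.group("ip")] = m.group("mac")
    return seen


def check_inventory(current: Dict[str, str], baseline=BASELINE) -> List[str]:
    """Compare what is on the wire with the inventory, arpwatch-style.
    NEW: MAC not in inventory.  MOVED: known MAC at another IP.
    CHANGED: known IP now answered by a different MAC (replaced or spoofed host)."""
    events: List[str] = []
    known_ips = {ip: mac for mac, (ip, _) in baseline.items()}
    for ip, mac in sorted(current.items()):
        if mac in baseline:
            expected_ip, name = baseline[mac]
            if ip != expected_ip:
                events.append(f"MOVED {name} ({mac}) now at {ip}, inventory says {expected_ip}")
        elif ip in known_ips:
            events.append(f"CHANGED {ip} answered by {mac}, inventory says {known_ips[ip]}")
        else:
            events.append(f"NEW {mac} at {ip} is not in the inventory")
    return events


if __name__ == "__main__":
    for event in check_inventory(parse_arp(ARP_OUTPUT)):
        print(event)
```

Run it from cron against live `arp -an` output (after pinging the subnet so the ARP cache is populated) and mail the events; an empty result means nothing changed since the baseline was approved.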