On Thu, 2004-06-10 at 04:37, Chadley Wilson wrote:
> Hello friends,
>
> My network with approx 300 users is routed to the internet through a
> proxy and firewall, we have a DNS server and PDC Server.
> It is a winXplease network.
>
> With a linux PC connected -
> What tools would you suggest I could use for the following:
>
> 1) Track an internal PC running a sniffer of some sort, obtain its ip
> and mac address, then stop it sniffing and maybe kick it off the
> network.
>

The bad news is this would be very difficult to detect. The good news is if you are using switches, sniffing on your network becomes almost impossible. In a switched network you would need access to the switch to configure mirroring of all or selected ports to the port the sniffer is attached to. So do a periodic examination of your switches to make sure they have not been compromised and that port mirroring has not been configured. If you find something that does not make sense, then disable that port on the switch and hunt down the device.

Also make sure your switches are not vulnerable to arp flooding. (This is a method by which some older switches can be attacked to get them to send all packets to all ports.) Most newer switches will not have this problem.

I would also suggest you maintain a list of systems attached to your network and use something like arpwatch to see when a new device is connected to the network. This will give you a heads up if someone attaches a new device to your network.

You may also want to run a network management tool such as Openview, nagios, opennms, big brother, or even cheops. (I don't really consider cheops a network management tool, but it will give you a picture of your network and the devices connected.) Periodic nmap scans of your network will also give you a way to pick up anything new or different that has been added, as well as alert you to any open ports on systems that should not be there.

> 2) Be alerted when someone tries to sniff from outside, trace him and
> obtain his details or ISP details.
>

You won't see someone trying to sniff your network from outside; they will probe it. You will want to run some IDS software on your firewall such as snort to try to catch activity like that. Plus look at your firewall log files for unusual activity. The problem here is that probes of your network will use various methods to obscure the fact that you are being probed. The best defense here is to probe your own network regularly from outside and make sure all unused ports/services are shut down or in stealth mode. Most likely you will need to have certain ports open such as SMTP, HTTP, HTTPS, DNS, and possibly a few others, but not many more than that. You can use http://www.grc.com to run a quick scan of your firewall to give you an idea of what is open. Better yet, set up your machine at home with nmap and run your own scan of your Internet firewall.

That said, probably your biggest issues are going to be making sure you have virus protection on your email server and clients and that your main firewall is secure, along with any servers in your DMZ that provide services directly to the Internet. Put tripwire on the servers as part of your IDS protection and run backups, lots of backups!

> I am terribly new to security, please teach me!
> --
> ******************************************************************
> Chadley Wilson
> Soon 2 B RHCE
> Linux Rocks
> Welcome to my world.
> Enjoy the adventures of Linux
> ***************************************************
> Linux is easy, lazy people criticise, curse and fail.

--
Scot L. Harris <webid@xxxxxxxxxx>
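Added example, not from the thread or from arpwatch itself: a minimal arpwatch-style check that compares the Linux /proc/net/arp table against a baseline inventory of known stations, reporting new MAC addresses and IPs whose MAC has changed (the "new station" and "changed ethernet address" events arpwatch alerts on). The baseline and the ARP table contents are constructed sample data.

```python
# Added example: arpwatch-style comparison of the current ARP table against
# a baseline inventory of known stations. Input format is that of
# /proc/net/arp on Linux; BASELINE and SAMPLE_ARP below are constructed.
import re
from dataclasses import dataclass, field

ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+0x\d+\s+0x(?P<flags>[0-9a-f]+)\s+"
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+\S+\s+(?P<dev>\S+)", re.I)

# Constructed inventory: the stations you expect to see on the segment.
BASELINE = {"192.168.1.1": "00:11:22:33:44:55", "192.168.1.10": "00:11:22:33:44:66"}

# Constructed /proc/net/arp snapshot: one known host, one host whose MAC
# changed, one never-seen MAC, and one incomplete (flags 0x0) entry.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.10     0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
192.168.1.77     0x1         0x2         de:ad:be:ef:00:01     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

@dataclass
class ArpReport:
    new_stations: list = field(default_factory=list)  # (ip, mac) never seen before
    changed: list = field(default_factory=list)       # (ip, old_mac, new_mac)

def parse_arp_table(text):
    """Return {ip: mac} for complete entries (flag bit 0x2); skip the rest."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # header or unrecognised line
        if int(m.group("flags"), 16) & 0x2 == 0:
            continue  # incomplete entry: MAC is all zeros, nothing to compare
        table[m.group("ip")] = m.group("mac").lower()
    return table

def check_against_baseline(baseline, current):
    """Flag MACs absent from the baseline and IPs whose MAC differs from it."""
    report = ArpReport()
    known_macs = {mac.lower() for mac in baseline.values()}
    for ip, mac in sorted(current.items()):
        if mac not in known_macs:
            report.new_stations.append((ip, mac))
        old = baseline.get(ip)
        if old is not None and old.lower() != mac:
            report.changed.append((ip, old.lower(), mac))
    return report

def run_check():
    """Run the comparison on the constructed sample; read /proc/net/arp in practice."""
    return check_against_baseline(BASELINE, parse_arp_table(SAMPLE_ARP))
```

Run from cron and mail the report when either list is non-empty; a MAC change on a gateway address in particular is worth investigating right away.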