Securing network against sniffing

[Andy90]

Arp Bridge/Proxy I think the term is?

[killadaninja]

About as secure as employing micheal jakson as the body guard for your 13 year old son

Implement some auditing software across the whole network. The software at my university doesnt allow hardly anything to be executed. And if you want to execute something you have to ask for permission. However i did write a bat script that i dropt into the startup folder, using a simple elevation trick I managed to bypass this security. I executed nmap, then went and got a technician to come and see what i had done.
I then had to teach the so called technician how to add a line of code to the unallowed sect of the auditing conf. Point is know your software , exactly what, how and why it works. As for wirless like i said before its only secure untill someone finds a way to make it unsecure, You dont want your network being vulnarable to this new attack, So make sure when your network has been infiltrated, pulling out infor is still hard work. So with the right restrictions right security right data encryption and proper monitering of your network your making it as safe as can be FOR NOW.

[purehate]

About as secure as employing micheal jakson as the body guard for your 13 year old son

Implement some auditing software across the whole network. The software at my university doesnt allow hardly anything to be executed. And if you want to execute something you have to ask for permission. However i did write a bat script that i dropt into the startup folder, using a simple elevation trick I managed to bypass this security. I executed nmap, then went and got a technician to come and see what i had done.
I then had to teach the so called technician how to add a line of code to the unallowed sect of the auditing conf. Point is know your software , exactly what, how and why it works. As for wirless like i said before its only secure untill someone finds a way to make it unsecure, You dont want your network being vulnarable to this new attack, So make sure when your network has been infiltrated, pulling out infor is still hard work. So with the right restrictions right security right data encryption and proper monitering of your network your making it as safe as can be FOR NOW.

In the future please edit your posts instead of making a new post 5 mins later.

[killadaninja]

sorry Ph was an accident ll make sure it dont happen again

[snake eyes]

Using Bridge ARP (i hope it's the correct term, I've never heard or used it though) is not feasible as the no. of PCs involved is too much with numerous layer 2 switches in different blocks.
Setting permissions on individual PCs is not possible either. Only a few PCs are in domain and we have only that much licenses of anti-virus software.
These are the few major roadblocks.
I tried using SSH, HTTPS for logging into servers and external websites, but found out that most of these passwords were being sniffed out too. Considering how many times we need to remotely login onto our servers from different locations (subnets) , it gets serious. I've been looking for a foolproof way to ensure that passwords don't get sniffed in the network like it's possible now. Catching the guys who do it is a bit difficult considering no. of users involved and available manpower and resources.

[Dudeman02379]

Using Bridge ARP (i hope it's the correct term, I've never heard or used it though) is not feasible as the no. of PCs involved is too much with numerous layer 2 switches in different blocks.
Setting permissions on individual PCs is not possible either. Only a few PCs are in domain and we have only that much licenses of anti-virus software.
These are the few major roadblocks.
I tried using SSH, HTTPS for logging into servers and external websites, but found out that most of these passwords were being sniffed out too. Considering how many times we need to remotely login onto our servers from different locations (subnets) , it gets serious. I've been looking for a foolproof way to ensure that passwords don't get sniffed in the network like it's possible now. Catching the guys who do it is a bit difficult considering no. of users involved and available manpower and resources.

It would be much easier to manage if all of your computers were members of the domain. Why aren't they? If it is a windows network maybe look into an IPSEC solution for encrypting lan traffic. Also I'm not exactly sure but aren't there IDS systems that would detect LAN sniffing?

[Amlord1]

Okay. I just thought of this, and it's probably a long shot.

You know how some firewall programs block programs that you want to run on your computer?

Would it be possible to use (or write) a network-wide firewall that would block certain programs (i.e. C&A, Metasploit, Ettercap, etc.) that are commonly and primarily used for the gaining of illegal information? If it's a corporate network, there should be no reason for the use of those on a PC or ESPECIALLY a corporate computer to have it installed, or to be using it. From experience, it's nearly impossible to get around the admin settings... well, that's unless you go and download a bootable slax cd.. which isn't hard at all, as long as you know you arn't downloading a virus.... Still, it could be made more secure...

Feedback please.

[streaker69]

Okay. I just thought of this, and it's probably a long shot.

You know how some firewall programs block programs that you want to run on your computer?

Would it be possible to use (or write) a network-wide firewall that would block certain programs (i.e. C&A, Metasploit, Ettercap, etc.) that are commonly and primarily used for the gaining of illegal information? If it's a corporate network, there should be no reason for the use of those on a PC or ESPECIALLY a corporate computer to have it installed, or to be using it. From experience, it's nearly impossible to get around the admin settings... well, that's unless you go and download a bootable slax cd.. which isn't hard at all, as long as you know you arn't downloading a virus.... Still, it could be made more secure...

Feedback please.

If you're talking about someone running one of these applications on a computer owned by said corporation, you wouldn't need a firewall, you'd just enable a group policy that does not allow them to be installed/run on the machine. This is rather easily done.

If you're talking about an intruder on the local LAN using their own machine you could take other measures. For your plan to work, you'd have to have a firewall capable of blocking those on every single machine, so you're talking about a software firewall on the OS. This of course would get cumbersome fast and rather impractical.

In cases like this, physical security would be better. Unused network ports are disabled at the switch and can only be enabled by a request to IT. MAC addresses are whitelisted and unknown MAC's found on the network send alerts to IT. As a policy, no outside machines may be connected to the corporate LAN, guest machines may be connected only inside a DMZ from the normal LAN.

IDS/IPS sensors could be placed at various places on the LAN looking for suspicious traffic. Anything noticed would be alerted to IT. This all goes to a layered security approach, there is no one solution.

[purehate]

Okay. I just thought of this, and it's probably a long shot.

You know how some firewall programs block programs that you want to run on your computer?

Would it be possible to use (or write) a network-wide firewall that would block certain programs (i.e. C&A, Metasploit, Ettercap, etc.) that are commonly and primarily used for the gaining of illegal information? If it's a corporate network, there should be no reason for the use of those on a PC or ESPECIALLY a corporate computer to have it installed, or to be using it. From experience, it's nearly impossible to get around the admin settings... well, that's unless you go and download a bootable slax cd.. which isn't hard at all, as long as you know you arn't downloading a virus.... Still, it could be made more secure...

Feedback please.

No because things like ettercap and C & A are "sniffers" and dont work with ports. The basically redirect arp requests. Metasploit or any other exploit framework for that matter cant be blocked because any shell code can pretty much be use with any port. There is now way to "port" block a exploit. You either need the service running on that port or you dont. The key is never letting a attacker any where near you LAN so that these tools are never used. The weakest link these days in a corporation is web applications so another key thing to do is keep your web servers in a DMZ so even if they are compromised the "evil hackers" still cannot access your LAN. This can all easily be done with hardware fire walls and cisco routers (or whatever you use).

[Amlord1]

No because things like ettercap and C & A are "sniffers" and dont work with ports. The basically redirect arp requests. Metasploit or any other exploit framework for that matter cant be blocked because any shell code can pretty much be use with any port. There is now way to "port" block a exploit. You either need the service running on that port or you dont. The key is never letting a attacker any where near you LAN so that these tools are never used. The weakest link these days in a corporation is web applications so another key thing to do is keep your web servers in a DMZ so even if they are compromised the "evil hackers" still cannot access your LAN. This can all easily be done with hardware fire walls and cisco routers (or whatever you use).

If you're talking about someone running one of these applications on a computer owned by said corporation, you wouldn't need a firewall, you'd just enable a group policy that does not allow them to be installed/run on the machine. This is rather easily done.

If you're talking about an intruder on the local LAN using their own machine you could take other measures. For your plan to work, you'd have to have a firewall capable of blocking those on every single machine, so you're talking about a software firewall on the OS. This of course would get cumbersome fast and rather impractical.

In cases like this, physical security would be better. Unused network ports are disabled at the switch and can only be enabled by a request to IT. MAC addresses are whitelisted and unknown MAC's found on the network send alerts to IT. As a policy, no outside machines may be connected to the corporate LAN, guest machines may be connected only inside a DMZ from the normal LAN.

IDS/IPS sensors could be placed at various places on the LAN looking for suspicious traffic. Anything noticed would be alerted to IT. This all goes to a layered security approach, there is no one solution.

Both make sense. Thanks.