Slashdot Mirror


Unintrusive Traffic Content Monitoring?

fuzzybunny asks: "I've recently been given my turn in the bucket as head tech guy at a startup in Germany. We deal with backend monetary transactions for companies that need to send bills, and as such handle large quantities of personal and confidential financial information. I've been informed that in order to comply with financial due diligence laws here, as well as to guard against sabotage by angry employees (not that we have any), I have to figure out some way to sniff outbound network traffic for stuff that's not supposed to leave the company network." Internal security is something all network administrators will have to deal with at some point or another. Are there methods they can employ to ensure that data that's supposed to stay in the network isn't encouraged to take a nightly stroll somewhere it isn't supposed to, without excessively violating the privacy of the users?

"I realize that someone who wants to get confidential information out can easily circumvent any technical measures (copy to floppy, encrypt mail, print out, etc.) However, the idea here is to force someone to take that extra willful step.

Given that I categorically refuse to sniff general network traffic, block URLs, or generally look over people's shoulders, I am looking for a solution that lets me automatically watermark non-ascii files and just sniff for certain binary strings on outgoing traffic, while keeping any non-matching traffic completely anonymous. Any ideas on this?"

37 of 82 comments

  1. Bare Minimum it is then... by jpowers · · Score: 4

    Set up a proxy server and force all outbound traffic over it. Tell the users it's to filter for Outlook viruses or some (.V)BS. Shut down all but a few ports, then run a packet sniffer to watch the ports you open. The proxy server has to be able to handle all the traffic, so if you have a LAN/WAN setup, you can use the proxy as a gateway between LAN servers and WAN/external traffic (so it won't slow down the outside users' access to your webpage).

    We already do this (though the packet sniffer's for diagnostics only): LAN w/NT server+100 clients, proxy w/sniffer to get through to the WAN (Sun SPARCs for DBASE and web server), then another "standard" firewall out beyond the WAN to get to the internet. That way they have to get through two firewalls to get to our files from outside, and the inside users get their files scanned on the way out. Non-intrusive as we could make it, once the machines are set up for proxy the users don't know the difference. The packet sniffer's a 10-year-old SPARC classic, so we're not talking about major investment of $$$ here.

    -jpowers

  2. Trying to do the impossible... by StevenMaurer · · Score: 2
    Are there methods they can employ to insure that data that's supposed to stay in the network, isn't encouraged to take a nightly stroll somewhere it isn't supposed to without excessively violating the privacy of the users?

    As the case of Dr. Wen Ho Lee showed, this is impossible - even for (supposedly) ultra high security installations like the U.S. nuclear research labs.

    All you have to do is download to a tape or floppy and walk out with the info. If the person doing this is actually a criminal or spy (as opposed to Dr. Lee - who called tech support to help him figure out how to do this), it is pretty trivial for them to prevent this from being detected.

    Yes, there are dozens of basic security procedures that can catch the idiots, but you will never catch anybody who knows anything about computers.

  3. Re:Stego by mindstrm · · Score: 2

    But remember, the issue is that IT must do proper diligence in ensuring that data does not leak, in order to meet with financial regulations.

    You only need to go as far as necessary to meet regs.

  4. Re:Big Brother is Watching by mindstrm · · Score: 2

    As an IT person, I may look at people's surfing habits, but only out of idle curiosity.
    Perhaps if I noticed they surfed what I thought was an awful lot, I might poke my nose into what they were surfing.. and then poke my nose into whether their boss is happy with their performance or not.

    Why? I firmly believe that the bottom line is, the employee has been hired to do a job. If he is doing that job to the satisfaction of those responsible for his position in the first place, I don't *care* how much he surfs.
    You hit it on the head when you said 'provide data supervisors need to see'... if they need to see it. If they have issues with their employees not working out, they can come and ask.

  5. Re:so? by mindstrm · · Score: 2

    You missed the point.
    The point wasn't that you could reclaim your damages.. the point was that employees who are run through proper security audits, and forced to sign proper documents indicating the penalties for disclosing confidential information will tend to RESPECT THAT, as opposed to simply putting in a 'technical' solution.

  6. Re:Simple, common sense things you can do. by mindstrm · · Score: 3

    And..
    Don't publish your security methods openly.

  7. Re:No good technology solution... by Chakotay · · Score: 2

    it's nothing your average school kid couldn't circumvent.

    Yes, and that is also basically mentioned in the article text. Anybody is going to be able to get past this system, but the thing is that then they're going to have to take that extra step knowingly, so they can't claim they mailed that sensitive data out unknowingly, because they would have had to take extra steps to make sure it wasn't caught immediately by the filter. Thus, the filter only has to block the obvious ways of data smuggling, to make the company stand much stronger in court if somebody does smuggle data out, because the employee can't possibly claim he did it by accident.

    They must be trusted in order to do their jobs properly.

    Yes, of course, but there's a rotten apple in every box. Of all the people I know who work at the company I work for, I wouldn't think they'd be thieves, yet still quite regularly stuff is stolen if it's not locked down. Very sad business...

    Unfortunately, as a company, no matter how much you trust your employees, it's a given fact that at least one of them will at some point try to screw you. You can either wait around to be screwed, you can try to prevent being screwed (which is generally very invasive, inefficient and expensive) or, as this company is doing, you can try to increase your chances of finding out when somebody tries to screw you and increase your chances of taking successful legal steps against them.

    In terms of monitoring outbound traffic for sensitive data, well, forget it. Heck, even compression will ruin pattern matches.

    Ah, yes, but even compressing the sensitive data will be that extra willful step. Somebody could theoretically accidentally attach a sensitive file to an email message and send it out. It is however not necessary to compress or encrypt such sensitive data for internal use (I presume), so sending out encrypted or compressed sensitive data is that extra willful step, so when you do detect a leak and find the person responsible, he can't claim in court that it was an accident. Yes, even in that case he'd still be responsible, but it could be considered negligence rather than a criminal act.

    )O(
    Never underestimate the power of stupidity
    To err is human, to moo bovine
  8. Re:If you really need a tight network... by Surak · · Score: 2

    If the data is really sensitive, you might consider the old 'air gap' solution; have a private network that isn't connected to the outside in ANY WAY, and then an external network that employees use on a day-to-day basis. If you put that network on a hub, or on a switch that supports mirroring, you should be able to monitor all traffic on that private network (assuming you don't exceed, in aggregate, the bandwidth on your monitoring port if you're switch-based) and ensure that no foreign MAC addresses show up on the network, and that all the traffic stays local. You can't, of course, control what users do with things like floppy disks.

    Sure you can control what people do with floppy disks: have computers without floppy disk drives. Of course this applies to all other removable media. If you need removable media, then make sure that access is limited to authorized individuals only (via physical security methods).

    But, you still can't control what people do with information they see. If I find out that Joe Sixpack has $500,000 in his account, there is NOTHING to stop me from taking that information from the internal, private network, and typing into the external network connected to the Internet.

    The only way to be absolutely sure that NO data gets out is not have any external network connections at all. People will at least have to PHYSICALLY walk this stuff out the door.

    It all goes back to the old adage: information wants to be free. :)

  9. You're missing the point here by pforce · · Score: 2

    I think you're overlooking what he's saying here. The idea isn't really to prevent data theft as you would agree is pretty hard to do with someone looking over the employees' shoulders all the time. The idea is to make the employees have to go the extra mile, to "take that extra willful step" as fuzzybunny puts it. This makes a lot of sense from a legal standpoint.

    Imagine that the "disgruntled employee" starts emailing credit cards to his home address (yes, this would be stupid, but it's just an example). Now if the company catches the employee doing this, he's going to get in trouble, but the employee can always say "oh gee, oops. I must have accidentally sent sensitive information. I'll try to be good next time."

    On the other hand if the company routinely sniffs for credit card numbers (or whatever info) and announces this policy to its employees, then the employees know they're going to have to be craftier than email. So when Joe Employee encrypts the credit card numbers and sends them home, and gets caught, he's going to be in a lot more trouble than had he just emailed it and gotten caught.

  10. One approach to outgoing data we use by SIGFPE · · Score: 3

    Most transactions that are legitimate involve large numbers of small batches of outgoing data and larger amounts of incoming data (using realaudio, downloading useful software, reading slashdot). Transactions that are frowned upon (eg. sending out images (our job, as a company, is to make pictures)) involve lots of data going out. So the solution I came up with was to throttle data going out to 3K/s for the entire company (50-60 people). (Mail and incoming http is through a server or proxy so isn't counted in this.) Everyone seems happy now. This isn't something that will work for most people but for those in the situation that the items of value are rather large (many megs) it seems to work well. Of course someone can keep an ftp connection open for many hours but (1) everyone would rapidly notice if someone does this excessively and (2) outside work hours (8am-8pm approx.) all IP traffic from individuals to the outside world is throttled to 0K/s. There's no point being 100% secure - people can hook up an external drive to their PC or even photograph images on their screen using a digital camera.
    --
    -- SIGFPE
  11. Big Brother is Watching by lZelus · · Score: 2
    The topic of MIS watching the actions of the company's employees is one that comes up often. We usually come back to one main point: a bad employee is a bad employee and by the same token a good one is a good one. Therefore we sniff packets, track URLs, watch phone usage, scan time clock entries and many other things. However the results of these are taken with a grain of salt. We, as IT people, know how much web surfing is cool, but we also know that 2 of your 8 hour day is a little excessive unless you have an internet intensive job. All of this data is only useful for two reasons: one, to spot employees' work habits that should be checked by supervisors, and two, to provide the hard data that a supervisor needs to show what they already know.

    I think you should be less concerned with the actual process and just be careful that the results are appropriately interpreted.

  12. If you really need a tight network... by Malor · · Score: 5

    Your fundamental goal -- allowing anonymous, untracked internet usage, while simultaneously being *absolutely sure* that unauthorized data isn't getting out -- is impossible.

    The traditional method of access control in this sort of circumstance is a proxy-style firewall. However, I don't know of any proxy firewalls that can inspect for specific content. They can check for correctness of protocol data, but I don't know of any way to set off klaxons and call the police if the user manages to embed today's secret word in an HTTP:// request.

    You definitely can't use packet-level firewalls for this purpose, even stateful inspection ones, because users can bury any data they want in traffic bound for, say, port 80. It doesn't have to be just HTTP. Packet-level firewalls just work on port pairings. Example: if I were ever in a network that refused me access to my home machine, I'd probably just tunnel through port 80, which is open 90% of the time. A proxy firewall would stop that: a packet firewall will not.

    It might be possible to custom-code an outbound content filter into an open-source proxy like Squid. Squid isn't a firewall, so you'd probably have to dual-home your Squid box (to make it the only way out) and then have a firewall between it and the outside.

    Even at that level, it would still be possible to sneak things out. Almost any system that allows two-way communication can have arbitrary data inserted into the data stream in a way that is very unobvious to even a savvy network admin. Just a few days ago I saw a method to tunnel IP networking over DNS requests. (seriously). I think it was probably posted here on /. if you're interested. Good luck catching THAT with a sniffer. :-)

    What this all boils down to is this: if you allow any form of two-way communication into your network, then employees can get data out. Period. And there's no way you can know what it is without extensive and highly sophisticated pattern analysis.

    If the data is really sensitive, you might consider the old 'air gap' solution; have a private network that isn't connected to the outside in ANY WAY, and then an external network that employees use on a day-to-day basis. If you put that network on a hub, or on a switch that supports port mirroring, you should be able to monitor all traffic on that private network (assuming you don't exceed, in aggregate, the bandwidth on your monitoring port if you're switch-based) and ensure that no foreign MAC addresses show up on the network, and that all the traffic stays local. You can't, of course, control what users do with things like floppy disks. However, having the separate high-security network will let you monitor intensely enough to be aware that a given employee is accessing data they don't normally need access to. At least, it can do that if you're willing to put the effort into writing/customizing the monitoring tools. Definitely a non-trivial effort.

    If you can't build two networks, then you probably shouldn't even bother monitoring. It won't do you any good. Anyone out there with a real clue will waltz right past any protections you might set up.

  13. Impossible by NaughtyEddie · · Score: 2
    You can't stop the "bad" traffic without also viewing some of the "good" traffic. If people want to work in a company that deals with sensitive financial information, they should be able to deal with the fact that the emails they send while at work are not confidential. If not, they should leave. This isn't a platform for some crusade against censorship, it's people's personal financial information you're talking about - information that could severely damage them in the wrong hands (like, a bank for instance ;).

    I find it disappointing that you're more worried about "conforming to the law" than about actually securing this information.

    --
    It's a .88 magnum -- it goes through schools.
    -- Danny Vermin
  14. Re:The solution is not technical by Chakotay · · Score: 2

    First of all, this is a German company we're talking about. Germans aren't as sue-happy as Americans.

    Second of all, German banks are required to take due precaution against leaking of sensitive data, so sensitive data can't be sent out accidentally, and so that people guilty of leaking data can't claim in court that it was an accident.

    It's stunning how many people don't actually read or interpret the article text. They don't want to block all possible ways of leaking information, because that's impossible, they just want to block the most obvious ways of leaking information. They don't want a legal solution, they want a technical one.

    In all the posts in this thread that were moderated up, there were only two or three that are actually relevant to the article text, all the others, including the parent of this message, are based on misinterpretations of the article text and thus useless.

    )O(
    Never underestimate the power of stupidity
    To err is human, to moo bovine
  15. The solution is not technical by Enoch+Root · · Score: 3
    I know, I know. Every geek tends to answer a human problem with a technical answer. I should know, I worked for one year as a CSO for a large company. (Won't say which, but suffice to say it's a subsidiary of Canada's largest e-commerce firm.) The answer, in this case, is simple:

    Put a use of confidential information clause in their contract, and threaten to sue them to hell should they ever breach it.

    Now, you may not like this. It's not pretty. But that's the way to do it. If you try to patch the system with a technical solution, they'll never respect it, because hackers figure if they can find a hole, it's their god-given right to exploit it. But trust me, every script kiddie gives up his tactics when he's slapped with a FBI (RCMP in Canada) search warrant and threats of legal action. Ditto with employees.

    This way, you won't even have to bother with configuring your system. Just sue one guy as an example to others, that works well also. It may not be really cool; but trust me, it's effective.

  16. Misunderstanding the Question by fuzzybunny · · Score: 2
    Hi there,

    I posted this question and I appreciate the responses, but I think a lot of people didn't catch the gist of what I was asking.

    It's a comparatively easy task to secure my network from external threats; that is a combination of good product choice, intelligent design, clued configuration, and conscientious administration and monitoring.

    I also know that I don't have a hope in hell of technically leak-proofing my network from the inside-out. That problem indeed is not a technical one. That's why I'm not sniffing general network traffic; our usage policy is something like "don't be an asshole." If people are abusing resources, we indeed have other problems.

    What I'm trying to do is to address a specific eventuality as required by some of the compliance laws here. Assume a guy is pissed off or leaving for a competitor. He wants to mail/ftp/netcat/whatever out a customer database or internal documents. We have watermarked our files; he knows this, but doesn't know exactly how, so he will need to encrypt the data, print it out, put it on a tape, write it on his hand, whatever.

    The point is to force him to consciously, wilfully take that extra malicious step. That way, under compliance laws, we can say that we exercised due diligence to the best extent possible without impacting our productivity by doing all kinds of crazy paranoid stuff like keystroke logging or chaining people to their desks.

    So once again, the question is: is there some mechanism by which we can automatically embed some sort of watermark in any non-ascii file (database, ms word doc, etc.), send all outgoing traffic through a layer 5-7 proxy, and just sniff for that single watermark string?

    All replies are appreciated.

    --
    Cole's Law: Thinly sliced cabbage
    1. Re:Misunderstanding the Question by cybaea · · Score: 2

      As somebody else pointed out: most binary files can be watermarked but the method will be different for each type. You'll have to identify all data types that can potentially hold sensitive data, implement a watermark for each, and then implement the checking in your firewall/proxy/ipmasq/whatever.

      An alternative (especially if your key files change fairly infrequently) may be to store a hash value for all critical files and check that on outbound attachments etc.

      Databases are a problem: it's hard to see how you can prevent people from doing a bcp of all the data and send it. Two things may help: (1) make sure all database activity is logged and (2) include a few dummy database entries that you can search for (e.g. username 'faisifopida' or whatever). Just make sure your applications filter the watermark data out.

      Oh, and you'll need to keep the method(s) you employ secret. That sucks and means you'll need to employ several methods at the same time.

      --
      Hi!
  17. Re:No good technology solution... by kabir · · Score: 2

    Ok, two points - First, I think you are misunderstanding what I mean when I say that employees must be trusted. What I mean is that in order to perform job X an employee must have access to sensitive data Y. In such a case a de facto trust relationship is established. Yes, of course, you want to limit the employee's ability to violate that trust as much as possible, but it still must exist for them to do their job.

    Secondly, a company shouldn't need to create an "extra step" to protect itself (a specific filter, etc, as you suggest) in order to strengthen its case in court if it has taken the proper precautions in enumerating the sensitivity of the data, as well as having employees read and sign (in the presence of a witness, who also signs) confidentiality agreements, sensitive data handling procedures, etc. In the end, these documents will be far more valuable to a legal team than an error-prone, scattershot, scanning tool (which might even be used by the defence to draw focus from the actual data theft to privacy issues, etc.). If such a scanning system had any chance of helping against an actual theft, I would not be so down on them. However, anyone actually trying to steal anything for malicious purposes is likely to either a) disguise that data as something else or b) just carry it out of the building on media. Let's not forget that theft was going on long before the internet.
    --
    Behold the Power of Cheese!
  18. Re:Simple, common sense things you can do. by mindstrm · · Score: 2

    Think about it.
    I didn't say 'security through obscurity is good'. That's a blanket statement, and security CANNOT be summed up so simply.

    Is security through obscurity good? Well.. when it comes to holes in software... apparently not. More eyes = faster discovery of problems, and faster fixes.

    However.. if I run a server where ALL the daemons are custom written, and NOBODY has the source, how can you tell me that my site will be 'more secure if I publish the source?'. It sure as hell won't be. Nobody would have a clue where to begin.

    One of the first tenets of security is to not divulge how or what your security measures are. If you do, you simply help someone in figuring out how to avoid your measures.

    If security through obscurity is so bad.. why doesn't every firewalled network publish a diagram of their internal network, complete with passwords and firewall configurations? I mean, otherwise they're being 'obscure' right?

    Sheesh.

  19. It's the same deal as always... by Chiasmus_ · · Score: 4

    If someone is really smart and wants to steal or transfer company records behind your back, he or she will find a way. It can be disguised, routed through unusual channels, encrypted, or even sent out in screen shot format as a bunch of JPGs.

    If, on the other hand, they're an idiot, and sending the stuff out either recklessly or accidentally, you don't need technology to handle it. Either look over their shoulder once in a while, or get them drunk.

    So, do what companies always do: the bare minimum required to meet legal standards, and grudgingly, at that.

    --
    "Beware he who would deny you access to information, for in his heart he deems himself your master."
  20. Monitor Certain Ports/Automated Scanning by LaNMaN2000 · · Score: 4

    If I were in your position, I would ensure that no outbound traffic travels on non-standard ports that have not first been registered with IT (to prevent DDoS clients from being installed/managed, BackOrifice from being installed, etc.). Also, I think that installing an automated scanner for e-mail, prohibiting attachments larger than a certain size, etc. would be prudent. Personally, I would not find it invasive if I was told, as an employee, what type of e-mail would raise a flag with the automatic scanner and ensured that my mail would not be read by another human being unless it was potentially dangerous.

    Basically, the most important thing, from an employees perspective, with network scanning is full disclosure. I would feel violated if my personal transmissions were searched without my knowledge, but I think most people would understand the need for tight security given the inherent insecurity of an Internet connection.

    --

    ByteMyCode.com: A Web 2.0 code sharing community.
    1. Re:Monitor Certain Ports/Automated Scanning by Tower · · Score: 2

      However, they may be your employees, and have their own personal freedoms, but there are certain things that you must abide by on company time/resources. Usually this is mentioned in a person's contract or in other areas on the network (login notes, etc.). We have the usual at work, something to the effect of "these resources are to be used for business purposes only, and usage is subject to review by management". It's the company's dollars for the connectivity, endpoints, and infrastructure (enough buzzwords), and they have a right to limit how the employee uses it. If you don't like it, leave. I haven't encountered any problems at work sending some personal emails or reading /. and espn.com, but (aside from forgetting to notice a troll link to goatse.cx) I don't visit any questionable sites from work, and I keep off of the top internet bandwidth users list (it's there if you know where to look), except when I d/l KDE or mozilla...

      You can trust your employees, but loyalty in the tech industry in this day and age is more fleeting than ever, so, well, you can't trust everyone - so you have to equally not trust everyone. It isn't the greatest thing, but that's the way it is...

      --
      "It's tough to be bilingual when you get hit in the head."
    2. Re:Monitor Certain Ports/Automated Scanning by SEWilco · · Score: 2

      Tax laws probably also require that if you're taking tax deductions for business expenses and equipment, those must be used for business purposes...not employee personal use. That's one reason a "company car" often has certain restrictions.

  21. No good technology solution... by kabir · · Score: 4

    Ultimately there is no good solution to this sort of problem. Various technologies have been developed (usually in concert with a government) which allow data to be labelled, etc. While there are some rudimentary barriers to moving around labelled data, it's nothing your average school kid couldn't circumvent.

    The truth of the matter is this: you have chosen to trust your employees (at various levels). They must be trusted in order to do their jobs properly. If they choose to violate that trust, you will be unable to stop them.

    Now, it is possible to make that sort of thing much more difficult, but the methods are not terribly reasonable, and usually incompatible with business practices.

    In terms of monitoring outbound traffic for sensitive data, well, forget it. Heck, even compression will ruin pattern matches. Better to simply spend more time evaluating how trustworthy potential employees are before hiring them into sensitive, high access positions. Get background checks and be a good judge of character.

    Oh, and cross your fingers.
    --
    Behold the Power of Cheese!
  22. Limit the visibility employees have to data by Enonu · · Score: 4

    ALL other solutions are either impractical or can be circumvented, perhaps by just pencil and paper :)

  23. Impossible task by abes · · Score: 2

    As mentioned previously, there is theoretically no way of ensuring that someone isn't passing something out, unless they try to send it in plain form. Perhaps what you should be worrying about instead is where the information is headed to. Again, this can be a daunting task, but a simple histogram of all the sites that are sent data packets (all protocols, since, as has been shown, spoofing is easy), and you then at least have the ability to question where large quantities of data might be headed. Certain 'trusted' sites might be ignored (e.g. slashdot.org), while other sites (e.g. 207.43.24.32) should be more closely examined. If you want to get fancy, you might even be able to employ some statistics to find the relationship between someone sending data, and receiving data from these sites.

    All of this said, I believe that to a certain extent these methods are not only more likely to catch possible offenders, but can also protect people's privacy. You are not explicitly examining the data people are sending out, but rather where large amounts of data are headed.
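
The per-destination histogram abes describes above, written out as an added example for this page (it is not code from the thread or from any product). It assumes a NetFlow/ipmasq-style export of flow records giving workstation, destination, protocol and bytes in each direction; the flow records, the allowlist of trusted destinations and the two thresholds are constructed values a site would replace with its own baseline.

```python
"""Per-destination outbound byte histogram, the 'where is it headed' check.
Added example for this page, not code from the thread or any product. Input
is a list of constructed flow records (workstation, destination, protocol,
bytes_out, bytes_in) such as a NetFlow/ipmasq-style export would give; the
allowlist and thresholds are assumed values a site would tune to itself."""
from collections import defaultdict

# Assumed: destinations exempt from review (mirrors, news, the company's own mail relay).
TRUSTED = {"slashdot.org", "debian.org", "smtp.example.com"}
REVIEW_BYTES = 5_000_000  # assumed: bytes sent to one destination per day that warrants a question
REVIEW_RATIO = 2.0        # assumed: out/in ratio above which a destination is 'upload-heavy'

# Constructed sample flows for one day: (workstation, destination, proto, bytes_out, bytes_in).
FLOWS = [
    ("ws-12", "slashdot.org", "tcp/80", 40_000, 2_200_000),           # normal browsing
    ("ws-12", "debian.org", "tcp/21", 5_000, 90_000_000),             # big download, tiny upload
    ("ws-07", "207.43.24.32", "tcp/21", 8_400_000, 120_000),          # two long FTP uploads
    ("ws-07", "207.43.24.32", "tcp/21", 6_100_000, 95_000),
    ("ws-03", "mail.example-partner.de", "tcp/25", 900_000, 40_000),  # mail to a partner
    ("ws-22", "198.51.100.9", "udp/53", 3_200_000, 600_000),          # 'DNS' carrying megabytes out
    ("ws-22", "smtp.example.com", "tcp/25", 120_000, 60_000),         # company relay
]


def histogram(flows):
    """Aggregate bytes in/out per destination across all protocols and hosts."""
    table = defaultdict(lambda: {"out": 0, "in": 0, "hosts": set(), "protos": set()})
    for host, dst, proto, b_out, b_in in flows:
        rec = table[dst]
        rec["out"] += b_out
        rec["in"] += b_in
        rec["hosts"].add(host)
        rec["protos"].add(proto)
    return dict(table)


def review_candidates(flows, threshold=REVIEW_BYTES, ratio=REVIEW_RATIO, trusted=TRUSTED):
    """Destinations worth a human question, most bytes sent first.

    Nothing here inspects payloads: an untrusted destination is flagged on
    absolute outbound volume, or on an upload-heavy out/in ratio, which is
    what catches a slow trickle over a port the firewall has to keep open.
    """
    hits = []
    for dst, rec in histogram(flows).items():
        if dst in trusted:
            continue
        out_in = rec["out"] / max(rec["in"], 1)
        reasons = []
        if rec["out"] >= threshold:
            reasons.append("volume")
        if out_in >= ratio:
            reasons.append("upload-heavy")
        if reasons:
            hits.append({
                "dst": dst,
                "bytes_out": rec["out"],
                "ratio": round(out_in, 1),
                "hosts": sorted(rec["hosts"]),
                "protos": sorted(rec["protos"]),
                "reasons": reasons,
            })
    hits.sort(key=lambda h: h["bytes_out"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in review_candidates(FLOWS):
        print(f"{hit['dst']:26} {hit['bytes_out']:>12,} out  ratio {hit['ratio']:>6}  "
              f"{','.join(hit['hosts'])} via {','.join(hit['protos'])}  [{', '.join(hit['reasons'])}]")
```

On the constructed data the FTP destination is flagged on both volume and ratio, the partner mail host only on ratio (mail is naturally upload-heavy, so partner relays belong in the allowlist once reviewed), and the UDP/53 destination on ratio alone, which is the kind of thing a DNS tunnel looks like from the outside. The check never reads a payload, which is what abes means by it protecting privacy.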

  24. OH! by kirwin · · Score: 2

    A friend of mine has the perfect solution. I am sure that he would be more than happy to co-locate one of their products with you, at no cost.

  25. Lots of solutions by RobertGraham · · Score: 2
    There are lots of solutions for sniffing. Most IDSs will allow you to do this: simply specify a "rule" in the IDS, and it will trigger when it sees the "watermark". The freeware Snort is going to be the cheapest, or you could try a commercial product like BlackICE Sentry.

    Watermarking is pretty easy: create a special template that everyone should base confidential files on. Put some hidden strings within the template.

    Of course, you'll need to learn a little bit more about IDSs like Snort and Word templates, but I've done things like this in the past and it does work.
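
The three checks proposed in this thread for the proxy side (a hidden template watermark, as RobertGraham suggests; a stored hash of critical files and a dummy 'canary' database record, as cybaea suggests), combined into one outbound payload scanner as an added example for this page. This is not code from the thread, from Snort, or from any product. It assumes an outbound proxy or IDS hands the scanner the reassembled body of a message (mail attachment, HTTP POST body, FTP upload); the watermark strings, canary names, critical file and the fixtures in demo() are all constructed. Because kabir's objection that compression ruins pattern matches is correct, the scanner opens gzip and zip containers before matching, and reports an encrypted zip member by name rather than pretending to read it: an encrypted upload is the "extra willful step" the thread is after.

```python
"""Outbound payload scanner: template watermarks, known-file hashes, canary records.
Added example for this page, not code from the thread, Snort, or any product.
Assumes a proxy/IDS hands us the reassembled body of an outbound message.
Every watermark, canary, file and fixture below is a constructed sample."""
import gzip
import hashlib
import io
import zipfile
import zlib

# Hidden strings embedded in the confidential document templates (assumed values).
WATERMARKS = [b"\x00ACME-CONF-7f3a\x00", b"ACME_TEMPLATE_MARK_2001"]
# Dummy records seeded into the customer database (assumed, like the thread's 'faisifopida').
CANARIES = [b"faisifopida", b"Zorbulak Quendt"]
# Critical files that change rarely (constructed); in production store only the digests.
CRITICAL_FILES = {
    "customers_2001q1.csv": b"id,name,iban\n1,Alice Example,DE00 0000 0000 0000 0000 00\n",
}
KNOWN_HASHES = {hashlib.sha256(d).hexdigest(): n for n, d in CRITICAL_FILES.items()}
MAX_DEPTH = 3  # containers nested deeper than this are left unopened


def _unwrap(blob, depth=0):
    """Yield (label, data) for the blob and every container member inside it.
    gzip and zip are opened because compression defeats naive matching; an
    encrypted zip member cannot be opened and is reported by name instead."""
    yield ("raw", blob)
    if depth >= MAX_DEPTH:
        return
    if blob[:2] == b"\x1f\x8b":  # gzip magic
        try:
            inner = gzip.decompress(blob)
        except (OSError, EOFError, zlib.error):
            return
        for label, data in _unwrap(inner, depth + 1):
            yield ("gzip/" + label, data)
    elif blob[:4] == b"PK\x03\x04":  # zip local file header
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            return
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general purpose bit 0: member is encrypted
                yield ("encrypted:" + info.filename, b"")
                continue
            for label, data in _unwrap(zf.read(info), depth + 1):
                yield (info.filename + "/" + label, data)


def scan_payload(blob):
    """Return a list of (kind, where) findings; an empty list means let it pass."""
    findings = []
    for label, data in _unwrap(blob):
        if label.startswith("encrypted:"):
            findings.append(("encrypted-container", label[len("encrypted:"):]))
            continue
        if any(w in data for w in WATERMARKS):
            findings.append(("watermark", label))
        if any(c in data for c in CANARIES):
            findings.append(("canary", label))
        digest = hashlib.sha256(data).hexdigest()
        if digest in KNOWN_HASHES:
            findings.append(("known-file", KNOWN_HASHES[digest]))
    return findings


def make_zip(members):
    """Constructed fixture: an in-memory deflated zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_encrypted_flag_zip(name, data):
    """Constructed fixture: the stdlib cannot write encrypted zips, so flip the
    'encrypted' flag bit in the central directory entry (offset 8) of a normal
    zip to simulate one. Reading the member would then demand a password."""
    raw = bytearray(make_zip({name: data}))
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x1
    return bytes(raw)


def demo():
    """Run the scanner over constructed samples; returns {case: findings}."""
    doc = b"Quarterly report, confidential. " * 20 + WATERMARKS[1] + b" figures follow"
    dump = b"uid=42 user=faisifopida\n" + b"uid=43 user=hmueller\n" * 30
    return {
        "plain_doc": scan_payload(doc),
        "gzipped_doc": scan_payload(gzip.compress(doc)),
        "zipped_db_dump": scan_payload(make_zip({"dump.txt": dump})),
        "gzipped_critical_file": scan_payload(gzip.compress(CRITICAL_FILES["customers_2001q1.csv"])),
        "encrypted_zip": scan_payload(make_encrypted_flag_zip("secret.bin", b"\x00" * 32)),
        "harmless": scan_payload(b"lunch at 12?"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result or 'clean'}")
```

The same matching expressed as Snort content rules would fire only on the uncompressed form, which is why the container unwrapping sits in front of the match; in practice you would also cap the decompressed size per member so a crafted archive cannot exhaust the proxy. As cybaea warns, the watermark and canary values have to stay secret and should be rotated, and the canary must be filtered out of anything the application legitimately sends.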

  26. Yes. by mindstrm · · Score: 3

    Switches running with security settings; static switch tables.. run a network with static arp if you want.

    Aggressive firewalling

    Make sure all mail is logged.
    Make sure all web traffic is proxied and filtered, if it even needs to be there at all. And log everything.

    As for 'protecting privacy' of individuals.. you can't really have it both ways. IF it's a financial network, and people are expected to conform to a high level of security, it is completely within the rights (most likely) of your company to audit EVERY communication going in or out of the network.

    Simply take away their expectation of privacy.

    Oh.. also, insist that all mail be escrow-keyed, and signed, or it can't hit the servers. This leaves you an accountability trail.

    In fact, if it's a really secure installation, why do you even need live internet to people's desks?

  27. Issues by mindstrm · · Score: 2

    I don't know the legal issues surrounding the situation.. but after more thought.

    1) Is this a high-security office/network? If so, then take extremely aggressive measures. Be the BOFH, and control everything.

    2) If this is simply a requirement.. it's kind of strange. What prevents someone from walking out the door with confidential information? What prevents them from doing it over the phone? Take similar measures to your meatspace security measures as a guideline.

    If you don't search your employees on the way out, if you don't monitor their phones.. why sniff their network?

  28. Re:Actually, yes you can. by mattdm · · Score: 2

    Internal users use netscape on the terminal server. This prevents you from leaking information without retyping.

    Um, cut and paste?


    --

  29. Why would you trust slashdot? by / · · Score: 2

    You mean you didn't know about hidden sid="tradesecrets" where we've been posting all our company's private data?

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes

  30. Active vs Passive Monitoring by 4/3PI*R^3 · · Score: 2

    What you are suggesting doing, I classify as passive monitoring. In other words your employee has retrieved the data, he has formatted it as he sees fit and then sent it out onto the network where you are hoping to catch it. This is like trying to shut the doors after the cows get out. Even if you could reliably catch 100% of the inappropriate outbound traffic, your employees could simply write the information on a piece of paper or memorize it or anything like that. You will be very hard pressed to stop this.

    What I suggest you do is active monitoring. Log the queries your employees make to your database. Log the information that they extract from your files. If you see an employee is extracting a lot of personal information, ask him what he is doing. If you see an employee is always looking at the same thing, ask him why he needs to be constantly updated on the status of this thing.

    Now most of your employees will have true business uses for the information they look up and you should probably be able to develop some sort of pattern of information need and usage for each employee. Then when an employee starts looking at data that he doesn't ordinarily need to you can send a warning to his supervisor to check on his data queries.

    This will probably be a much more effective approach. Oh, and BTW, as always be a good sys-admin and don't keep this practice a secret. Tell your employees that you will be monitoring their extracts. Most people don't really care if they are monitored at work, what really pisses them off is when the monitoring is done in secret.
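An added example (not from this post) of the "pattern of information need and usage" idea: build a per-employee baseline from extract logs, then flag new extracts that hit a dataset the employee never used or are far larger than usual. Employee names, dataset names, row counts and the volume factor are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed extract-log records, (employee, dataset, rows returned), of the
# kind the post suggests logging from the database and file servers.
BASELINE_LOG = [
    ("anna", "invoices", 40), ("anna", "invoices", 55), ("anna", "customers", 12),
    ("anna", "invoices", 48), ("bernd", "payments", 20), ("bernd", "payments", 25),
    ("bernd", "customers", 5), ("bernd", "payments", 18),
]

def build_baseline(log):
    """Per employee: the datasets they normally use and mean rows per extract."""
    per_user = defaultdict(lambda: defaultdict(list))
    for user, dataset, rows in log:
        per_user[user][dataset].append(rows)
    return {u: {d: mean(r) for d, r in ds.items()} for u, ds in per_user.items()}

def review_extracts(baseline, new_log, volume_factor=5):
    """Return (employee, reason) pairs worth a question from the supervisor:
    a dataset the employee has never touched, or an extract far larger than
    their usual volume from that dataset (volume_factor is a tunable guess)."""
    flags = []
    for user, dataset, rows in new_log:
        usual = baseline.get(user, {})  # unknown employee: every dataset is new
        if dataset not in usual:
            flags.append((user, f"first use of dataset '{dataset}'"))
        elif rows > volume_factor * usual[dataset]:
            flags.append((user, f"{rows} rows from '{dataset}' vs usual ~{usual[dataset]:.0f}"))
    return flags

# Constructed day of new activity to review against the baseline.
NEW_LOG = [("anna", "invoices", 50), ("anna", "payments", 10), ("bernd", "payments", 3000)]

if __name__ == "__main__":
    for who, why in review_extracts(build_baseline(BASELINE_LOG), NEW_LOG):
        print(who, why)
```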

  31. Actually, yes you can. by Bazzargh · · Score: 3

    Okay, this is not an ideal solution, but it is a solution.

    Internet
    ---------------------------------------- firewall
    Demilitarized Zone
    [ Terminal Server (WTS or an X server) ]

    ---------------------------------------- firewall
    Internal LAN [ client PC goes here ]

    Internal users use netscape on the terminal server. This prevents you from leaking information without retyping. However it prevents you from pulling in downloads, and sending email with attachments to customers.

    For downloads, open up inbound FTP connections to a fileserver in the DMZ. For outbound emails, warn that emails from the LAN are scanned, and do it. If people want to send a private message, they can use the X or ICA netscape client. This way your users opt in to be scanned when they are deliberately leaking information, because that's what the job requires. Using the X client, they would have to laboriously retype all the information.

    Depending on the size of the company, you could scan ALL of these messages by hand, since most outbound mail will be personal or brief.

    I didn't say it didn't suck. But it does hang together.

  32. Application level proxy is needed, not packet filt by embobo · · Score: 2

    If you need to have the tightest control on what leaves your network you need to use application level proxies and block all outgoing traffic from every machine except the proxies. You are in for a world of hurt if you are going to try to sniff traffic at the packet level.

    I suspect there is no application-level proxy that will suit your needs. You may wish to harness the power of open source to integrate smaller tools to fit your needs. Perhaps starting with the proxies in the firewall toolkit you could build some proxies that have a little language in which you can write rules for blocking traffic. Then you can release it back to the community.

    Like one of the other posters said, though, it is very difficult to detect when sensitive information is leaving the network. You usually have to rely on the form of the information (e.g. does it look like a credit card number?) but the form can easily be disguised. Disguises become harder the stricter the format of the data. For example, suppose you only send out bills through mail and the format of the bill is:

    Dear (foo), You owe us (amount). Send it soon or die.

    You can block all mail that doesn't match this format, thereby preventing jpegs, cc lists, etc. from being mailed. Information can still be leaked by choosing pregnant values for (foo) and (amount). You could look up to make sure (foo) was a valid customer but your leak may add (foo) to the customer list to get around that. Limiting (foo) to less than 10 characters will help. Ensuring (amount) contains nothing but digits would help too, but it isn't too hard to encode a message with numbers only.

    There will always be ways to get around whatever measures you put in place but don't let that fact cause you to not put forth any effort at all. The amount of money you spend protecting against leaks should be weighed against the potential loss if certain information is leaked times the likelihood that it will be.
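An added example (not from this post) of the strict-format rule the post sketches, as the check an outbound mail proxy would apply to each body: the whole message must match the bill template, (foo) must be short and a known customer, and (amount) must be ASCII digits only. The customer names and sample bodies are constructed for the example.

```python
import re

# Constructed customer list; in practice this is a lookup in the billing database.
CUSTOMERS = {"Mueller", "Schmidt", "Weber"}

# The entire body must be the template; only the (foo) and (amount) slots vary.
# \A and \Z pin both ends so nothing (an attachment, a CC list, a signature)
# can be appended after the closing sentence.
BILL_RE = re.compile(
    r"\ADear (?P<foo>[^,\n]*), You owe us (?P<amount>[^.\n]*)\. Send it soon or die\.\s*\Z"
)

def check_outbound_bill(body, customers=CUSTOMERS, max_name_len=10):
    """Decide whether one outbound mail body may leave: (allowed, reason)."""
    m = BILL_RE.match(body)
    if not m:
        return False, "body does not match the bill template"
    foo, amount = m.group("foo"), m.group("amount")
    if len(foo) >= max_name_len:      # the post's 'less than 10 characters'
        return False, "name slot too long"
    if foo not in customers:          # the customer-list lookup
        return False, "name is not a known customer"
    # ASCII digits only; str.isdigit() would also accept Unicode digit forms.
    if not re.fullmatch(r"[0-9]+", amount):
        return False, "amount is not digits only"
    return True, "ok"

# Constructed outbound bodies, one good and several that the proxy should block.
SAMPLES = [
    "Dear Mueller, You owe us 120. Send it soon or die.",
    "Dear Mueller, You owe us 120. Send it soon or die.\n\n[base64 jpeg here]",
    "Dear Schmidt, You owe us 12 EUR. Send it soon or die.",
    "Dear Zimmermann, You owe us 5. Send it soon or die.",
    "Dear Braun, You owe us 5. Send it soon or die.",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_outbound_bill(body), repr(body[:40]))
```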

  33. Stego by cartec · · Score: 2

    Unfortunately, you don't have a chance. There is a little known counterpart to the science of cryptography - the ugly stepchild, steganography. Steganography is the branch of computer science concerned with hidden communication - not (as encryption) communicating so that others cannot understand - but hiding the existence of communication. If somebody is bright enough to piggyback a couple of bits of data onto emails or (even better) send small strings of data encoded in URLs as GET requests to an imaginary server outside your network . . . I think you get the point. Against a determined, or at least half-witted, attacker, you are powerless.

  34. This is company data, on company property. by bmetzler · · Score: 2

    How could monitoring my own data on my own hardware be intrusive? There's no 'privacy' involved because the company is monitoring their own data. Is an employee emailing information to a client? Well, is it confidential, or not? That's all you are trying to watch for. Do they visit a web site to order new office supplies? Well, did they enter confidential information into the order?

    If you need to watch for confidential data leaving the company over the corporate network, then you do it. The data is all the company's anyway. You aren't running a public ISP where customers expect that you aren't slurping CC numbers. Or a phone company where people expect to be able to share their woes without it becoming public knowledge.

    Now, if you're concerned that by monitoring the company's data you'd be exposed to confidential information that you feel would be detrimental if you had access to, then you need to go to your management and talk to them about it. I'm sure they'd be more than willing to do anything they can to make it possible to do your job without you being responsible for keeping secrets.

    -Brent