

Unintrusive Traffic Content Monitoring?

fuzzybunny asks: "I've recently been given my turn in the bucket as head tech guy at a startup in Germany. We deal with backend monetary transactions for companies that need to send bills, and as such handle large quantities of personal and confidential financial information. I've been informed that in order to comply with financial due diligence laws here, as well as to guard against sabotage by angry employees (not that we have any), I have to figure out some way to sniff outbound network traffic for stuff that's not supposed to leave the company network." Internal security is something all network administrators will have to deal with at some point or another. Are there methods they can employ to ensure that data that's supposed to stay in the network isn't encouraged to take a nightly stroll somewhere it isn't supposed to, without excessively violating the privacy of the users?

"I realize that someone who wants to get confidential information out can easily circumvent any technical measures (copy to floppy, encrypt mail, print out, etc.) However, the idea here is to force someone to take that extra willful step.

Given that I categorically refuse to sniff general network traffic, block URLs, or generally look over people's shoulders, I am looking for a solution that lets me automatically watermark non-ascii files and just sniff for certain binary strings on outgoing traffic, while keeping any non-matching traffic completely anonymous. Any ideas on this?"


  1. Bare Minimum it is then... by jpowers · Score: 4

    Set up a proxy server and force all outbound traffic over it. Tell the users it's to filter for Outlook viruses or some (.V)BS. Shut down all but a few ports, then run a packet sniffer to watch the ports you open. The proxy server has to be able to handle all the traffic, so if you have a LAN/WAN setup, you can use the proxy as a gateway between LAN servers and WAN/external traffic (so it won't slow down the outside users' access to your webpage).

    We already do this (though the packet sniffer's for diagnostics only): LAN w/NT server+100 clients, proxy w/sniffer to get through to the WAN (Sun SPARCs for DBASE and web server), then another "standard" firewall out beyond the WAN to get to the internet. That way they have to get through two firewalls to get to our files from outside, and the inside users get their files scanned on the way out. Non-intrusive as we could make it, once the machines are set up for proxy the users don't know the difference. The packet sniffer's a 10-year-old SPARC classic, so we're not talking about major investment of $$$ here.

    -jpowers

  2. If you really need a tight network... by Malor · Score: 5

    Your fundamental goal -- allowing anonymous, untracked internet usage, while simultaneously being *absolutely sure* that unauthorized data isn't getting out -- is impossible.

    The traditional method of access control in this sort of circumstance is a proxy-style firewall. However, I don't know of any proxy firewalls that can inspect for specific content. They can check for correctness of protocol data, but I don't know of any way to set off klaxons and call the police if the user manages to embed today's secret word in an HTTP:// request.

    You definitely can't use packet-level firewalls for this purpose, even stateful inspection ones, because users can bury any data they want in traffic bound for, say, port 80. It doesn't have to be just HTTP. Packet-level firewalls just work on port pairings. Example: if I were ever in a network that refused me access to my home machine, I'd probably just tunnel through port 80, which is open 90% of the time. A proxy firewall would stop that: a packet firewall will not.

    It might be possible to custom-code an outbound content filter into an open-source proxy like Squid. Squid isn't a firewall, so you'd probably have to dual-home your Squid box (to make it the only way out) and then have a firewall between it and the outside.

    Even at that level, it would still be possible to sneak things out. Almost any system that allows two-way communication can have arbitrary data inserted into the data stream in a way that is very unobvious to even a savvy network admin. Just a few days ago I saw a method to tunnel IP networking over DNS requests. (seriously). I think it was probably posted here on /. if you're interested. Good luck catching THAT with a sniffer. :-)

    What this all boils down to is this: if you allow any form of two-way communication into your network, then employees can get data out. Period. And there's no way you can know what it is without extensive and highly sophisticated pattern analysis.

    If the data is really sensitive, you might consider the old 'air gap' solution; have a private network that isn't connected to the outside in ANY WAY, and then an external network that employees use on a day-to-day basis. If you put that network on a hub, or on a switch that supports port mirroring, you should be able to monitor all traffic on that private network (assuming you don't exceed, in aggregate, the bandwidth on your monitoring port if you're switch-based) and ensure that no foreign MAC addresses show up on the network, and that all the traffic stays local. You can't, of course, control what users do with things like floppy disks. However, having the separate high-security network will let you monitor intensely enough to be aware that a given employee is accessing data they don't normally need access to. At least, it can do that if you're willing to put the effort into writing/customizing the monitoring tools. Definitely a non-trivial effort.

    If you can't build two networks, then you probably shouldn't even bother monitoring. It won't do you any good. Anyone out there with a real clue will waltz right past any protections you might set up.
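    Editor's added example, not part of Malor's comment or any tool he names: the port-pair versus protocol-aware distinction from this thread, plus a per-name heuristic for the IP-over-DNS tunnelling he mentions. The flows and query names are constructed, the open-port set and the entropy/length thresholds are assumptions, and "registered domain = last two labels" is a simplification for the example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass


# Constructed sample flow: destination port plus the first bytes the client
# sent. A packet filter looks only at the port; a proxy must parse the bytes.
@dataclass
class Flow:
    dst_port: int
    payload: bytes


OPEN_PORTS = {80, 443, 53}  # assumed outbound policy for this example


def packet_filter_allows(flow: Flow) -> bool:
    """Port-pair rule only: anything to an open port passes, content unseen."""
    return flow.dst_port in OPEN_PORTS


REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def http_proxy_allows(flow: Flow) -> bool:
    """A protocol-aware proxy forwards only what parses as an HTTP request, so
    SSH or a home-grown tunnel on port 80 is refused even though the port is
    open. It does not judge the content of a valid request: data hidden in a
    URL or body still passes, which is the limitation Malor describes."""
    if flow.dst_port != 80:
        return False
    return bool(REQUEST_LINE.match(flow.payload)) and b"\r\n\r\n" in flow.payload


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dns_tunnel(qname: str, min_len: int = 30, min_entropy: float = 3.8) -> bool:
    """Per-name heuristic for IP-over-DNS: encoded data lands in the labels
    below the registered domain, so those labels get long and high-entropy.
    Assumes the registered domain is the last two labels; the thresholds are
    starting points to tune against your own resolver logs."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return False
    data = "".join(labels[:-2])
    return len(data) > min_len and shannon_entropy(data) > min_entropy


if __name__ == "__main__":
    ssh_on_80 = Flow(80, b"SSH-2.0-OpenSSH_8.9\r\n")
    print("packet filter:", packet_filter_allows(ssh_on_80), "proxy:", http_proxy_allows(ssh_on_80))
    print("tunnel?", looks_like_dns_tunnel("x7k2mq9pz4.w8n3vr5bh6.j0ct1fdg4y.l9sau2eo7i.tun.example.net"))
```

    The proxy check is deliberately strict about framing (request line and end of headers) and nothing else; that is exactly the gap Malor points at, a well-formed GET with a base64 blob in the query string sails through. The DNS heuristic only looks at one name at a time; in practice you would also count queries per registered domain over time, since a tunnel needs many of them.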

  3. It's the same deal as always... by Chiasmus_ · Score: 4

    If someone is really smart and wants to steal or transfer company records behind your back, he or she will find a way. It can be disguised, routed through unusual channels, encrypted, or even sent out in screen shot format as a bunch of JPGs.

    If, on the other hand, they're an idiot, and sending the stuff out either recklessly or accidentally, you don't need technology to handle it. Either look over their shoulder once in a while, or get them drunk.

    So, do what companies always do: the bare minimum required to meet legal standards, and grudgingly, at that.

    --
    "Beware he who would deny you access to information, for in his heart he deems himself your master."
  4. Monitor Certain Ports/Automated Scanning by LaNMaN2000 · Score: 4

    If I were in your position, I would ensure that no outbound traffic travels on non-standard ports that have not first been registered with IT (to prevent DDoS clients from being installed/managed, BackOrifice from being installed, etc.). Also, I think that installing an automated scanner for e-mail, prohibiting attachments larger than a certain size, etc. would be prudent. Personally, I would not find it invasive if I were told, as an employee, what type of e-mail would raise a flag with the automatic scanner and ensured that my mail would not be read by another human being unless it was potentially dangerous.

    Basically, the most important thing, from an employee's perspective, with network scanning is full disclosure. I would feel violated if my personal transmissions were searched without my knowledge, but I think most people would understand the need for tight security given the inherent insecurity of an Internet connection.

    --

    ByteMyCode.com: A Web 2.0 code sharing community.
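    Editor's added example, not LaNMaN2000's code: the disclosed-rules scanner he describes, using Python's standard email parser. The size limit, blocked extensions, registered port list, the sample messages and the "src dst port" log format are all constructed for the example; flags carry only attachment name and size, so nobody reads a body unless a rule fired.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Disclosed policy (assumed values): employees are told exactly which
# conditions raise a flag, and only a flagged message is looked at by a person.
MAX_ATTACHMENT_BYTES = 256 * 1024
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".bat"}
REGISTERED_OUTBOUND_PORTS = {25, 53, 80, 443}


def scan_message(raw: bytes) -> list:
    """Return the flags for one outbound message. Flags carry only the
    attachment name and size, never body text."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if len(payload) > MAX_ATTACHMENT_BYTES:
            flags.append(f"{name}: {len(payload)} bytes exceeds {MAX_ATTACHMENT_BYTES}")
        if ext in BLOCKED_EXTENSIONS:
            flags.append(f"{name}: blocked attachment type {ext}")
    return flags


def build_sample(attachment_name: str, payload: bytes) -> bytes:
    """Construct a sample outbound message with one attachment (test data)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "monthly report"
    msg.set_content("Report attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return bytes(msg)


def unregistered_connections(conn_log) -> list:
    """conn_log: iterable of 'src_ip dst_ip dst_port' lines (a constructed
    format standing in for a firewall log). Returns the lines whose
    destination port was never registered with IT."""
    bad = []
    for line in conn_log:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        if int(parts[2]) not in REGISTERED_OUTBOUND_PORTS:
            bad.append(line)
    return bad


if __name__ == "__main__":
    print(scan_message(build_sample("dump.csv", b"x" * (300 * 1024))))
    print(scan_message(build_sample("tool.exe", b"MZ")))
    print(unregistered_connections(["10.0.0.5 203.0.113.9 443", "10.0.0.7 203.0.113.9 31337"]))
```

    The size check runs on the decoded payload, not the base64 text, so the limit means what the disclosed policy says it means. Nothing here stops someone renaming tool.exe to tool.pdf or splitting a dump into ten small mails; that is the "willful extra step" the question is after, not a real barrier.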
  5. No good technology solution... by kabir · Score: 4

    Ultimately there is no good solution to this sort of problem. Various technologies have been developed (usually in concert with a government) which allow data to be labeled, etc. While there are some rudimentary barriers to moving around labeled data, it's nothing your average school kid couldn't circumvent.

    The truth of the matter is this: you have chosen to trust your employees (at various levels). They must be trusted in order to do their jobs properly. If they choose to violate that trust, you will be unable to stop them.

    Now, it is possible to make that sort of thing much more difficult, but the methods are not terribly reasonable, and usually incompatible with business practices.

    In terms of monitoring outbound traffic for sensitive data, well, forget it. Heck, even compression will ruin pattern matches. Better to simply spend more time evaluating how trustworthy potential employees are before hiring them into sensitive, high access positions. Get background checks and be a good judge of character.

    Oh, and cross your fingers.
    --
    Behold the Power of Cheese!
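    Editor's added example serving two passages: fuzzybunny's watermark-then-sniff scheme from the question (flag only flows carrying a registered tag, keep no record of anything else) and kabir's point above that compression ruins the pattern match. It is not code from either poster. The file contents, flow names and the append-a-tag watermark are constructed for the example; a real deployment would put the tag in a format-aware slot.

```python
import gzip
import secrets


def make_watermark() -> bytes:
    """16 random bytes between fixed guard bytes: random so the tag cannot
    occur in real data by accident, guarded so a hit is unambiguous."""
    return b"\x00WM:" + secrets.token_bytes(16) + b":MW\x00"


def watermark_file(data: bytes, registry: dict, label: str) -> bytes:
    """Append a fresh tag to a blob and record tag -> label. The registry is
    all the monitor ever needs; it never sees the file itself."""
    tag = make_watermark()
    registry[tag] = label
    return data + tag


def scan_payload(payload: bytes, registry: dict):
    """Label of the first registered tag found in payload, else None."""
    for tag, label in registry.items():
        if tag in payload:
            return label
    return None


class StreamScanner:
    """Scan one flow segment by segment, carrying over len(tag)-1 bytes so a
    tag that straddles two segments is still caught. Because the tail is one
    byte shorter than a tag, a tag already reported can never be reported
    again from the carried-over bytes (all tags here have equal length)."""

    def __init__(self, registry: dict):
        self.registry = registry
        self.keep = max((len(t) for t in registry), default=1) - 1
        self.tail = b""

    def feed(self, segment: bytes):
        buf = self.tail + segment
        self.tail = buf[-self.keep:] if self.keep else b""
        return scan_payload(buf, self.registry)


def monitor(flows, registry) -> list:
    """flows: iterable of (flow_id, [segments]). Returns one alert per flow
    that carried a watermarked file; nothing about other flows is retained."""
    alerts = []
    for flow_id, segments in flows:
        scanner = StreamScanner(registry)
        for seg in segments:
            label = scanner.feed(seg)
            if label:
                alerts.append({"flow": flow_id, "file": label})
                break
    return alerts


def xor_stream(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for 'encrypt it first': any reversible transform of the bytes
    defeats an exact pattern search just as compression does."""
    return bytes(b ^ key for b in data)


def demo() -> list:
    """Constructed traffic: one raw copy of a watermarked file split across
    two segments, ordinary mail, a gzipped copy and an XOR'd copy."""
    registry = {}
    invoice = watermark_file(b"Invoice 0001 amount 100.00 EUR\n" * 20, registry, "invoice-0001.bin")
    split = len(invoice) - 10  # the tag straddles the two segments
    flows = [
        ("flow-1 raw copy", [invoice[:split], invoice[split:]]),
        ("flow-2 ordinary mail", [b"Subject: lunch?\r\n\r\nPizza at 12?"]),
        ("flow-3 gzipped copy", [gzip.compress(invoice)]),
        ("flow-4 xor'd copy", [xor_stream(invoice)]),
    ]
    return monitor(flows, registry)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

    Only flow-1 produces an alert; flows 3 and 4 carry the same file and are missed, which is exactly kabir's objection. The scanner must run on reassembled streams (hence the carried tail), and the registry holds opaque tags and labels only, so the monitoring box never needs the files or any unmatched traffic.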
  6. Limit the visibility employees have to data by Enonu · Score: 4

    ALL other solutions are either impractical or can be circumvented, perhaps by just pencil and paper :)