Slashdot Mirror


What's On Your Network?

An anonymous reader writes "According to a Whitedust article you may currently have more on your network than you think you do. The article claims that not much security attention is generally given to one of the most elusive aspects of computer security; that of physical connectivity." From the article: "Broadcast traffic is on the rise, with more suspicious user activity in the logs every day. Then one morning you get a call from your irate boss wanting to know why he no longer has a network connection, yet the employees - or students or whoever - down the hall are able to play games and visit porn sites, at blazing speeds no less."

15 of 188 comments

  1. I'm more worried about my home network. by Anonymous Coward · · Score: 2, Insightful

    Lots of network noise from my Apple boxen. AFP, Rendezvous, Netbios etc. Oh and stupid Linksys router querying my ISP's domain name servers to find out where 198.162.1.104 is and dumb shite like that, strange bittorrent stuff from the internet that for some reason gets bounced around my entire network.

    Now can someone please tell me why tcpdump and tcpflow -c don't do the same thing. tcpflow seems to grab the entire data sans headers but misses most all of the lower level traffic (e.g. ARP whohas etc.), whilst tcpdump only grabs the headers no matter how big I make the snarfen -s thing, or if I do -vv it still only grabs the headers. It's like they both see different things.

    Thanks for any help

  2. Maybe this is just me... by PhilipPeake · · Score: 4, Insightful

    but isn't this the sort of stuff that ANY network admin worth their salt should be completely aware of? If they need to be told this stuff they are not (IMHO) worth employing as other than apprentice network engineers. Or is this level of admin common in Windows environments?

    1. Re:Maybe this is just me... by cavtroop · · Score: 5, Insightful

      Also, try to remember that most companies' IT departments are still short staffed, and pro-active monitoring like network scanning, etc. gets put way on the back burner. I agree with you, and am just playing devil's advocate here :)

    2. Re:Maybe this is just me... by einhverfr · · Score: 3, Insightful

      Well... Here is my attitude towards the whole thing... Sudden enforcement is generally a problem for reasons you mention.

      However, when you are planning or deploying your network, it makes sense to add filters to nearly all routers (a standard filter set) which allows you to monitor for certain types of common misconfigurations and problems. This can be largely automated so you don't have to dedicate a large amount of manpower to reading and parsing through logs. Ideally such a router management infrastructure would require very little overhead to manage.

      When something turns up, you need to investigate it. Find out what is going on. If it is an in-house server some department is running, find out what it is doing, discuss what needs to be done about it, and find out what you can do to add the required functionality to your server infrastructure (one possibility is to grant the department some level of approval in operating the server if it is important to the business).

      Security exists in a balance with LOB requirements. Heavily pushing one or the other side is a recipe for business failure.

      --

      LedgerSMB: Open source Accounting/ERP
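
The automated log review einhverfr describes above, as an added example that is not code from the article or from the commenter. It assumes (my assumption, not the thread's) Cisco IOS routers logging ACL hits as `%SEC-6-IPACCESSLOGP` syslog messages, a known list of legitimate DHCP servers and relays, and a threshold of denied packets per source; the sample log lines are constructed in that format, not captured, and the "UDP source port 67 from an unlisted host" rule is one illustrative misconfiguration check, not a list taken from the page.

```python
"""Added example (not from the article or from einhverfr's comment): parse the
log lines a standard router filter set produces and reduce them to a short list
of findings, so nobody has to read the raw log.

Assumptions (mine): routers are Cisco IOS boxes logging ACL hits as
%SEC-6-IPACCESSLOGP messages; SAMPLE_LOG is constructed in that format, not
captured; KNOWN_DHCP_SERVERS is the network team's list of DHCP servers/relays.
"""
import re
from collections import Counter

# One IOS ACL log message: "%SEC-6-IPACCESSLOGP: list 101 denied udp A(p) -> B(q), N packets"
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

KNOWN_DHCP_SERVERS = {"10.1.1.10"}  # constructed for the example

# Constructed sample syslog (not a real capture); the last line is a non-ACL
# message that the parser must skip.
SAMPLE_LOG = """\
Mar  3 08:12:01 rtr1 1234: *Mar  3 08:12:00.101: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.4.22(137) -> 10.1.255.255(137), 12 packets
Mar  3 08:12:05 rtr1 1235: *Mar  3 08:12:04.222: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.4.22(3412) -> 10.1.9.5(445), 1 packet
Mar  3 08:12:09 rtr1 1236: *Mar  3 08:12:08.301: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.4.50(67) -> 255.255.255.255(68), 3 packets
Mar  3 08:12:10 rtr1 1237: *Mar  3 08:12:09.404: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.10(67) -> 255.255.255.255(68), 5 packets
Mar  3 08:12:11 rtr1 1238: *Mar  3 08:12:10.505: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.4.31(2000) -> 10.1.9.5(22), 2 packets
Mar  3 08:12:12 rtr1 1239: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
"""


def parse_acl_log(lines):
    """Return one dict per ACL log line; any other syslog line is ignored."""
    events = []
    for line in lines:
        m = ACL_LOG.search(line)
        if m is None:
            continue  # not an ACL hit (or a message format this parser does not know)
        event = m.groupdict()
        for key in ("sport", "dport", "count"):
            event[key] = int(event[key])
        events.append(event)
    return events


def summarize(events, known_dhcp_servers, threshold=10):
    """Turn parsed events into the few findings worth a human's time."""
    denied_per_source = Counter()
    denied_per_dport = Counter()
    unexpected_dhcp = set()
    for e in events:
        if e["action"] == "denied":
            # Sum the router's own packet counts, not the number of log lines.
            denied_per_source[e["src"]] += e["count"]
            denied_per_dport[e["dport"]] += e["count"]
        # DHCP servers and relays send from UDP/67. Any other host doing so is a
        # misconfigured box or a consumer router someone plugged into the LAN.
        if e["proto"] == "udp" and e["sport"] == 67 and e["src"] not in known_dhcp_servers:
            unexpected_dhcp.add(e["src"])
    return {
        "noisy_sources": {s: n for s, n in denied_per_source.items() if n >= threshold},
        "top_denied_ports": denied_per_dport.most_common(3),
        "unexpected_dhcp_servers": sorted(unexpected_dhcp),
    }


if __name__ == "__main__":
    findings = summarize(parse_acl_log(SAMPLE_LOG.splitlines()), KNOWN_DHCP_SERVERS)
    for name, value in findings.items():
        print(f"{name}: {value}")
```

The packet count is summed from the message rather than counting lines because IOS rate-limits ACL logging: the first matching packet produces a message immediately and later matches on the same flow are accumulated and reported at intervals, so one line can stand for many packets.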
    3. Re:Maybe this is just me... by Anonymous Coward · · Score: 1, Insightful

      Did they then proceed to the next step? Identifying all the essential non-approved servers, checking them out and approving them?

  3. Interesting points but possibly too specific by Sv-Manowar · · Score: 3, Insightful

    This article raises the issue of internal network security, which is something that's been increasing in profile as a security risk over the past few years as ethernet/wifi enabled devices get smaller, cheaper and easier to hide. However, this article's specific Cisco approach to dealing with things by tracking them back through routers and Cisco-specific tools seems to be of less use than more general scanning and identification measures.

    It's safe to say a good proportion of administrators already on networks with devices migrating on and off at will already have a consideration for these problems, and the specific approach detailed in the article may not be of best use to those less experienced admins starting to tackle this issue on their networks.

  4. Re:static dhcp ? by Anonymous Coward · · Score: 1, Insightful

    Actually the best solution is that you have switches with MAC based access control. If you plug something that is not registered into a switch, you get no access and alarms go off.

  5. I find it hard to believe by techno-vampire · · Score: 2, Insightful

    Are there really companies out there that still don't have a policy about not hooking up private equipment to the LAN without permission? Are there even any that let you run your own server on their LAN without asking? I find that hard to believe. Even if bandwidth isn't an issue, the company owns the equipment and has a right to say how it gets used, and what traffic is permitted. Anybody adding private equipment or running an unauthorized server has to know they're violating company policy, and can expect to be fired when it's discovered. The best way to keep it from happening a second time is to make sure everybody knows just why the fsckwit got canned.

    --
    Good, inexpensive web hosting
  6. Re:Perhaps a subnet just for non-assigned? by Dachannien · · Score: 2, Insightful

    Better yet, make the unregistered machine subnet able to access important security-related sites, like Windows Update and the corporate intranet site with antivirus and antispyware software downloads.

    (This is actually done relatively frequently, so I'm definitely not saying anything original here.)

  7. Re:Company policy enforcement? by SpaceLifeForm · · Score: 2, Insightful
    If company policy mandates using Windows, well, you are going to have problems anyway.

    Plugging other machines that are non-Windows is not likely to create near as many problems. The exception to that would be wifi that is not properly secured (default settings).

    It's the untrusted employee that is trying to subvert your networks that you have to worry about more than anything.

    And company policy will not stop that anyway.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  8. Re:DHCP fun by autocracy · · Score: 3, Insightful
    Or... "not unsurprising?"

    Age old machines that just run and are scattered around without sense can certainly fall to that. What about Sun and losing a major chip fab machine? Turned out some recently departed developer's desktop ran something that was critical to operations, but was formatted after he left. I'm off on the details as to what purpose it fulfilled, but its disappearance was noted at the executive (CIO) level because of its disturbance to the company's operations. Whoopsie?

    --
    SIG: HUP
  9. This article is brought to you by Cisco(TM)... by presarioD · · Score: 2, Insightful

    how wonderfully clandestine public PR industry operations are nowadays:

    For more information on CDP, visit http://cisco.com/en/US/tech/tk648/tk362/tk100/tech_protocol_home.html

    Hmmmmmmmm... and the ./ editors will be the first ones to bite.

    --
    Yam, yam, uga booga, yam, yam, yade, yade, uga booga, yam, yam, yade, yade
  10. Porn Sites hurt Feelings. by ebooher · · Score: 4, Insightful

    "Could someone please tell me why employees browsing porn sites is such a big fucking deal? How is it different than employees browsing /.?

    IT security people at corporations are becoming porno hunters. Be proud, guys."

    You apparently do not live in the U.S. You see, here we have these things called laws that are written and voted upon by hairless monkeys that are given offices by people that can't be bothered to read and vote on these "laws" themselves.

    Some of these "laws" revolve around personal opinion and human emotions known as "feelings." They state that if you do something that hurts someone else's "feelings" you will go to jail and have to give them a lot of money.

    This has caused a rash outbreak of people "sniping" or hiding out in bushes that sometimes decorate offices and awaiting an unsuspecting employee to briefly brush past a site holding pornographic material. Google.com is a good example. In this instance they leap from the previously hidden sniping bush and proclaim that the barest hint of an unclothed nipple has hurt their "feelings".

    This results in a winning lawsuit in which the unknowing employee receives a new boyfriend at the same time that he is given to the sniper as a money slave for the rest of his life. Sometimes it even results in the closing of an entire company and results in a rise in unemployment which these people called "taxpayers" really have something against.

    A couple of years ago something that looked almost like a nipple, but clearly wasn't, caused a major change in the entire U.S. broadcasting industry because of all the people whose "feelings" the wardrobe malfunction had caused to be hurt.

    This has caused companies to be very careful about keeping anything that could possibly hurt "feelings" out of their offices and off of their computers. Where I work, we usually just leave the computers turned off ....

    --
    "Genius may shine aloof and alone, like a star, but goodness is social, and it takes two men and God to make a Brother."
  11. Re:ridiculous article, company LAN = filtered by Anonymous Coward · · Score: 1, Insightful

    "Um, duh, what company network doesn't have egress filtering (bye bye IM, Quake, SSH) and content filtering (bye bye porn, TheOnion, etc) ?"

    One with happy employees who enjoy themselves and won't jump ship at the first hint of a 1% payrise?

  12. Security starts at the closet by nurb432 · · Score: 2, Insightful

    The very first thing you do is make sure you have no live ports just 'lying around'. If you don't have a person at a desk, its jack gets unpatched (or turned off at the switch).

    Secondly, you tie MAC addresses to specific ports on your switches, to help prevent people moving around without your knowledge. It also slows down people from casually swapping their company owned PC with a personal laptop. However, unlike the good old days, it won't slow down those damned wifi boxes since they can clone MAC addresses easily.. But it's at least a start.

    --
    ---- Booth was a patriot ----
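
The check that comment 4 ("MAC based access control" on switches) and comment 12 ("tie MAC addresses to specific ports") describe, as an added example that is not code from the article or from either commenter. It assumes (my assumptions, not the thread's) that the switch table is in Cisco IOS `show mac address-table` text format and that the network team keeps an inventory mapping each registered MAC to the port it was registered on; both the sample table and the inventory are constructed.

```python
"""Added example (not from the article or any commenter): reconcile a switch's
MAC address table against the inventory of registered devices, flagging
unregistered MACs, registered MACs that moved ports, and ports with more than
one MAC behind them.

Assumptions (mine): the table is Cisco IOS `show mac address-table` text, and
INVENTORY maps MAC -> registered port. Both samples below are constructed.
"""
import re

# One data row: "  10    0011.2233.4455    DYNAMIC     Fa0/1"
MAC_TABLE_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<kind>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample output (not a real capture).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  10    00aa.bbcc.ddee    DYNAMIC     Fa0/2
  10    0011.2233.4477    DYNAMIC     Fa0/7
  20    0011.2233.4488    DYNAMIC     Fa0/5
"""

# Constructed inventory: MAC (12 hex digits) -> port the device was registered on.
INVENTORY = {
    "001122334455": "Fa0/1",
    "001122334466": "Fa0/2",
    "001122334477": "Fa0/3",  # registered on Fa0/3; the table shows it on Fa0/7
    "001122334488": "Fa0/5",
}


def normalize_mac(mac):
    """Reduce any notation (0011.2233.4455, 00:11:22:33:44:55, 00-11-...) to 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_mac_table(text):
    """Yield (vlan, mac, port) for each data row; header and separator lines are skipped."""
    for line in text.splitlines():
        m = MAC_TABLE_ROW.match(line)
        if m:
            yield int(m.group("vlan")), normalize_mac(m.group("mac")), m.group("port")


def audit(table_text, inventory):
    """Compare the live table with the inventory and return three findings.

    unregistered: MACs the inventory does not know, with the port they showed up on
    moved:        registered MACs seen on a port other than the registered one
    shared_ports: ports with more than one MAC behind them, which usually means an
                  unmanaged switch, hub or wireless box was plugged into the jack
    """
    unregistered, moved, per_port = [], [], {}
    for _vlan, mac, port in parse_mac_table(table_text):
        per_port.setdefault(port, set()).add(mac)
        registered_port = inventory.get(mac)
        if registered_port is None:
            unregistered.append((mac, port))
        elif registered_port != port:
            moved.append((mac, registered_port, port))
    shared_ports = {p: sorted(macs) for p, macs in per_port.items() if len(macs) > 1}
    return {"unregistered": unregistered, "moved": moved, "shared_ports": shared_ports}


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_MAC_TABLE, INVENTORY).items():
        print(f"{finding}: {items}")
```

As comment 12 notes, this is a speed bump rather than a control: a device that clones a registered MAC passes the check, which is why the "shared port" finding matters (a cloned MAC and the real one often show up behind the same jack) and why authenticating the host itself (802.1X) is the stronger follow-up.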