Home page logo

basics logo Security Basics mailing list archives

Re: switched n/w
From: Russell Gregg <rusty.gregg () aholdusa com>
Date: 8 Dec 2004 14:23:46 -0000

In-Reply-To: <1102444223.2139.19.camel () Kaushal>

  Iam a bit new to network securities.We have a switched network and to
my knowledge a hosts' data cannot be sniffed by other host by runnning
tcpdump.But Iam receiving complaints from few users that their data is
being changed/manipulated.Is this possible?
How can I avoid this at the host level?Does this mean the server has
been compromised?Any help or pointer in this aspect would be highly

thanks in advance.



I would say a layered approach is needed in a switched environment.  

It's true that if everyone plays nice, no one can see someone else’s traffic.  I would then ask myself a question, "Am 
I sure everyone is playing nice?"  If you have any doubts, I would implement IPSec or another VPN for the important 
servers at least.  Next, I would verify least privilege for each resource on the server. Next, be sure to turn up 
auditing for connections and resource accesses (writing seems appropriate here).  If the file(s) you are talking about 
are statically named or under a known path, I would look into an integrity checking tool that runs passively on the 
server.  If you're looking to identify the offender (the pursue versus recover), then Snort with a trigger for the 
filename or portion of the path might be good.

Hope this helped.

"Be the change you wish to see in the world."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]