Re: switched n/w
From: Russell Gregg <rusty.gregg () aholdusa com>
Date: 8 Dec 2004 14:23:46 -0000
In-Reply-To: <1102444223.2139.19.camel () Kaushal>
I am a bit new to network securities. We have a switched network and to
my knowledge a host's data cannot be sniffed by another host by running
tcpdump. But I am receiving complaints from a few users that their data is
being changed/manipulated. Is this possible?
How can I avoid this at the host level? Does this mean the server has
been compromised? Any help or pointer in this aspect would be highly
thanks in advance.
I would say a layered approach is needed in a switched environment.
It's true that if everyone plays nice, no one can see someone else's traffic. I would then ask myself a question, "Am
I sure everyone is playing nice?" If you have any doubts, I would implement IPSec or another VPN for the important
servers at least. Next, I would verify least privilege for each resource on the server. Next, be sure to turn up
auditing for connections and resource accesses (writing seems appropriate here). If the file(s) you are talking about
are statically named or under a known path, I would look into an integrity checking tool that runs passively on the
server. If you're looking to identify the offender (the pursue versus recover), then Snort with a trigger for the
filename or portion of the path might be good.
Hope this helped.
"Be the change you wish to see in the world."