Security Issues with Network Monitoring Tools
From an attacker's point of view, traffic-monitoring utilities provide opportunities for sniffing network packets, possibly uncovering passwords or the types of software in use on the network. Configuration-monitoring and service-monitoring tools let the attacker learn about the network and even jiggle the doorknob. They are interesting for the reconnaissance information they can provide, such as which applications run on the network, user IDs and passwords, how well-connected a site is, and of course, proprietary data.
Protecting access to monitoring and diagnostic tools, where possible, is not enough. You must also protect the information those tools collect from unauthorized access. If intruders know, or can determine, where your network monitoring logs are stored, and gain access to them, they can read your logs (possibly obtaining authentication information such as passwords, or confidential company data) or even remove all traces of their visit to your network. So it is prudent to develop a policy for backing up important system logs to off-line storage on a regular basis, in the name of preserving potential evidence. Unfortunately, it is not at all unusual for a system administrator to collect network traffic or application diagnostic information into a publicly readable file, even though that information may include user passwords, sensitive data such as credit card numbers, and so on.
Since it is not feasible to guarantee that no one will ever run packet sniffer software on your network, remember that no packet on your network is immune from being captured by a sniffer, and keep the following in mind:
Do not send sensitive information across the network unencrypted (this includes email, files saved to servers, credit card information submitted from a web page to an application server, etc.).
Use challenge/response authentication techniques instead of those that send passwords in clear text or in encrypted form (a captured encrypted password can be played back just as a clear-text one can), in order to minimize opportunities for playback attacks and password stealing.
Consider periodically probing your network for the presence of unauthorized sniffers, to at least limit the amount of information they gather before being discovered and disconnected.
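The challenge/response point above, as an added example that is not taken from CertiGuide: the server hands out a one-time random nonce and the client proves knowledge of the password by returning HMAC(key, nonce), so the password itself never crosses the wire and a sniffed exchange cannot be played back. The user name, salt, password and iteration count are constructed sample values; `Server`, `client_response` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Constructed sample user record (hypothetical): the server stores only a
# PBKDF2-derived key, never the clear-text password.
ITERATIONS = 50_000
SALT = b"salt-alice"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS)}

class Server:
    """Issues one-time challenges (nonces) and verifies HMAC responses."""

    def __init__(self):
        self.outstanding = {}  # nonce -> user; each nonce is usable once

    def challenge(self, user):
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per login
        self.outstanding[nonce] = user
        return nonce

    def verify(self, user, nonce, response):
        # Consume the nonce first: a sniffed (nonce, response) pair replayed
        # later fails here because the nonce is no longer outstanding.
        if self.outstanding.pop(nonce, None) != user or user not in USERS:
            return False
        expected = hmac.new(USERS[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password, salt, nonce):
    """What the legitimate client sends on the wire: HMAC(key, nonce)."""
    key = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    srv = Server()
    nonce = srv.challenge("alice")
    resp = client_response(b"correct horse", SALT, nonce)  # both are sniffable
    results = {"legit": srv.verify("alice", nonce, resp)}
    # Eavesdropper replays the captured exchange verbatim.
    results["replay"] = srv.verify("alice", nonce, resp)
    # Eavesdropper answers a fresh challenge with the captured response.
    results["stale_response"] = srv.verify("alice", srv.challenge("alice"), resp)
    # Wrong password against a fresh challenge.
    nonce2 = srv.challenge("alice")
    bad = client_response(b"wrong", SALT, nonce2)
    results["bad_password"] = srv.verify("alice", nonce2, bad)
    return results
```

This protects only the credential; the data exchanged after a successful login still needs encryption, as the first item above says.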
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.