Re: snooper watchers

Ben Taylor (bent@snm.com)
Fri, 24 Feb 1995 11:33:18 -0500 (EST)

On Thu, 23 Feb 1995, John Adams wrote:

> If you're at the point where you're worried about someone placing an
> interface in promiscuous mode, it's probably too late for the rest 
> of your system. A greater emphasis needs to be placed on securing the
> machine itself, and not creating workarounds that monitor the interfaces.

Thanks for the tip.  However, since I am working with a client who 
has already had an initial scan, and are trying to fulfill all the
suggestions the tiger team made, I am trying to follow the client's
wishes.  They are paying my tab.  You are correct that if someone can
put a sniffer on your net, you're pretty screwed, but at least you
can reduce the amount of damage that could be done.  However, my
job has been to review what has been done, recommend what else can
be done, and test.

> Are you going to write a program that checks to see if root's cronjob has
> been modified? Probably not, and if someone has access to /dev/nit, they're
> going to have access to root's cronjob as well.

I suppose if you really wanted to make sure that crontab entries couldn't
be changed, you could put them on a write-protected floppy, mounted at boot.
It would provide a pretty good method to make sure the crontab entry
couldn't be changed.  Of course killing cron is the bypass, but then
you'd really notice that, wouldn't you?

> 
> The best thing for you to do is completely remove /dev/nit from the system,
> and make sure no one can get access to mknod to recreate it.

With loadable modules, this is academic.

> 
> Also, realize that snooping can occur _anywhere_ in your network. Unless 
> you're willing to shield all of the cable in your building with some 
> massively thick steel conduit, and place video cameras and armed guards at
> every network 'T' connection, you're vulnerable.

I'm very well aware of the possibilities of how you can be snooped.
Internal security is something only the client can take care of.  I
can make my recommendations and do nothing more.  

> 
> 		-john
> 

Ben Taylor --- Chief Information Officer --- Smoke N' Mirrors, Inc.
-=-=-=-=-=-=-=-  Services for Systems Integration -=-=-=-=-=-=-=-=-
bent@snm.com  "Where the impossible jobs get done!"  (703) 318-1440
           580 Herndon Pkwy, Suite 300, Herndon VA, 22070