[Dshield] Network monitoring tools on servers
security at admin.fulgan.com
Fri Jun 3 12:22:57 GMT 2005
To be short, an attacker or insider can use the monitoring tool for
recon. If you install one yourself, you make things easier for him.
Another reason is that you can actually look for sniffers either as a
running process, a loaded driver or network cards in promiscuous mode.
If you routinely install such a system everywhere, you remove a
potential alarm if something goes wrong.
However, you can probably achieve the same level of probing using only
a few dedicated stations. And since these stations are dedicated for
network monitoring, it would also make it easier to secure and log
their usage (conditional here: since these should be used for
"emergency" only, you also run the risk of "forgetting" to properly
manage them. It all depends on how well your IT structure is, I
Friday, June 3, 2005, 12:46:09 PM, you wrote:
ET> There is a debate going on where I work -- a rather largish enterprise,
ET> with global operations. Our server support folks want to install NetMon
ET> (Microsoft's network monitor) on all the servers, so when the need
ET> arises they can connect to it and do troubleshooting. My guess is that
ET> this came out of the recent problems with MS05-019, which did impact
ET> us. I do remember, back when I did server support, that we wanted to do
ET> the same thing, but IT Audit vetoed the idea. Well, they are still
ET> questioning it, asking for a business case (justification) and exactly
ET> which (of the more than 1000) servers we "need" to put it on.
ET> So, my questions to you are: What are the pros/cons from installing
ET> such a diagnostic tool on a server, in the event it is needed? Is there
ET> really a serious enough issue that Audit (and, indeed, Security) should
ET> have heartburn with it? Or, is it, in the words of some famous person
ET> somewhere in the past, just "much ado about nothing"? Would you do/have
ET> you done such a thing in your own organization? If so, what safeguards
ET> did you put in place?
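
The reply's point about looking for network cards in promiscuous mode, and about keeping capture tools on a few dedicated stations, as an added example that is not part of the original thread. It assumes Linux hosts, where `/sys/class/net/<iface>/flags` exposes the interface flags; the host names, the inventory and the approved-station list are constructed for illustration.

```python
"""Added example: flag promiscuous interfaces on hosts that are not
approved monitoring stations. Host names and flag values are constructed."""
from pathlib import Path

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>

def is_promiscuous(flags_hex: str) -> bool:
    """True if the hex flags word has the promiscuous bit set."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)

def local_interfaces(sysfs: str = "/sys/class/net") -> dict:
    """Collect {interface: flags} from sysfs on a Linux host.
    Returns an empty dict where sysfs is absent (assumption: Linux only)."""
    found = {}
    root = Path(sysfs)
    if root.is_dir():
        for entry in root.iterdir():
            try:
                found[entry.name] = (entry / "flags").read_text()
            except OSError:
                continue  # interface vanished or flags unreadable
    return found

def audit(inventory: dict, approved_stations: set) -> list:
    """inventory maps host -> {interface: flags_hex}.
    Returns (host, interface, verdict) for every promiscuous interface."""
    findings = []
    for host, ifaces in sorted(inventory.items()):
        for iface, flags in sorted(ifaces.items()):
            if is_promiscuous(flags):
                verdict = "expected" if host in approved_stations else "ALERT"
                findings.append((host, iface, verdict))
    return findings

# Constructed sample: one dedicated station, two ordinary servers.
SAMPLE = {
    "mon-station-01": {"eth0": "0x1103"},            # promiscuous, approved
    "file-srv-17": {"eth0": "0x1003"},               # normal
    "web-srv-42": {"eth0": "0x1103", "lo": "0x9"},   # promiscuous, not approved
}
APPROVED = {"mon-station-01"}

if __name__ == "__main__":
    for host, iface, verdict in audit(SAMPLE, APPROVED):
        print(f"{verdict:8} {host} {iface}")
    print("this host:", audit({"localhost": local_interfaces()}, set()))
```

If every server is added to the approved set, the same audit returns no alerts at all, which is the lost alarm the reply describes.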