[Dshield] Network monitoring tools on servers

Stephane Grobety security at admin.fulgan.com
Fri Jun 3 12:22:57 GMT 2005


Hello Ed,

To be short, an attacker or insider can use the monitoring tool for
recon. If you install one yourself, you make things easier for him.

Another reason is that you can actually look for sniffers, either as
a running process, a loaded driver or a network card in promiscuous mode.
If you routinely install such a system everywhere, you remove a
potential alarm if something goes wrong.

However, you can probably achieve the same level of probing using only
a few dedicated stations. And since these stations are dedicated to
network monitoring, it would also make it easier to secure and log
their usage (conditional here: since these should be used for
"emergency" only, you also run the risk of "forgetting" to properly
manage them. It all depends on how good your IT structure is, I
suppose).

Good luck,
Stephane

Friday, June 3, 2005, 12:46:09 PM, you wrote:

ET> There is a debate going on where I work -- a rather largish enterprise, 
ET> with global operations.  Our server support folks want to install NetMon 
ET> (Microsoft's network monitor) on all the servers, so when the need 
ET> arises they can connect to it and do troubleshooting.  My guess is that 
ET> this came out of the recent problems with MS05-019, which did impact 
ET> us.  I do remember, back when I did server support, that we wanted to do 
ET> the same thing, but IT Audit vetoed the idea.  Well, they are still 
ET> questioning it, asking for a business case (justification) and exactly 
ET> which (of the more than 1000) servers we "need" to put it on.

ET> So, my questions to you are:  What are the pros/cons of installing 
ET> such a diagnostic tool on a server, in the event it is needed?  Is there 
ET> really a serious enough issue that Audit (and, indeed, Security) should 
ET> have heartburn with it?  Or, is it, in the words of some famous person 
ET> somewhere in the past, just "much ado about nothing"?  Would you do/have 
ET> you done such a thing in your own organization?  If so, what safeguards 
ET> did you put in place?
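
The detection angle Stephane raises above (a sniffer visible as a running process or as a NIC in promiscuous mode, with dedicated stations as the only place that should be expected) as an added example, not code from the original post or the list. It assumes Linux-style `ip -o link` output and sysfs interface flags, and a hypothetical allowlist of sanctioned monitoring stations; all sample data is constructed.

```python
"""Flag capture indicators on hosts that are not sanctioned monitoring stations.
Hypothetical example: the allowlist, process list and sample data are constructed."""
import re

IFF_PROMISC = 0x100  # bit set in /sys/class/net/<if>/flags when the NIC is promiscuous

# Dedicated monitoring stations where capture is expected (assumption for this example)
MONITORING_STATIONS = {"netmon-01", "netmon-02"}

# Process names associated with packet-capture tools (illustrative, not exhaustive)
CAPTURE_PROCESSES = {"netmon.exe", "tcpdump", "dumpcap", "tshark", "wireshark"}

# Constructed `ip -o link show` output: eth0 carries the PROMISC flag, eth1 does not
SAMPLE_IP_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
"""


def promisc_interfaces_from_ip_link(output: str) -> list[str]:
    """Parse `ip -o link show` lines and return interface names flagged PROMISC."""
    found = []
    for line in output.splitlines():
        m = re.match(r"\d+:\s+(\S+?):\s+<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promisc_from_sysfs_flags(flags: dict[str, str]) -> list[str]:
    """Same check from /sys/class/net/<if>/flags (hex string per interface)."""
    return [name for name, hexflags in flags.items() if int(hexflags, 16) & IFF_PROMISC]


def unexpected_capture(host: str, processes: set[str], promisc_ifaces: list[str]) -> list[str]:
    """Return alert strings for capture indicators on a non-sanctioned host."""
    if host in MONITORING_STATIONS:
        return []  # capture is the expected state on a dedicated station
    alerts = [f"{host}: capture process {p}" for p in sorted(processes & CAPTURE_PROCESSES)]
    alerts += [f"{host}: interface {i} in promiscuous mode" for i in promisc_ifaces]
    return alerts


if __name__ == "__main__":
    ifaces = promisc_interfaces_from_ip_link(SAMPLE_IP_LINK)
    for alert in unexpected_capture("fileserver-07", {"tcpdump", "svchost.exe"}, ifaces):
        print(alert)
```

The same host data evaluated for a name in `MONITORING_STATIONS` yields no alerts, which is the "alarm that still fires" Stephane describes: a capture indicator is only meaningful when it is rare.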
