[Dshield] Network monitoring tools on servers

Al Reust areust at comcast.net
Sun Jun 5 20:15:05 GMT 2005


If I am reviewing the business case I would need their justification.

We all know what sniffers are used for, and to let them outside a very 
tight control would be asking for trouble.

At 05:46 AM 6/3/2005 -0500, you wrote:
>There is a debate going on where I work -- a rather largish enterprise, 
>with global operations.  Our server support folks want to install NetMon 
>(Microsoft's network monitor) on all the servers, so when the need arises 
>they can connect to it and do troubleshooting.

If I look at the use of "netmon" in this case, I would instead look at how 
the infrastructure is laid out. There would be a common-sense position at 
a switch, etc., that would cover the traffic to and from the majority of the 
servers in "groups."  Then you end up with part of the useful function: the 
ability to look at traffic shaping and identify bottlenecks. Then you have 
a business case for network monitoring. You also have a section on the 
definition of monitoring, the periodicity and the personnel designated to 
monitor. In that you also inform management that the contents of their 
email (outside of a Mail Administrator) are now subject to review by the 
group of identified people. You also identify safeguards that will be put 
in place to prevent unauthorized use.

Then if you need a single specific server you can load an instance on the 
"problem" server. Then you end up with 1 to x machines that you can lock in 
a room and monitor who/why has access. It was even taken to a standard 
paper log book that was signed as an individual sat at the console, with the 
reason for sitting there. With a monthly audit to ensure that "security 
logs" were not tampered with.

>My guess is that this came out of the recent problems with MS05-019, which 
>did impact us.  I do remember, back when I did server support, that we 
>wanted to do the same thing, but IT Audit vetoed the idea.  Well, they are 
>still questioning it, asking for a business case (justification) and 
>exactly which (of the more than 1000) servers we "need" to put it on.

This goes back to how the infrastructure is laid out. You could load it on 
all 1,000 and hire a couple more "trustworthy" people to monitor just the 
monitors. Often times "trustworthy" people are overcome by information they 
are forced to view while looking for a problem.

The Big Caution - You tend to find out things you really did not want to 
know. You could be faced with viewing the Boss via email making 
arrangements to cheat on his wife (can you say a case for blackmail). In 
one other instance the information that was brought to light resulted in 
the termination of an employee due to behavior; can you say AUP and other 
policy safeguards.  So a portion of the plan has to be what happens if, and 
who will be involved.

>So, my questions to you are:  What are the pros/cons from installing such 
>a diagnostic tool on a server, in the event it is needed?  Is there really 
>a serious enough issue that Audit (and, indeed, Security) should have 
>heartburn with it?  Or, is it, in the words of some famous person 
>somewhere in the past, just "much ado about nothing"?  Would you do/have 
>you done such a thing in your own organization?  If so, what safeguards 
>did you put in place?

I live in a rather largish infrastructure (wide spread) and we have several 
locations where mirror/span ports are set up. There are machines 
designated to run the network monitor and only "local logins" are allowed. 
They are in a locked room and the auditor has one of the local accounts. It 
is very easy to see who did what, and then determine why. In the same 
context, I have a laptop and a hub that I can plug in at a moment's notice. So 
yes, a portion of my job is to be that "trusted" person. Yes, I have 
undergone various procedures to verify my trustworthiness.

I have seen an instance where a Subpoena was carried in from a Court for 
TCPdumps on a specific user at an ISP. The bad part: they did not tell the 
ISP to terminate the dumps after the individual was arrested. You then have 
to deal with evidence preservation.

In one instance this configuration was used to resolve a WINS issue. So yes, 
the CIO was aware of what, why, and the plan.

So if they want to make a business case then let them start; normally the 
paperwork will kill the urge of the "kneejerk reaction." If they do work 
through it then you have a well thought out, properly constructed and hopefully 
secure monitoring system that has a defined function. The system then has the 
capability of improving the network for the business.
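One way to do the "who did what" check on such a dedicated monitor host, as an added example that is not from the original post: it lists Security-log logon events on the host and flags anything that was not a console logon, which is what the "local logins only" rule above requires. It assumes a Windows host with logon auditing (event ID 4624) enabled and runs against the local machine by default.

```powershell
# Added example: audit logons on a dedicated network-monitor host and flag
# any logon that did not happen at the console (the "local logins only" rule).
# Assumes Security-log logon auditing (event ID 4624) is enabled and that the
# caller has rights to read the Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # defaults to the local host
    [int]$Days = 30                              # lookback window
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
}

# 4624 LogonType values: 2 = Interactive (console), 3 = Network, 10 = RemoteInteractive (RDP)
$logonTypeNames = @{ '2' = 'Interactive'; '3' = 'Network'; '10' = 'RemoteInteractive' }

$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Skip machine accounts and well-known service identities; only people matter here
    $user = $d['TargetUserName']
    if ($user -match '\$$' -or $user -in 'SYSTEM', 'ANONYMOUS LOGON') { continue }

    $typeName = $logonTypeNames[$d['LogonType']]
    if (-not $typeName) { $typeName = $d['LogonType'] }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d['TargetDomainName'])\$user"
        LogonType = $typeName
        Source    = $d['IpAddress']
        Violation = ($d['LogonType'] -ne '2')   # anything but a console logon breaks the rule
    }
}

# Console logons are the expected audit trail; anything else needs an explanation.
$records | Sort-Object Time | Format-Table -AutoSize
$records | Where-Object Violation | ForEach-Object {
    Write-Warning "Non-console logon to $ComputerName by $($_.User) ($($_.LogonType)) from $($_.Source) at $($_.Time)"
}
```

The printed table is the same "who sat at the console, and when" record the paper log book captured; the warnings are the entries an auditor would want to reconcile against the room access log.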



>Ed Truitt
>PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
>"Note to spammers:  my 'delete' key is connected to YOUR ISP.
>Also, if you send me UCE, I reserve the right to post your spew
>on my Web site, with the appropriate color commentary, so that
>others may have a good laugh at your expense."
