[Dshield] Network monitoring tools on servers
areust at comcast.net
Sun Jun 5 20:15:05 GMT 2005
If I am reviewing the business case I would need their justification.
We all know what sniffers are used for, and to let them outside a very
tight control would be asking for trouble.
At 05:46 AM 6/3/2005 -0500, you wrote:
>There is a debate going on where I work -- a rather largish enterprise,
>with global operations. Our server support folks want to install NetMon
>(Microsoft's network monitor) on all the servers, so when the need arises
>they can connect to it and do troubleshooting.
If I look at the use of "netmon" in this case, I would instead look at how
the infrastructure is laid out. There would be a common sense position at
a switch etc. that would cover the traffic to and from the majority of the
servers in "groups." Then you end up with part of the useful function: the
ability to look at traffic shaping and identify bottlenecks. Then you have
a business case for network monitoring. You also have a section on the
definition of monitoring, the periodicity and personnel designated to
monitor. In that you also inform management that the contents of their
email (outside of a Mail Administrator) is now subject to review from the
group of identified people. You also identify safeguards that will be put
in place to prevent unauthorized use.
Then if you need a single specific server you can load an instance on the
"problem" server. Then you end up with 1 to x machines that you can lock in
a room and monitor who/why has access. It was even taken to a standard
paper log book that was signed as an individual sat at the console with the
reason for sitting there, with a monthly audit to ensure that "security
logs" were not tampered with.
>My guess is that this came out of the recent problems with MS05-019, which
>did impact us. I do remember, back when I did server support, that we
>wanted to do the same thing, but IT Audit vetoed the idea. Well, they are
>still questioning it, asking for a business case (justification) and
>exactly which (of the more than 1000) servers we "need" to put it on.
This goes back to how the infrastructure is laid out. You could load it on
all 1,000 and hire a couple more "trustworthy" people to monitor just the
monitors. Often times "trustworthy" people are overcome by information that
they are forced to view while looking for a problem.
The Big Caution - You tend to find out things you really did not want to
know. You could be faced with viewing the Boss via email making
arrangements to cheat on his wife (can you say a case for blackmail). In
one other instance the information that was brought to light resulted in
the termination of an employee due to behavior; can you say AUP and other
policy safeguards. So a portion of the plan has to be what happens if, and
who will be involved.
>So, my questions to you are: What are the pros/cons from installing such
>a diagnostic tool on a server, in the event it is needed? Is there really
>a serious enough issue that Audit (and, indeed, Security) should have
>heartburn with it? Or, is it, in the words of some famous person
>somewhere in the past, just "much ado about nothing"? Would you do/have
>you done such a thing in your own organization? If so, what safeguards
>did you put in place?
I live in a rather largish infrastructure (widespread) and we have several
locations where mirror/span ports are set up. There are machines
designated to run the network monitor and only "local logins" are allowed.
They are in a locked room and the auditor has one of the local accounts. It
is very easy to see who did what, and then determine why. In the same
context, I have a laptop and a hub that I can plug in at a moment's notice. So
yes, a portion of my job is to be that "trusted" person. Yes, I have
undergone various procedures to verify my trustworthiness.
I have seen an instance where a subpoena was carried in from a court for
TCPdumps on a specific user at an ISP. The bad part: they did not tell the
ISP to terminate the dumps after the individual was arrested. You then have
to deal with evidence preservation.
In one instance this configuration was used to resolve a WINS issue. So yes,
the CIO was aware of what, and why, and the plan.
So if they want to make a business case then let them start; normally the
paperwork will kill the urge of the "kneejerk reaction." If they do work
through it then you have a well thought out, properly constructed and hopefully
secure monitoring system that has a defined function. The system then has the
capability of improving the network for the business.
>PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
>"Note to spammers: my 'delete' key is connected to YOUR ISP.
>Also, if you send me UCE, I reserve the right to post your spew
>on my Web site, with the appropriate color commentary, so that
>others may have a good laugh at your expense."
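As an added example (not from this post or anyone on the Dshield list), the signed paper log book and monthly audit the reply describes for the locked-room monitor consoles can be modelled as a hash-chained access log: each console session records who sat down, when and why, chained to the previous entry's digest, so that an auditor can later tell whether any entry was edited, removed or reordered. The account names, timestamps and reasons below are constructed for illustration; the field layout is an assumption, not anything the poster's organization used.

```python
"""Tamper-evident access log for a dedicated network-monitor console.

Added example (not from the list post): models the paper log book the
poster describes (who sat at the console, when, why) as a SHA-256 hash
chain so that a monthly audit can detect edited or deleted entries.
Field names and the sample sessions are constructed for illustration.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value used for the very first entry


def _digest(prev_hash: str, fields: Dict[str, str]) -> str:
    """Hash the previous entry's digest together with this entry's fields.

    json.dumps with sort_keys gives a canonical byte string, so the same
    fields always produce the same digest regardless of dict ordering.
    """
    payload = prev_hash + json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log: List[Dict[str, str]], when: str, who: str, reason: str) -> Dict[str, str]:
    """Record one signed-in console session and link it to the chain."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    fields = {"when": when, "who": who, "reason": reason}
    entry = dict(fields, prev=prev_hash, hash=_digest(prev_hash, fields))
    log.append(entry)
    return entry


def verify_chain(log: List[Dict[str, str]]) -> Tuple[bool, Optional[int]]:
    """Monthly audit check: recompute every digest and every link.

    Returns (True, None) if the chain is intact, otherwise (False, i) where
    i is the index of the first entry that was altered, reordered, or whose
    predecessor was removed.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        fields = {k: entry[k] for k in ("when", "who", "reason")}
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, fields):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def access_summary(log: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """'Who did what': map each local account to the reasons it logged."""
    summary: Dict[str, List[str]] = {}
    for entry in log:
        summary.setdefault(entry["who"], []).append(entry["reason"])
    return summary


def build_sample_log() -> List[Dict[str, str]]:
    """Constructed sample: three console sessions on one monitor box."""
    log: List[Dict[str, str]] = []
    append_entry(log, "2005-06-01T09:12", "netops1", "WINS name resolution failure, site B")
    append_entry(log, "2005-06-03T14:40", "netops2", "throughput complaint, file server segment")
    append_entry(log, "2005-06-04T08:05", "auditor", "monthly review of console log")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample))
    print("summary:", access_summary(sample))
    # Simulate someone rewriting the reason on an earlier entry; the audit
    # pinpoints the first entry whose digest no longer matches.
    sample[1]["reason"] = "routine check"
    print("after edit:", verify_chain(sample))
```

The chain catches edits, deletions in the middle and reordering, but not truncation of the most recent entries, so the auditor should write the latest digest somewhere the console operators cannot reach (the signed paper log works) and compare it at the monthly review.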