Beware of Network Sniffers
by Mitch Tulloch, author of Windows Server Hacks
11/01/2005
I'm really enjoying reading Jesper Johansson and Steve Riley's book Protect Your Windows Network. It's the best book on Windows security by far that I've seen, though it's aimed at a fairly high-end audience and is a bit lean on nitty-gritty "how to" stuff. Conceptually though, their treatment of the subject is masterful and their use of humor and the stories they tell from their own experience make it a real page-turner. Once you start you don't want to put it down.
One section that intrigued me is titled "The Myth of Network Sniffing." Hmm, sniffing is a myth? Shouldn't we be worried about hackers trying to sniff out sensitive information on our networks? Well, as Steve and Jesper point out, there are often far worse things to worry about than someone sniffing your network. For if someone is in a position to sniff traffic, it means they've probably taken control of one of your machines, which means they already have access to whatever information is stored on that machine (and probably any other machines that particular machine trusts or is trusted by). In fact, most hackers would rather go straight for the information actually stored on the compromised host rather than bother with installing sniffing software on it. Why is that?
Well, sniffing is actually a lot harder than Hollywood movies portray it to be. Imagine gaining clandestine access to a corporate network with a thousand nodes connected by a Gigabit Ethernet backbone. You're sitting in the server room with your laptop plugged into the span port of the backbone switch, and you have sniffing software installed on your laptop and your laptop's NIC is running in promiscuous mode. Ask yourself two questions: first, how long will it take for you to fill up your laptop's hard drive with captured packets? And second, how long will it take you to actually find something useful (like a password or other credentials or a MasterCard number) in all those captured packets? Then ask yourself something else: if you're standing in the server room of a company you want to hack, why on earth would you bother sniffing the network anyway? Why not just grab the hard drive from a server and run?
Risk Management
Everything in network security boils down in the end to risk management. You determine what risks your network faces, and then you act accordingly to protect the network within the boundaries of your allotted budget and time. While sniffing poses a danger to your network, so do rodents nibbling on cables in the plenum spaces of your building. Which are more of a threat? It depends -- is your building old and decrepit? Do employees tend to leave their lunch remains on the table at day's end? If either of these are the case, your best security investment might be to get a cat.
Either way, you need to assess the amount of risk each threat (rodents vs. sniffing) poses for your network, and you need to assess this realistically if you are going to protect your network. Then, once you've identified the threats your network faces, you need to prioritize them. Once they're prioritized, you can start taking steps to mitigate the most serious threats while keeping an eye on less likely threats in case their likelihood increases.
Preventing Sniffing
Let's say you do identify sniffing as a realistic, potential threat to your network. What should you do? First, ask yourself why sniffing is a threat. Is it because the steps you've taken to protect the computers on your network aren't really very effective? Is it because your company's physical security is poor and you're actually afraid of someone social-engineering themselves past the receptionist and into the server room where they can tap into a switch? Is it because you're overwhelmed by your new job as administrator and the network has grown over the years as the company expanded and you're not really sure just what's out there on your network? Like, maybe there are some LAN segments using hubs instead of switches, and by the way that computer over there wasn't there yesterday, I wonder who it belongs to? Hmm . . .
Actually, the way to prevent sniffing on your network is pretty straightforward. Just follow these steps:
- Make sure your network assets are physically secure. If you don't have physical security, you don't have any security.
- Make sure you have a written security policy and that it's enforced. Even physical security won't mean anything if you don't have a policy behind it backing it up.
- Make sure you know your network's assets, where every cable terminates and which computer or device every switch port connects to.
- Make sure your hosts are protected using every means necessary. If the bad guy compromises one of your hosts, sniffing is probably the least of your worries.
- Encrypt all traffic on your internal network using IPSec. Just try and sniff that. Which of course means that you can't use sniffers for legitimate reasons on such networks, like troubleshooting network problems (you win some, you lose some).
- Finally, you may want to consider setting up a bait machine -- a computer that only you know about. Give this machine a static or reserved IP address but don't create any records for it in the DNS server database. Then if someone is maliciously sniffing your network and they come across this machine, they're likely to try to run a DNS lookup on it to find out its hostname. Checking your DNS logs periodically for lookups for this machine's IP address could signal a sniffing attack at work.
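The bait-machine check in the last step can be automated. The script below is an added example and is not code from the article or from O'Reilly; it assumes a generic text query log (the line format is constructed for this example and is not the Windows DNS debug-log format) and watches for reverse (PTR) lookups of the bait address, since the bait host has no DNS records to look up by name. As the talkback below notes, a hit only tells you that something on the network noticed the address; it could be a port scan rather than a sniffer, so treat it as a signal to investigate, not proof.

```python
"""Scan DNS query log lines for reverse lookups of a 'bait' host.

Added example, not part of the original article. Assumes a text query log
where each line carries a timestamp, the querying client address, the query
type and the queried name (constructed format, not any vendor's native log).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines for this example. The bait machine sits at
# 192.168.5.200 and has no forward DNS record, so anyone who wants its
# hostname has to ask for 200.5.168.192.in-addr.arpa.
SAMPLE_LOG = """\
2005-11-01 09:12:01 client 192.168.1.22 query A fileserver.corp.example
2005-11-01 09:12:05 client 192.168.1.22 query PTR 10.1.168.192.in-addr.arpa
2005-11-01 09:13:40 client 192.168.1.77 query PTR 200.5.168.192.in-addr.arpa
2005-11-01 09:13:41 client 192.168.1.77 query A printer.corp.example
2005-11-01 09:15:02 client 192.168.1.9 query A www.oreilly.com
2005-11-01 09:20:11 client 192.168.1.77 query PTR 200.5.168.192.in-addr.arpa
"""

# One regex for the constructed line format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$"
)


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa (or ip6.arpa) name a PTR query for `ip` uses."""
    return ipaddress.ip_address(ip).reverse_pointer


def find_bait_lookups(log_text: str, bait_ip: str):
    """Return (timestamp, client, qtype, qname) for every query naming the bait.

    Only the reverse name is watched: the bait host deliberately has no
    forward record, so a forward query for it would never appear in a
    resolver log from a client that learned the name legitimately.
    """
    watch = reverse_name(bait_ip).lower()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        qname = m.group("qname").lower().rstrip(".")
        if qname == watch:
            hits.append((m.group("ts"), m.group("client"), m.group("qtype"), qname))
    return hits


def clients_by_hits(hits):
    """Count hits per querying client; repeat offenders float to the top."""
    return Counter(client for _, client, _, _ in hits)


if __name__ == "__main__":
    hits = find_bait_lookups(SAMPLE_LOG, "192.168.5.200")
    for ts, client, qtype, qname in hits:
        print(f"{ts}  {client:<15} {qtype:<4} {qname}")
    for client, n in clients_by_hits(hits).most_common():
        print(f"investigate {client}: {n} lookup(s) of the bait address")
```

Run it against a real resolver log by swapping SAMPLE_LOG for the file contents and LINE_RE for a pattern matching your server's format; the bait logic itself does not change. Because the bait address is never advertised, legitimate clients have no reason to resolve it, which is what keeps the false-positive rate low.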
Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.
-
sniffing IS a threat
2005-11-03 17:15:48 damdamdam
"Well, sniffing is actually a lot harder than Hollywood movies portray it to be."
It's not that hard to do, and very effective.
"Imagine gaining clandestine access to a corporate network with a thousand nodes connected by a Gigabit Ethernet backbone."
Or just imagine an open Wifi network...
"first, how long will it take for you to fill up your laptop's hard drive with captured packets?"
Quite a long time if I have set the right capture filters. No need to log all the packets. Just log the interesting ones (the ones coming and going to the host you want to crack for example).
"And second, how long will it take you to actually find something useful (like a password or other credentials or a MasterCard number) in all those captured packets?"
You're not using the right tool for the right job. You may want to try some powerful packet sniffers before saying that.
"Then ask yourself something else: if you're standing in the server room of a company you want to hack, why on earth would you bother sniffing the network anyway?"
To get to other networks/accounts I have not YET cracked.
"Why not just grab the hard drive from a server and run?"
You need physical access to do that. You can do it but it requires much more planning than just sniffing somewhere on the network. You don't need to sniff from the source or the destination network. Somewhere in the middle is just fine. You can even do it from previously cracked networks and be relatively safe. Much safer than "grab and run" if you ask me.
"Encrypt all traffic on your internal network using IPSec. Just try and sniff that."
I'm not talking about IPSec, but every protocol based on SSL is vulnerable to man-in-the-middle attacks. It's not sniffing anymore because it's an active attack, but you can crack "SSL secured" networks. But we're not talking about script kiddies anymore. It's more difficult than just sniffing.
Besides, encrypting your internal network is fine, but it won't do a lot when you have to send the root password by plain email to someone outside (yourself at home because you want to work from home this week). Sniffing is still effective in that sort of case.
"Checking your DNS logs periodically for lookups for this machine's IP address could signal a sniffing attack at work."
Absolutely not. It might just be a (dumb) port scan. Quite a different beast from sniffing. By definition, sniffing is silent. You don't do anything on the sniffed network except listening. You won't know someone is sniffing unless you're looking for it.
-
"Why not just grab the hard drive from a server and run?"
You need physical access to do that. You can do it but it requires much more planning than just sniffing somewhere on the network. You don't need to sniff from the source or the destination network. Somewhere in the middle is just fine. You can even do it from previously cracked networks and be relatively safe. Much safer than "grab and run" if you ask me.
It's also spectacularly unsubtle - if I were a malicious intruder in your network who wanted to gain access to your confidential information and not get caught, I'd be far more likely to sniff the right access credentials to get at it digitally over the wire, as this would allow me to copy the information then and there, or come back for it later, either (assuming that I can do so without being logged) without you finding out about it.
Contrast this with pulling the hard disk, which is likely to get me noticed within 1-2 minutes (unless I'm lucky enough to need information from a server with an unmonitored, mirrored RAID array and I happen to know the right disk to pull) when the server stops responding, and I know which one I consider a more likely security risk!