
Re: [FW-1] [FW1] Sniffer | new firewall rule | help!



Felt I needed to comment on this.  Why do IT folk in general feel the need to be so rude in technical forums?  Bzzt thanks for playing?  Get a life.

When an organization has been built prior to a policy being written (obviously not the best situation, but happens all the time), admins need to understand the business needs.  Sniffing traffic to gain that understanding is a perfectly acceptable method.  Once the communication lines that are currently in use are documented, then you meet with managers to debate what traffic should and should not be allowed.  What they sign off on becomes part of your overall security policy.

To sniff the traffic you either need sniffing software installed on the server itself (careful about who can run it!) or you need to insert a device between the switch and the server to do the sniffing.  I typically do this with a hub, though you may have trouble if the traffic levels on the server's interface are high.  A hub will force you back to half-duplex, which may cause collisions.  Once in place you will want to dump all packets with the SYN bit set and the server's address as the destination to look for clients making TCP connections.  With a bit of textual munging you can reduce this data to the set of clients that connect to the server on particular ports.  More difficult with UDP-based protocols, but still looking for packets with the server as destination.

Turning the port numbers into actual software names can be done with grep and /etc/services, or google :)

Good luck,

j
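The capture-and-reduce step described above, as an added example that is not part of the original post or the list: a POSIX shell script that turns tcpdump text output of inbound SYNs into unique "port client" pairs and then names the ports from an /etc/services-style table. The server address 192.0.2.10, the capture lines and the services excerpt are all constructed for the example; the interface name eth0 in the commented capture command is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): reduce a tcpdump capture of inbound
# SYNs to "which client talks to which port on the server", then name the ports.
# Assumptions: the server is 192.0.2.10 (hypothetical), and the capture lines and
# the services table below are constructed samples in tcpdump -n / /etc/services format.

SERVER=192.0.2.10

# On the sniffing host (hub or mirror port) the raw capture would be taken with
# something like the following; it needs root and a live interface, so it is not run here:
#   tcpdump -n -i eth0 "dst host $SERVER and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" > syns.txt
# The flag test keeps only initial SYNs (SYN set, ACK clear), i.e. new connections
# to the server, not its own SYN/ACK replies.

# Constructed sample of "tcpdump -n" output; includes a SYN/ACK from the server and a
# SYN to some other host so the filtering below has something to reject.
sample_capture() {
cat <<'EOF'
10:01:02.123456 IP 10.1.1.5.40122 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
10:01:03.223456 IP 10.1.1.5.40123 > 192.0.2.10.22: Flags [S], seq 2, win 65535, length 0
10:01:04.323456 IP 10.1.2.9.51000 > 192.0.2.10.443: Flags [S], seq 3, win 65535, length 0
10:01:05.423456 IP 10.1.2.9.51001 > 192.0.2.10.80: Flags [S], seq 4, win 65535, length 0
10:01:06.523456 IP 192.0.2.10.22 > 10.1.1.5.40122: Flags [S.], seq 9, ack 2, win 65535, length 0
10:01:07.623456 IP 10.1.3.7.33000 > 192.0.2.10.3306: Flags [S], seq 5, win 65535, length 0
10:01:08.723456 IP 10.1.3.7.33001 > 10.9.9.9.25: Flags [S], seq 6, win 65535, length 0
EOF
}

# Constructed excerpt in /etc/services format; in real use read /etc/services itself.
sample_services() {
cat <<'EOF'
ssh             22/tcp
http            80/tcp
https           443/tcp
mysql           3306/tcp
EOF
}

# syn_clients SERVER < capture
# Prints unique "port client" pairs for initial SYNs addressed to SERVER, sorted by port.
# Parsing the text output means this also works on a full capture replayed with
# "tcpdump -n -r file" where the SYN filter was not applied at capture time.
syn_clients() {
  awk -v srv="$1" '
    $2 == "IP" && $7 == "[S]," {
      src = $3; sub(/\.[0-9]+$/, "", src)          # strip source port
      dst = $5; sub(/:$/, "", dst)                 # drop trailing colon
      n = split(dst, a, "."); port = a[n]          # last dotted field is the port
      host = substr(dst, 1, length(dst) - length(port) - 1)
      if (host == srv) print port, src
    }' | sort -u | sort -n
}

# port_name PORT < services-file   -> service name for PORT/tcp, or "unknown"
port_name() {
  awk -v p="$1/tcp" '$2 == p { print $1; found = 1; exit } END { if (!found) print "unknown" }'
}

# summarize SERVER [SERVICES_FILE] < capture  -> one "port/name client" line per pair
summarize() {
  srv=$1; svc=${2:-/etc/services}
  syn_clients "$srv" | while read -r port client; do
    printf '%s/%s %s\n' "$port" "$(port_name "$port" < "$svc")" "$client"
  done
}

# Stand-alone run against the constructed sample
svc=$(mktemp); sample_services > "$svc"
sample_capture | summarize "$SERVER" "$svc"
rm -f "$svc"
```

The result is the per-port client list to take into the meeting with the managers; each "port/name client" line is a candidate firewall rule that someone still has to sign off on. Note that sort -u is applied before the numeric sort so two different clients on the same port are not collapsed into one line.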

-----Original Message-----
From: Volker Tanger [mailto:[email protected]]
Sent: 22 April 2003 08:27
To: [email protected]
Subject: Re: [FW-1] [FW1] Sniffer | new firewall rule | help!


Greetings!

On Tue, 15 Apr 2003 07:40:44 -0400 Firewall Security
<[email protected]> wrote:

> This question is a bit off topic, but will be used to build new
> firewall rules:
> Here's the goal: identify connections to a particular server.  This
> info will be used to form access controls and security measures. (aka
> new firewall rules)

*bzzzt*  Wrong answer. Thanks for playing.


What you want:
Allow access to the server only for selected/trustworthy partners or
protocols.

What you are doing:
Allow access to the server to all those who are using it already.


That is an organizational problem, not a technical one. A sniffer never
can sign a request - a manager can. General policy for rule requests
should be: no signature, no access.


Kind regards

Volker Tanger

IT-Security
discon gmbh
DeTeWe AG & Co. KG

Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/

--


=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
