I'm really enjoying reading Jesper Johansson and Steve Riley's book Protect Your Windows Network. It's by far the best book on Windows security I've seen, though it's aimed at a fairly advanced audience and is a bit lean on nitty-gritty "how to" material. Conceptually, though, their treatment of the subject is masterful, and their humor and the stories they tell from their own experience make it a real page-turner. Once you start, you don't want to put it down.
One section that intrigued me is titled "The Myth of Network Sniffing." Hmm, sniffing is a myth? Shouldn't we be worried about hackers trying to sniff sensitive information off our networks? Well, as Steve and Jesper point out, there are often far worse things to worry about than someone sniffing your network. On a switched network, if someone is in a position to sniff traffic, it means they've probably already taken control of one of your machines, which means they already have access to whatever information is stored on that machine (and probably on any other machine that it trusts or that trusts it). In fact, most attackers would rather go straight for the information stored on the compromised host than bother installing sniffing software on it. Why is that?
Well, sniffing is actually a lot harder than Hollywood movies make it look. Imagine gaining clandestine access to a corporate network with a thousand nodes connected by a Gigabit Ethernet backbone. You're sitting in the server room with your laptop plugged into the SPAN port of the backbone switch, sniffing software installed, and the laptop's NIC running in promiscuous mode. Ask yourself two questions: first, how long will it take to fill your laptop's hard drive with captured packets? And second, how long will it take to actually find something useful (a password, some other credential, or a MasterCard number) in all those captured packets? Then ask yourself something else: if you're standing in the server room of a company you want to hack, why on earth would you bother sniffing the network at all? Why not just grab the hard drive from a server and run?
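To make the two questions above concrete, here is a small example added to this article (it is not code from the book or from the author). It builds a constructed capture of a few hundred Ethernet/IPv4/TCP frames, then shows what a sniffer actually has to do to get a credential out of it: decode each layer, know which ports carry cleartext protocols, and parse those protocols. Only the HTTP Basic and FTP frames yield anything; the TLS and SMB frames, which make up almost all of the capture, are skipped because their payloads are opaque to this kind of search. The frame builder, IP addresses, and logins are all made up for the demonstration, and checksums are left at zero.

```python
"""Constructed mini-capture: the distance between 'NIC in promiscuous mode'
and 'a usable credential'. Example added to this article, not the book's code."""
import base64
import struct

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample, zero checksums)."""
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    # src, dst, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))  # hypothetical hosts
    return eth + ip + tcp + payload


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, payload) for IPv4/TCP, else None."""
    if len(frame) < ETH_HDR + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP or ihl < 20 or len(ip) < total_len:
        return None
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, src_port, dst_port, tcp[data_off:]


def extract_credentials(frames):
    """Protocol-aware search: only cleartext protocols give anything up."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, _sport, dport, payload = parsed
        if dport == 80:  # HTTP Basic auth is base64, not encryption
            for line in payload.split(b"\r\n"):
                if line.lower().startswith(b"authorization: basic "):
                    try:
                        decoded = base64.b64decode(line.split(b" ", 2)[2]).decode("ascii", "replace")
                    except ValueError:
                        continue
                    user, _, password = decoded.partition(":")
                    found.append(("http-basic", src_ip, dst_ip, user, password))
        elif dport == 21:  # FTP sends the password as a plain PASS command
            text = payload.decode("ascii", "replace").strip()
            if text.upper().startswith("PASS "):
                found.append(("ftp", src_ip, dst_ip, None, text[5:]))
        # Ports 443 (TLS) and 445 (SMB) are skipped: nothing recognisable to pull out.
    return found


def sample_capture():
    """Constructed frames: one HTTP Basic login, one FTP login, one TLS record, SMB noise."""
    frames = [
        build_frame(51000, 80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"alice:Sunshine1") + b"\r\n\r\n"),
        build_frame(51001, 21, b"USER bob\r\n"),
        build_frame(51001, 21, b"PASS hunter2\r\n"),
        build_frame(51002, 443, b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00"),
    ]
    frames += [build_frame(52000 + i, 445, b"\xfeSMB" + bytes(60)) for i in range(200)]
    return frames


def hours_to_fill(disk_bytes: int, link_bits_per_s: int, utilization: float) -> float:
    """Hours until a disk fills when capturing a link at the given utilisation."""
    return disk_bytes / (link_bits_per_s / 8 * utilization) / 3600


if __name__ == "__main__":
    capture = sample_capture()
    print(f"{len(capture)} frames, {sum(map(len, capture))} bytes captured")
    for hit in extract_credentials(capture):
        print(hit)
    print(f"100 GB disk on a 30%-busy gigabit link: {hours_to_fill(10**11, 10**9, 0.3):.2f} h")
```

Two hundred and four frames shrink to two hits, and only because two systems on this made-up network still use cleartext logins. Swap those for HTTPS and an SSH or SFTP server and the same capture yields nothing, while the disk still fills in well under an hour at the assumed utilisation.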
In the end, everything in network security boils down to risk management. You determine what risks your network faces, and then you act to protect the network within the boundaries of your allotted budget and time. Sniffing poses a danger to your network, but so do rodents nibbling on cables in the plenum spaces of your building. Which is more of a threat? It depends: is your building old and decrepit? Do employees tend to leave their lunch remains on the table at day's end? If either is the case, your best security investment might be a cat.
Either way, you need to assess how much risk each threat (rodents vs. sniffing) poses to your network, and you need to assess it realistically if you are going to protect your network. Once you've identified the threats your network faces, prioritize them. Then you can start mitigating the most serious threats while keeping an eye on the less likely ones in case their likelihood increases.
Let's say you do identify sniffing as a realistic, potential threat to your network. What should you do? First, ask yourself why sniffing is a threat. Is it because the steps you've taken to protect the computers on your network aren't really very effective? Is it because your company's physical security is poor and you're actually afraid of someone social-engineering their way past the receptionist and into the server room, where they can tap into a switch? Is it because you're overwhelmed by your new job as administrator, the network has grown over the years as the company expanded, and you're not really sure what's out there on it? Like, maybe some LAN segments still use hubs instead of switches (where every host sees every frame), and by the way, that computer over there wasn't there yesterday, I wonder who it belongs to? Hmm . . .
Actually, the way to prevent sniffing on your network is pretty straightforward; just follow these steps:
Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.
Copyright © 2009 O'Reilly Media, Inc.