So what do I do to defend those network analysis tools?

Discussion in 'other firewalls' started by bonedriven, Jun 28, 2008.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    In my company LAN, someone's using the network analysis tools to spy on our computers secretly. I know it because the other guy told me he'd seen him once showing him what websites one had visited and even the messages of the chat tools between each other.
    But I don't know what software he's using. It must be some easy ones 'cause that guy is a noob about computers.
    Question 1: Like the software in this forum, Colasoft network tools. Are these similar tools all based on ARP spoofing?
    2: What can I do as a defence of my privacy?

    He knew my admin password before. Now I have reinstalled my OS with nod32 av and comodo v3 on, and changed the admin pw. But I think comodo v3 can't handle ARP spoofing very well, right?

    Finally, what would happen when Colasoft network analysis tools vs Comodo v3? o_O
     
  2. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Maybe no firewall can survive.
    They are monitoring the switch!!
     
  3. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207

    being on public wireless lan for years, i'm very very concerned with inbound protection and anti-arp spoofing functionality of firewalls more than the claimed outbound control

    so...

    with all respect to comodo, OA, most of the top rated firewall hips, they are nothing but hips applications
    they are so famous for their outbound control, but their inbound protection is not stronger than the windows xp firewall
    also they include no anti-arp-spoofing protection

    in my opinion, and away from its common bugs, outpost is one of few firewalls which is concerned with the inbound control, protection within the local network, arp-spoofing protection, netcut attacks, DOS attacks, and informs u if ur gateway on the local network is falsely changed by a spoofing program, netcut, or any other sniffer and tells u about the MAC and IP of the attacking computer on the lan

    but as i told u, recent versions of outpost v4, v6.0 have some problems with many users, this is due to software bloating

    if u encountered problems with these versions, i recommend u an older version of outpost
    outpost version 3.5 or v2

    finally don't forget to disable the file and printer sharing on ur local network

    best regards
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Is the monitoring being done with management's knowledge?
     
    Last edited: Jun 28, 2008
  5. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    He should not be able to get your admin password unless you're logging in to your computer via a network like Novell. Other than that, there should be no way to get it from your PC unless it's like a Trojan or some other form of keylogging, since your computer doesn't send your Windows login across the network. If you're worried about someone on your main computer, then a firewall should be able to tell ya. As for the tool listed above, it should only list something like if you're logging into hotmail, anything that requires you to send data across the network. If it's just PC, you're safe as far as I know.
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    In addition to Bubba's question, I'd like to remind you to put a password on the default (invisible) admin account.
    Just about anyone can use your computer however they like, if you don't do this.
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    There are various ways to spy on a company LAN.
    The simplest way is to set up a proxy (or a sniffer on a gateway PC) and then all the net traffic will be monitored. Probably he has access to your company's proxy.
    Another way is to install a program like NetSPy Pro on every PC; a sniffer that can be controlled from a distance. After that he can monitor what is happening on each PC in real time without having to filter the traffic generated from the other PCs.
    A third way is to control the DNS server, but since he spies on the messages from IM programs, this is to be excluded from the list.
    I do not think that he uses ARP-spoofing techniques, especially since you said that he is a noob.
    1. Never let anyone know your admin password. It would also be wise to password-protect your security programs too.
    2. If he has access to the proxy of your company there is little you can do. The only way to protect your privacy is to use a tunneling protocol.
    3. If you have to use instant messengers, prefer programs that encrypt the traffic. Skype for example has a feature called secured communication. All the traffic is encrypted between the communicating parties.

    hope it helps,
    Panagiotis
     
    Last edited: Jun 28, 2008
  8. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Well, I have the only printer in the poor office so I have to share it.


    I think he asked some pros to set up all the company's LAN hardware and his own monitoring software. We had one router and a switch.



    Sorry, maybe I didn't make it clear. He did not steal my pw. He just knew it 'cause the pw on my computer was public to everyone in the office at first. I am new in the office and it's a part-time job in this company.


    Yeah, I have done that since I reinstalled the OS.



    Sorry, I don't quite understand the proxy method. I don't think it is the netspy etc. method 'cause I think my computer is clean, especially after I have reinstalled the OS.

    Thanks for the link. I'll check it out.
     
  9. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    If the company uses a proxy server, all the traffic is routed through the server. And this means that it can be intercepted and analysed.
    The same is true if they use a dedicated PC as the default gateway.
    Also they could use a transparent or intercepting proxy server.

    You are welcome. :)
     
  10. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    I installed the Colasoft network analysis tool and found out the software monitors all the traffic through the switch, as you must connect your monitoring PC to the monitor port of the switch. Then Colasoft can catch the packets and decode them into website addresses and IM messages etc.
    Then what could I do if he really uses Colasoft, for example?
    Hi, the article is kind of deep for me :(.
    1. Practically, how can I use the tunneling_protocol method to encrypt the traffic? Some software?
    2. Does Tor work in this situation?
     
  11. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    One thing I got to say: if this is your boss doing this, good luck getting around it. My suggestion then would be do personal things at home like IMing and whatnot, otherwise invest in a laptop and find a wifi hotspot on a break to IM or check whatever ya check... A lot of management watches their network to make sure people are doing what people are supposed to do while at work and make sure that they are paying employees for what they were hired for. Something that has just been rolling through my mind since the beginning of this post.

    If it's not your boss, then report him to your boss and have the software removed. Then you will have no problem with someone watching the network.

    just my 2 cents
     
  12. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Hi, Fajo. He is not my boss at first. Secondly, I don't know if it is too rude to say so. He is the ***kisser of the boss. It is not the boss's idea to watch us but his own. Please don't tell me to call the police.
    Sorry for off topic.
     
  13. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    I have installed Tor. It works great to bypass the Colasoft analysis.
     
  14. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    Lol, I would never tell ya to call the police. But honestly the easiest way to get around him is to invest in a laptop and, if you really want, a mobile card lol. You can use your laptop on the web and no one could monitor it. :cool: I was going to do this for a long time because the main computer at work was monitored but there were no rules against me bringing my own.
     
  15. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Good for you! :)
    This is only a temporary job. So it's not a big problem. I'm here just for knowledge, and don't wanna lose this little game. :doubt:
     
  16. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    Yes, but if he is a B**kisser then it might just get you in more trouble than it's worth. Even tho the fame of rubbing it in his smug face may be worth it. :eek:
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Hm. I think you are not right. I tried nmap to scan my LAN and even the most advanced scan didn't find a network computer where OA was installed and the interface was untrusted. As for the ARP spoofing, it was discussed many times and in the end it appeared that FW-based anti-ARP is useless. A personal firewall cannot protect your gateway from spoofing by definition. To prevent ARP spoofing successfully you need the gateway to be protected first.

    As for OA. I dunno what it does with ARP, but I sometimes see ARP-related stuff in the FW log. Some messages are just informative, some messages report that an ARP packet was blocked. For example:
    [29.06.08 00:54:03] 254 ARP entry: 192.168.1.72 -> 00-1F-C6-58-D3-7E
     
    Last edited: Jun 29, 2008
  18. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207

    the inability of ur advanced scanners to detect the pc where OA is installed on ur lan does NOT mean that it can not be detected by any weaker scanner of a hacker inside ur lan



    from where did you get this end result?
    maybe it is ur own opinion


    i tried both outpost firewall and lavasoft firewall "outpost derivative" and both of them protect well against all spoofing, sniffer and DOS "DENIAL OF SERVICE" attacks inside ur local network
    and also inform you about any false gateway change
     
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Sure, it doesn't. But this doesn't mean the opposite as well. A conclusion can only be made on real tests. I did it with nmap. I was satisfied, because nmap covers all the possible ways to scan a network I know. You may run your own tests of course and let us know of your results.
    It comes from the nature of ARP spoofing. Imagine that your gateway is spoofed with your card's fake MAC. What can your FW do in this case? Nothing.
    On the other side, you may use a static MAC and then you don't need to do anything else. For modern LANs this is the recommended way to go.
    You should try to attack your gateway. I don't think Outpost or ANY other FW can stop this.

    And in general, if you do not run a network server like web or ftp or p2p, you can hardly be of any interest for DOS attacks. I spent a year in a huge LAN without any FW except the built-in one and I do not remember noticing that my computer was affected in any way. Then I just installed OA and went invisible.

    Do not take it as if I am trying to make you change your favourite FW, but if you judge other products, try at least to be fair (and to be fair you must be informed).
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ok, seeing your answer to Bubba's question, and this, I'd suggest following Pandlouk's posts :)
     
  21. henryg

    henryg Registered Member

    Joined:
    Dec 13, 2005
    Posts:
    342
    Location:
    Boston

    bonedriven, I've been using the Ironkey at work. It is the best thing when it comes to secure & private web browsing.... check out their specifications:

    https://www.ironkey.com/

    https://www.ironkey.com/personal
     
  22. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207

    1- u mean ur ports were stealthed or the computer is completely hidden on the lan?

    if the 1st, any firewall including windows xp firewall can do that
    if the second, just open netcut and u will find ur mac and ip with the username visible on it

    BY real testing of OA with
    -winarp spoofer
    -net cut
    -switch sniffer

    following results found

    computers with OA were quite visible on the local network

    u can hide them only by changing the router settings "SPI"

    so i'm sure ur results were not realistic


    nothing?!
    from where did u get this answer?
    maybe coz u didn't try or test by urself a firewall with anti-spoofing properties

    in fact the firewall should respond by the following:

    1- informs u that the gateway ip and mac was changed

    2- informs u about the ip and mac of the computer that did that spoofing

    3- makes ur pc behave as if the gateway is a static not a dynamic gateway
    as most DOS attacks occur with dynamic gateways
    and the end result is preventing the spoofing and the DOS attack



    i already attacked the gateway hundreds and maybe thousands of times with almost all types of sniffers, winarp spoofer, netcut, ...

    and outpost did all the above steps very well
    my statements are based on real testing, not just a view
    and i invite u to do it urself by real tests, instead of giving just opinions "that may be affected by emotions, loving one firewall and hating another"




    alex, i think i'm fair
    just review my above words well
    OA is the number 1 firewall hips application at this moment "according to matousec today's results"
    so, this is a fact that none can deny
    OA with comodo are the best at outbound protection
    but they have very little abilities concerning inbound protection
    they spend all their time patching themselves just to fight more leak tests
    and completely forgot something called inbound, which is supposed to be the basic firewall function


    finally
    i'm not from the outpost fans
    i don't like it and am not using it right now
    but i just wanted to say what i saw with my eyes
     
    Last edited: Jun 29, 2008
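
    The gateway-change alerts described in the post above can be approximated offline from ARP log lines in the layout quoted earlier in the thread. This is an added example, not part of any post and not code from any firewall vendor; the function name, the sample addresses and the treatment of the number after the timestamp as an opaque field are assumptions.

```python
import re
from collections import defaultdict

# Line layout copied from the log excerpt quoted in the thread:
# [dd.mm.yy hh:mm:ss] <number> ARP entry: <ip> -> <mac>
ARP_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\d+\s+ARP entry:\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s*$"
)

def find_binding_changes(lines, gateway_ip):
    """Return one alert dict per log line whose MAC differs from the first seen for that IP."""
    first_mac = {}                  # ip -> MAC first observed for it
    ips_by_mac = defaultdict(set)   # mac -> every IP that has used it
    alerts = []
    for line in lines:
        m = ARP_LINE.match(line.strip())
        if not m:
            continue                # not an ARP entry line
        ip, mac = m["ip"], m["mac"].upper()
        known = first_mac.setdefault(ip, mac)
        if mac != known:
            alerts.append({
                "time": m["ts"],
                "ip": ip,
                "is_gateway": ip == gateway_ip,
                "expected_mac": known,
                "seen_mac": mac,
                # other addresses already tied to the new MAC point at the
                # machine that is now answering for this IP
                "same_mac_ips": sorted(ips_by_mac[mac] - {ip}),
            })
        ips_by_mac[mac].add(ip)
    return alerts

# Constructed sample log (addresses and MACs are made up for illustration).
SAMPLE_LOG = """\
[29.06.08 09:00:01] 254 ARP entry: 192.168.1.1 -> 02-00-00-00-00-01
[29.06.08 09:00:05] 254 ARP entry: 192.168.1.72 -> 02-00-00-00-00-48
[29.06.08 09:00:09] 254 ARP entry: 192.168.1.90 -> 02-00-00-00-00-5A
[29.06.08 09:14:30] 254 ARP entry: 192.168.1.1 -> 02-00-00-00-00-5A
[29.06.08 09:14:31] 254 ARP entry: 192.168.1.72 -> 02-00-00-00-00-48
""".splitlines()

if __name__ == "__main__":
    for a in find_binding_changes(SAMPLE_LOG, gateway_ip="192.168.1.1"):
        kind = "GATEWAY" if a["is_gateway"] else "host"
        print(f'{a["time"]} {kind} {a["ip"]}: {a["expected_mac"]} -> '
              f'{a["seen_mac"]} (also used by {a["same_mac_ips"]})')
```

    The baseline here is whatever MAC is seen first for each IP, so the log has to start before any spoofing does. Detection of this kind only reports the change; it does not stop the gateway's own ARP cache from being poisoned, which is the limitation argued elsewhere in the thread.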
  23. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Plus it can be crashed easily by flooding it as proved by ailef :D.
     
    Last edited by a moderator: Jun 29, 2008
  24. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    hi coolio
    could u explain more ?
     
  25. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Completely hidden. From ARP, TCP, UDP, ICMP, PUP etc
     