Packet Filtering.

  1. #1
    Junior Member
    Join Date
    Feb 2003
    Posts
    20

    Packet Filtering.

    Hi,

    We have installed a new student server in our department. The institute is behind a firewall and so all the connections to the internet go through that firewall. Since the server is wholly for the students and managed by students, I have been made the associate system administrator.

    The problem is that there are numerous incidents occurring when peer students are accessing banned sites. I have been retrieving the list of such sites and adding them to the deny access list. However, that is not a final end to the problem. Further, the students whose logins have been caught, when questioned denied the facts and some of them have given their logins to other friends who might be accessing these sites.

    The system runs Red Hat Linux 7.0 and I have tried various system processes (top et al) but have had little success with it. The main problem is identifying from where the access is being made and identifying the data that is being exchanged (some students tried to use anonymous proxy servers); in case someone is sitting in the department lab on the terminals connected to that server, he can be caught and warned thus reducing such incidents in future.

    I have talked to my professors and they only gave me some pointers about packet sniffing and packet filtering asking me to find it out for myself. They said it will give me real time information on who is accessing what and thus I can immediately get to know on which term someone is accessing a banned site and thus lock his login there and then and catch him on the spot. I have tried looking about these terms on the net but they are all usually software tools which too are windows based.

    Can anyone tell me where to find information on how to do packet sniffing and packet filtering for Linux without having to download any software. Also, if there is any other method to know which sites are being accessed, it would make my work a lot easier.

    Thanks.

    Regards,
    Bluzky.

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    Firstly, how many tiers of Firewalls do you have?
    Does the school have its own proxy server for Internet traffic?
    Have you got any network IDS in place? ie. Snort?
    SoggyBottom.

    There were so many fewer questions when the stars where still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  3. #3
    Junior Member
    Join Date
    Feb 2003
    Posts
    20
    Hi,

    I don't know about how many tiers of firewalls. I think it's just one and that is the main firewall of the institute. Yes, the institute has its own proxy server.

    About the network IDS, nothing like Snort has been put up.

    Please advise.

    Thanks for your help and time.
    Bluzky.

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    So, if my interpretation is correct..You have one firewall that is pretty much set up as follows:

    Internal Network ---> FW ----> Internet

    Is this correct? If so, in what segment does your proxy sit?

    Also, is there a Router sitting on the Untrusted side of the FW (Internet Side) that you could possibly place ACLs on?
    SoggyBottom.


  5. #5
    Junior Member
    Join Date
    Feb 2003
    Posts
    20
    Hi,

    I don't think there is any router on the internet side. And moreover, I will not have any permissions to gain access to the institute proxy servers for that matter, since I am just the system administrator of a small server in the department which forms a very minuscule part of the institute as a whole.

    So whatever needs to be done, I have to do it locally. The best way I think is to catch those who are trying these things and warn them against such future use. And also to catch the offenders, who are stealing others' passwords and using them here. And for that, packet sniffing would be needed I think, to catch them in real time.

    Suggest !!

    Thanks,
    Bluzky.

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    If you can force users to ONLY use your proxy server (which can be done depending on where your proxy sits and with tight FW rules) I suggest that you do the following:

    - Setup a username and password authentication on the Proxy for every Internet User.
    - Apply filters on the proxy that can filter on URLs for "unsavoury" words. ie. Porn, fu#k, (use you imagination!!).
    - You can then set up the proxy to fire off an email to the user and sysadmin when a URL (or part of one) matches your predefined filters. This email should also include the URLs in question, the user's userid etc...
    - Keep a record of all breaches, and after x warnings delete their proxy account!
    SoggyBottom.

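An added example, not code from the thread, of the proxy-side procedure SoggyBottom lays out above: it parses Squid-format access log lines, flags URLs that match a word list, builds the per-user alert text that would be emailed, and counts breaches per proxy account against a warning threshold. The log lines, the word list and the threshold are constructed for the example, and the Squid native access.log layout is an assumption.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed Squid native access.log layout (one line per request):
# time elapsed client status/code bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S*"
)

# Constructed sample log lines; hosts use the reserved .test TLD.
SAMPLE_LOG = """\
1044537600.101 120 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.test/index.html alice DIRECT/10.1.1.1 text/html
1044537601.202 340 10.0.0.15 TCP_MISS/200 8800 GET http://casino-site.test/play?x=1 alice DIRECT/10.1.1.2 text/html
1044537602.303 210 10.0.0.21 TCP_MISS/200 1024 CONNECT anonymizer.test:443 bob DIRECT/10.1.1.3 -
1044537603.404 150 10.0.0.15 TCP_MISS/200 2048 GET http://free-casino.test/ alice DIRECT/10.1.1.4 text/html
1044537604.505 100 10.0.0.30 TCP_HIT/200 4096 GET http://library.example.test/ carol NONE/- text/html
"""

# Constructed filter word list; the thread leaves the real list to the admin.
FILTER_WORDS = ("casino", "anonymizer")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def matches_filter(url: str, words=FILTER_WORDS) -> List[str]:
    """Case-insensitive substring match of each filter word against the URL."""
    low = url.lower()
    return [w for w in words if w in low]


def format_alert(alert: Dict[str, object]) -> str:
    """Body of the notification email: user id, client host, URL and matched words."""
    return (f"Proxy filter match for user {alert['user']} from {alert['client']}: "
            f"{alert['url']} (matched: {', '.join(alert['matched'])})")


def scan_log(text: str, words=FILTER_WORDS, max_warnings: int = 3
             ) -> Tuple[List[Dict[str, object]], Dict[str, int], List[str]]:
    """Return (alerts, breaches per user, users at or over the warning limit)."""
    alerts, breaches = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        hits = matches_filter(rec["url"], words)
        if hits:
            breaches[rec["user"]] += 1
            alerts.append({"user": rec["user"], "client": rec["client"],
                           "url": rec["url"], "matched": hits})
    to_disable = sorted(u for u, n in breaches.items() if n >= max_warnings)
    return alerts, dict(breaches), to_disable
```

Run it against a real access.log the same way; the account disabling itself is left to the proxy's own user management.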

  7. #7
    Junior Member
    Join Date
    Feb 2003
    Posts
    20
    Hi,

    Thanks for replying back. You are suggesting to create a new firewall which will be used against such miscreants. But, already the users have one institute proxy account and setting up another one for local use would be too tedious and not approved by the professors and students alike. And I would not like to cause the honest and sincere users any trouble by adding one more proxy account.

    I don't manage the institute proxy servers and usually the modus operandi is such that all the users in the institute are given one proxy account and there are no departmental or server specific proxies. So anyways, the request there would also not be favoured.

    I thought about installing the proxy, but after taking the feedback from students, obviated the idea. So the only thing that I could get to know was to do with packet sniffing and catching the wrong-doers. Do you have any info on this?

    Moreover, about the site banning. The institute regularly does that on its own too and I don't know how these people are accessing those sites. I think that they are bypassing the proxy too and also using anonymous sites though they too have been banned by the institute. I have no idea right now how they are managing this. So that is why the only resort is to catch the packets and from there see how, where and what they are accessing.


    thanks.

    Bluzky.

  8. #8
    Antionline's Security Dude (instronics)
    Join Date
    Dec 2002
    Posts
    901
    Hello Bluzky.

    I agree fully with what soggy bottom has said so far. The best way to restrict access is via a proxy server. The one thing that puzzles me though is:

    I have been retrieving the list of such sites and adding them to the deny access list.
    Where have you entered these lists? Also, if you're in charge of restricting URLs, then why don't you have access to the school's proxy server? If you don't have access to the proxy, then you can't restrict URLs.

    I thought about installing the proxy, but after taking the feedback from students, obviated the idea.
    So what if they obviated the idea? Where is the loss from the students side? (except the fact that illegal sites would not load?)

    Always keep in mind that security often replaces comfort. If you want to do what you mentioned, then you need to have access to the main proxy and firewall. There is no way of finding out who is actually sitting behind a computer when doing things he should not. The only information you can get is the host itself, and maybe the user id of the person who is logged in.

    So whatever needs to be done, I have to do it locally. The best way I think is to catch those who are trying these things and warn them against such future use. And also to catch the offenders, who are stealing others' passwords and using them here. And for that, packet sniffing would be needed I think, to catch them in real time.
    Use banners when logging in. Let it say something like "Unauthorized use of this System is Prohibited. By Accessing this System you agree that your Actions may be Monitored if Unauthorized use is Suspected." Packet sniffing is not a bad idea to help you figure out which computer is sending what kinds of packets where, but there's a lot more to it than just packet sniffing. One of them is a proxy.

    One more thing.... how about if you set up a subnet for the students' user computers. Separate that from the main network, and set up your own proxy and firewall from your subnet to the rest of the network. Force all access to go through your proxy server. Nothing else should be allowed to pass the proxy/firewall.

    Please tell me what you are specifically allowed to do and what not.

    Cheers.
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"
