How to prevent internal intruder

Posted on 2004-03-24
Last Modified: 2013-12-04
I am a network administrator at a company in Malaysia, and a novice in IT security.
Lately, an internal intruder who is able to sniff the packets on my network sends me an email every day telling me all the activities that I did. For example: the content of emails that I sent out using my Hotmail account, attachment files sent, the files that I transferred over my internal network.
I feel so insecure now. I am keen to know what tools are available that enable the internal intruder to do this, and any tools available to overcome this problem. Please help............
I am using a PIX firewall and ISS RealSecure IDS in my network, and all kinds of Cisco routers and switches.
Question by:belim
LVL 38

Accepted Solution

Rich Rumble earned 100 total points
ID: 10673571
To combat the "sniffing" you need to get on a separate VLAN; if you are on your own VLAN then no one should be able to sniff your connection physically. If they are spanning your port... then you need to log who is logging on to your switch to set that up. To see if your port is being spanned, "show span" will do the job. With luck the intruder is in your company or using a box on your LAN to do all this activity. If they are sending you an email from an account outside the company, but using a server or workstation at your company to do so... then set up a rule in ISS to find them... for example, the threats are coming from  set up a rule in ISS to look for people visiting That should narrow the search down with a bit of luck. I don't use ISS so I can't tell you what the rule would look like really...

To sniff out sniffers... use a program like: (as-1021.exe is AntiSniff from L0pht Industries) can also be found here

A Snort rule to detect the intruder using a workstation on your network to send the email (which would be sloppy/amateur) would look like this (the address to match was lost from the post; put it in the content option):
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"would-be attacker?"; content:"<intruder address here>"; sid:1000001; rev:1;)

LVL 12

Assisted Solution

trywaredk earned 100 total points
ID: 10675043
Encrypt your email ...

An Introduction to the Windows 2000 Public-Key Infrastructure - Official white paper from Microsoft that introduces PKI on Windows 2000. Focus is on the design of PKI and the differences between Enterprise Certificate Authorities and stand-alone Certificate Authorities. 20 pages. 
Certificate Autoenrollment in Windows XP - With Windows XP it is now possible to autoenroll certificates to users. This reduces the normally high costs of building and maintaining a PKI infrastructure. The entire life cycle of the certificates can be managed including enrollment, renewal and deletion of expired and revoked certificates. To gain this new feature you need a .Net Schema, updates to your Group Policies and a Windows .Net Server 2003 Enterprise Edition as an Enterprise Certificate Authority. 46 pages. 
Microsoft Windows 2000 Public Key Infrastructure - White paper from Microsoft concerning the basic functionality of PKI, and which technologies in Windows 2000 are able to use PKI. 27 pages. 
Step-by-Step Guide to Administering Certificate Services - Nice introduction from Microsoft on Certificate Authorities. In this document you find simple practices where you install a stand-alone CA, do a backup and restore of it, issue certificates, revoke certificates and publish CRLs (Certificate Revocation Lists). 10 pages. 
Step-by-Step Guide to Public Key Features in Outlook Express 5.0 and Above - Short white paper from Microsoft on configuration of Outlook Express 5.0 with regards to the use of certificates and encryption/signing of mails. 2 pages.
Step-by-Step Guide to Public Key Features of Outlook 2000 - If you want to send encrypted/signed mail with Outlook 2000 here's an explanation of the client side setup. 3 pages. 
Step-by-Step Guide to Public Key-Based Client Authentication in Internet Explorer - Nice little overview from Microsoft going through the configuration of IE when you want certificate based authentication using TLS/SSL. Only the client side is described here. 2 pages. 
Windows 2000 Server and Key Management Server Interoperability - White paper from Microsoft on the integration of PKI and Exchange 5.5 / Exchange 2000. Thorough description of using the Key Management component on Exchange to enable encryption and signing of emails. 40 pages. 
Windows XP Wireless Deployment Technology and Component Overview - This official Microsoft paper addresses Wireless technologies. It sums up the processes of connecting, authenticating and encrypting, and goes into different technologies such as RADIUS/IAS, EAP and certificates. 41 pages.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open


Author Comment

ID: 10675411
Taking email as an example: is there any network IDS available on the market that can sniff the packets and reassemble them back into the original content and attachment? My understanding is that an IDS is just a piece of software which provides log details?????
LVL 38

Expert Comment

by:Rich Rumble
ID: 10676205
IDSs detect packets that meet certain goals or criteria. Packet-inspecting firewalls are capable of redirecting packets, overwriting them, and various other manipulation. We use our IDS to detect exploits and various other unwanted network traffic, viruses being the main target for detection. IDS stands for Intrusion Detection System; they are intended for the most part to find "hacker" activity and policy violations on your network.

I offered a way to catch, or attempt to catch, the person sniffing on your network; trywaredk is telling you how to encrypt your email. The intruder could be using any number of sniffers; the most popular are Ethereal and TcpDump.
If you put your PC on a separate VLAN and you still get an email about your activity, then you've got 1 of 2 things going on.
1) your PC is compromised with a key logger, remote view, or some sort of activity logging program
2) your "hacker" has the ability to span your port on the Cisco switch... which means you need to change the passwords on the switch, with a laptop or PC NOT plugged into the network and using the Cisco console cable (there is no way to sniff the console cable), then reboot the switch, because if he still has a session to your switch, that will knock him off.

Scan your PC with McAfee or some other anti-virus to be sure you're not compromised. Ad-Aware will also detect bunches of trojan programs. The scanners I linked to can catch NICs sniffing the network; give them a try.
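As an added illustration of what the sniffer scanners mentioned in the two Rich Rumble posts above do (this is example code, not AntiSniff's own source), here is the classic ARP test for a NIC in promiscuous mode: an ARP request is sent to a deliberately bogus destination MAC, which a NIC in normal mode discards in hardware, whereas a promiscuous NIC passes it up and the host's ARP stack answers. The MAC/IP values are constructed sample data; putting the probe frames on the wire would need a raw (AF_PACKET) socket and root, which is left out here.

```python
"""Promiscuous-NIC probe in the style of AntiSniff's ARP test (added example)."""
import struct

ETH_P_ARP = 0x0806
# Bogus destination: neither broadcast nor any real NIC. Only a promiscuous
# host will see this frame and answer the ARP request inside it.
PROBE_DST_MAC = "ff:ff:ff:ff:ff:fe"
OUR_MAC, OUR_IP = "00:11:22:33:44:55", "10.0.0.1"   # constructed values

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def build_arp_probe(src_mac: str, src_ip: str, target_ip: str,
                    dst_mac: str = PROBE_DST_MAC) -> bytes:
    """Ethernet II frame (42 bytes) carrying an ARP request for target_ip."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)       # Ethernet/IPv4, opcode 1
    arp += mac_bytes(src_mac) + ip_bytes(src_ip)           # sender
    arp += b"\x00" * 6 + ip_bytes(target_ip)               # target (MAC unknown)
    return eth + arp

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

def suspected_sniffers(probed_ips, replies):
    """IPs that sent an ARP reply to a probe a normal NIC would never see."""
    found = set()
    for frame in replies:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == 2 and parsed[2] in probed_ips:
            found.add(parsed[2])
    return sorted(found)

def fake_reply(mac: str, ip: str) -> bytes:
    """Constructed ARP reply, standing in for a frame captured off the wire."""
    eth = mac_bytes(OUR_MAC) + mac_bytes(mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + mac_bytes(mac) + ip_bytes(ip)
    return eth + arp + mac_bytes(OUR_MAC) + ip_bytes(OUR_IP)

# Constructed scenario: host .20 answers the bogus-MAC probe, host .30 stays silent.
PROBES = {ip: build_arp_probe(OUR_MAC, OUR_IP, ip) for ip in ("10.0.0.20", "10.0.0.30")}
SAMPLE_REPLIES = [fake_reply("00:aa:bb:cc:dd:20", "10.0.0.20")]
```

A host that answers is only a suspect: some operating systems filter the bogus MAC correctly even in promiscuous mode, so treat a silent host as unproven rather than clean.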
