How to prevent internal intruder

I am a network administrator in one of the companies in Malaysia, and a novice in IT security.
Lately, an internal intruder who is able to sniff the packets in my network sends an email to me every day, telling me all the activities that I did. For e.g. the content of emails that I sent out using my Hotmail account, attachment files sent, the files that I transferred over my internal network.
I feel so insecure now; I am keen to know what tools are available that enable the internal intruder to do so, and any tools available to overcome this problem. Please help.
I am using PIX firewall and ISS realsecure IDS in my network, and all kinds of cisco router and switches.
Rich Rumble (Security Samurai) commented:
To combat the "sniffing" you need to get on a separate VLAN; if you are on your own VLAN then no one should be able to sniff your connection physically. If they are spanning your port... then you need to log who is logging on your switch to set that up, to see if your port is being spanned; "show span" will do the job. With luck the intruder is in your company or using a box on your LAN to do all this activity. If they are sending you an email from an account outside the company, but using a server or workstation at your company to do so... then set up a rule in ISS to find them... for example, the threats are coming from  set up a rule in ISS to look for people visiting That should narrow the search down with a bit of luck, I don't use ISS so I can't tell you what the rule would look like really...

To sniff out sniffers... use a program like: (as-1021.exe is AntiSniff from L0pht Industries) can also be found here

A Snort rule to detect the intruder using a workstation on your network to send the email (which would be sloppy/amateur) would look like this:
alert tcp $HOME_NET any <> $EXTERNAL_NET any (content:"<SENDER-ADDRESS-ELIDED-FROM-POST>"; msg:"would-be attacker?"; sid:1000001;)

trywaredk commented:
Encrypt your email ...

An Introduction to the Windows 2000 Public-Key Infrastructure - Official white paper from Microsoft that introduces PKI on Windows 2000. Focus is on the design of PKI and the differences between Enterprise Certificate Authorities and stand-alone Certificate Authorities. 20 pages. 
Certificate Autoenrollment in Windows XP - With Windows XP it is now possible to autoenroll certificates to users. This reduces the normally high costs of building and maintaining a PKI infrastructure. The entire life cycle of the certificates can be managed including enrollment, renewal and deletion of expired and revoked certificates. To gain this new feature you need a .Net Schema, updates to your Group Policies and a Windows .Net Server 2003 Enterprise Edition as an Enterprise Certificate Authority. 46 pages. 
Microsoft Windows 2000 Public Key Infrastructure - White paper from Microsoft concerning the basic functionality in PKI, and what technologies in Windows 2000 that are able to use PKI. 27 pages. 
Step-by-Step Guide to Administering Certificate Services - Nice introduction from Microsoft on Certificate Authorities. In this document you find simple practices where you install a stand-alone CA, do a backup and restore of it, issue certificates, revoke certificates and publish CRLs (Certificate Revocation Lists). 10 pages. 
Step-by-Step Guide to Public Key Features in Outlook Express 5.0 and Above - Short white paper from Microsoft on configuration of Outlook Express 5.0 with regards to the use of certificates and encryption/signing of mails. 2 pages.
Step-by-Step Guide to Public Key Features of Outlook 2000 - If you want to send encrypted/signed mail with Outlook 2000 here's an explanation of the client side setup. 3 pages. 
Step-by-Step Guide to Public Key-Based Client Authentication in Internet Explorer - Nice little overview from Microsoft going through the configuration of IE when you want certificate based authentication using TLS/SSL. Only the client side is described here. 2 pages. 
Windows 2000 Server and Key Management Server Interoperability - White paper from Microsoft on the integration of PKI and Exchange 5.5 / Exchange 2000. Thorough description of using the Key Management component on exchange to enable encryption and signing of emails. 40 pages. 
Windows XP Wireless Deployment Technology and Component Overview - This official Microsoft paper addresses Wireless technologies. It sums up the processes of connecting, authenticating and encrypting, and goes into different technologies such as RADIUS/IAS, EAP and certificates. 41 pages.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open

belim (Author) commented:
If talking about email as an example, is there any network IDS available in the market that can sniff the packets and re-arrange them back to the original content and attachment? My understanding is that an IDS is just a piece of software which provides log details?????
Rich Rumble (Security Samurai) commented:
IDSs detect packets that meet certain goals or criteria. Packet-inspecting firewalls are capable of redirecting packets, overwriting them, and various other manipulation. We use our IDS to detect exploits and various other unwanted network traffic, viruses being the main target for detection. IDS stands for Intrusion Detection System; they are intended for the most part to find "hacker" activity and policy violations on your network.

I offered a way to catch, or attempt to catch the person sniffing on your network- trywaredk is telling you how to encrypt your email. The intruder could be using any number of sniffers, the most popular are Ethereal and TcpDump.
If you put your PC on a separate VLAN and you still get an email about your activity, then you've got 1 of 2 things going on.
1) your PC is compromised with a key logger, remote view, or some sort of activity logging program
2) your "hacker" has the ability to span your port on the Cisco switch... which means you need to change the passwords on the switch, with a laptop or PC NOT plugged into the network and using the Cisco console cable (there is no way to sniff the console cable), then reboot the switch, because if he still has a session to your switch, that will knock him off.

Scan your PC with McAfee or some other anti-virus to be sure you're not compromised. Ad-Aware will also detect bunches of trojan programs. The scanners I linked to can catch NICs sniffing the network, give them a try.
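Both answers above say to check whether the admin's switch port is being spanned (mirrored). The script below is an added example, not code from the thread or from Cisco: it parses a constructed sample that approximates the layout of `show monitor session all` on a Cisco IOS switch, and flags any SPAN session whose destination is not an approved monitor port (here the hypothetical IDS sensor port Gi0/48) or that mirrors the admin's own port (hypothetically Gi0/5).

```python
import re

# Constructed sample approximating `show monitor session all` output; not from a
# real device. Session 2 is the admin's own feed to the IDS sensor on Gi0/48;
# session 1 mirrors the admin's port Gi0/5 to an unexpected destination.
SAMPLE_OUTPUT = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi0/5
Destination Ports      : Gi0/24

Session 2
---------
Type                   : Local Session
Source VLANs           :
    Both               : 10
Destination Ports      : Gi0/48
"""

def _ports(field):
    return [p.strip() for p in field.split(",") if p.strip()]

def parse_sessions(text):
    """Return [{'id', 'sources', 'destinations'}] for each SPAN session listed."""
    sessions, cur, in_sources = [], None, False
    for line in text.splitlines():
        if m := re.match(r"Session (\d+)", line):
            cur = {"id": int(m.group(1)), "sources": [], "destinations": []}
            sessions.append(cur)
            in_sources = False
        elif cur is None:
            continue
        elif re.match(r"Source (Ports|VLANs)\s*:", line):
            in_sources = True  # indented Both / RX Only / TX Only lines follow
        elif m := re.match(r"Destination Ports\s*:\s*(.*)", line):
            cur["destinations"] += _ports(m.group(1))
            in_sources = False
        elif in_sources and (m := re.match(r"\s+(Both|RX Only|TX Only)\s*:\s*(.*)", line)):
            cur["sources"] += _ports(m.group(2))
    return sessions

def unauthorized_sessions(text, approved_destinations, my_port=None):
    """Sessions sending copies anywhere but an approved monitor port, plus any
    session that mirrors my_port regardless of where the copies go."""
    flagged = []
    for s in parse_sessions(text):
        bad_dest = any(d not in approved_destinations for d in s["destinations"])
        if bad_dest or (my_port and my_port in s["sources"]):
            flagged.append(s)
    return flagged
```

Run this against output saved over the console cable, as the answer suggests, so the check itself is not observable on the network.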