Solved

How do you catch a firewall intruder/extruder?

Posted on 2007-10-12
Last Modified: 2010-04-11
How can I tell what software or hardware is used to get around or through our firewall? We have someone at our office that has been bragging about going to any web site he wants. We have Sonicwall in place at our location and our internet provider's site. We have Symantec Enterprise for small businesses running on the server. We are finding remnants of web sites on the server. If we look at his computer it is clean: no cookies, trails or anything, just like he had never been on the internet. We installed Belarc on his computer and he found it and disabled it. With no proof what can I do? We have had 2 viruses in the last six months, the last one this week. We were shut down for a day and a half. Our IT guys have scoured his computer and can find nothing. Is there a way that I could set up, install or whatever to track his station IP? My boss says no proof, then we can do nothing. When he leaves at night his computer is defragged, cleaned, it looks almost like a new installation.
Question by:maxdent01
12 Comments
 
LVL 6

Accepted Solution

by:
karlwilbur earned 1000 total points
ID: 20069933
You could use a packet sniffer like Wireshark (formerly Ethereal ... http://www.wireshark.org/ ) and have it listen to all traffic from his IP. You'd need to have the system running Wireshark on a hub to get all traffic. Your IT guys should understand how and why. Or, if not a hub, install an inline tap on the network cable (these can be made from $10US worth of material from any Home Depot-like hardware store).

There is also the option of running something like VNC in listen only mode and recording his actions with a screen recorder.

I am not sure of the legal implications, but I think that your company policy should have a description of how far IT can go to monitor how employees are using the company resources.
0
 
LVL 6

Expert Comment

by:karlwilbur
ID: 20069936
Sorry, I meant to mention this too:

I have been in situations where the firewall would not let me connect to various sites, so I created a tunnel to offsite systems and bounced my web requests off these systems, thus bypassing the firewall controls. These kinds of connections are not likely to be caught by a Sonicwall.

Also, when you say "We are finding remnants of web sites on the server", are you saying that he is browsing from the server?
0
 
LVL 30

Assisted Solution

by:Kerem ERSOY
Kerem ERSOY earned 1000 total points
ID: 20070023
Hi,

First of all it seems that the guy has an administrator account on his computer, so that he can install / uninstall anything as he wishes. I believe no one in a corporate environment should have this type of account. To secure his computer:
- First of all go to BIOS setup and enable the administrative password, so that he cannot change boot order etc. to circumvent your settings.
- Then if you have Active Directory apply more restrictive settings and convert his account to a normal user, disabling control panel, IE settings, network settings etc.
- If you don't have Active Directory then convert his account to a limited account such as power user or restricted user.
   - Delete all unnecessary accounts
   - Assign a password to the default administrator account called Administrator.
- Then install whatever software you want to monitor his actions.
- Search for any cookie cleaners, anonymizing proxy programs, VPN, SSH tunneling applications etc. and uninstall them
- Restrict access to servers. If he needs to access the server then set up a restricted account for him.
- Monitor your outgoing traffic with a packet sniffer. But in this case you'll need a dumb hub or something like that to monitor the internet out port.
0
 

Author Comment

by:maxdent01
ID: 20070234
He does not have admin rights. Our IT guy thought that his 'tunnel' may be using our server to get out. This is confusing to me. He thinks this is a big game. But so far a payroll of approx 4k/hour x 15 hours + 120/hr for the IT people taking the server and finding the only thing wrong was that the drives had been disconnected (not physically) from the server. I'd like to just take him to the parking lot and solve the problem myself.
I will try these suggestions and report back within the next few days.
Thanks for all of the suggestions.
Max
0
 
LVL 9

Expert Comment

by:ghostdog74
ID: 20070249
you should also audit your firewall rules. do you have multiple access points to the internet?
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20070561
A "firewall" is normally only configured to stop people getting in as opposed to stopping people getting out, and it's not clear from your question if the firewall has any form of outward port/protocol blocking in place. Another aspect of your question that is a little confusing is that you say there is also a Sonicwall firewall in place at the "internet provider's site". Do you mean your ISP, or is this another corporate office connected by VPN, and in which case what log files are used to establish who is doing what? Finally, you have not mentioned whether there is any form of proxy service running at your perimeter internet connection, which again would be normal in a corporate environment, but you talk about "remnants of sites" on a server, which kind of implies there is perhaps some sort of proxy in place.

Regardless of the other anomalies in your question, no matter what type of user this person is (admin/power/etc.) they probably have access to Remote Desktop Connection, as this is an integral part of Windows from 2000 onwards (or failing that a variation of VNC or Crossloop that uses standard HTTP protocol), and using this they could quite easily remotely connect to a PC at their home or wherever and browse the web using that remote PC. In such a case nothing would appear in the temporary Internet files/cache of the local PC, nor would there be anything obviously occurring in your firewall logs, other than HTTP traffic on the offending PC.

Someone passing the PC while it is in use could quite easily believe the person is browsing the web using the local PC, when in fact they are not, and similarly a quick press of the Alt-Tab key would hide the Remote Connection and bring the local PC's screen back into focus.

It is more often than not the simplest of things that get overlooked when trying to catch someone you believe to be clever!
0
 

Author Comment

by:maxdent01
ID: 20070835
To clear up some of your questions:
1) the sonicwall is in place at our IT's office as they are our Domain server. We also have a box, tied to theirs, in our office. They see no problems on their end.
2) we do have remote access set up for them to our server. The password is changed on a regular basis.
3) sonicwall is set to block any web sites that have anything to do with sex, violence, gambling and a few others. Also some web sites by name are blocked.
4) I am not sure what the IT guy means by remnants of the sites. The password on the sonicwall and server is changed on a regular basis also; only three people know the passwords: IT, myself and my boss.
5) we have given him only rights that pertain to his machine and to the licence of software that he uses for the company. His rights are supposed to NOT let him install anything on his station without one of the above three giving him permission.

Beyond that I do not know what else can be done. I have forwarded all of the suggestions to our IT people also. I will not know until Monday if any of these suggestions will work. Also, he works in a position where you can come up from behind him without him knowing beforehand. (Our IT guy suggested moving him so that his back is exposed to anyone walking by, but the boss said that was not an option without some proof.)

Thanks
Max
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 20070953
Hi you say:

As far as I can understand:
- You say "5) we have given him only rights that pertain to his machine and to the licence of software that he uses for the company. His rights are supposed to NOT let him install anything on his station without one of the above three giving him permission." But you also had previously mentioned that you'd installed Belarc on his computer but he managed to "disable" it. To disable it he needs to be an administrator, for he'll be stopping the service and deleting the service file (which will be busy when active).
- He is accessing the server while he does not have authority to do so. Hence you find "remnants of websites" there.
- As far as I understand these remnants belong to some sites which are in violation of your policies.
- It is obvious that if he were accessing those sites from the server directly your sonicwall would block him.
- Probably he is bypassing your sonicwall check via an outside proxy, anonymizer etc., so that sonicwall thinks he is connecting to a site which is not in sonicwall's lists while he is using this server as a proxy.
- This explains why you never find anything out of the usual on his computer, because he accesses the internet through your server, not over his client computer.
- He might be exploiting a vulnerability or something to access the server.

I think you need some administrative action too such as:
- Some Acceptable Use policy on corporate computers and his personal workstation that will also state the conditions on termination of his job.
- Some NDA
etc.
0
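karlwilbur's tunnel description and Kerem's proxy-through-the-server theory both leave patterns in connection logs that a defender can search for. The following is an added example, not code from this thread or from Sonicwall; it assumes a hypothetical whitespace-separated connection-log export, an office range of 192.168.0.0/16, and the server at 192.168.1.10, with all sample records constructed:

```python
from ipaddress import ip_address, ip_network

# Constructed sample records (not real traffic). Hypothetical export format:
# start_epoch src_ip dst_ip dst_port proto bytes duration_s
SAMPLE_LOG = """\
1192176000 192.168.1.50 192.168.1.10 445 tcp 8200 30
1192176010 192.168.1.50 192.168.1.10 3128 tcp 950000 5400
1192176010 192.168.1.10 203.0.113.7 22 tcp 940000 5390
1192176020 192.168.1.51 198.51.100.20 80 tcp 12000 4
1192176030 192.168.1.52 198.51.100.21 443 tcp 30000 12
"""

INTERNAL_NET = ip_network("192.168.0.0/16")  # assumed office range
SERVER_IP = "192.168.1.10"                   # assumed address of the server
LONG_SESSION_S = 1800                        # 30 min: far longer than a page load
TUNNEL_PORTS = {22, 443, 1080, 3128, 8080}   # ports that commonly carry SSH/proxy tunnels

def parse(log_text):
    """Turn the whitespace-separated export into a list of dicts."""
    rows = []
    for line in log_text.splitlines():
        ts, src, dst, dport, proto, nbytes, dur = line.split()
        rows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                     "proto": proto, "bytes": int(nbytes), "dur": int(dur)})
    return rows

def is_internal(ip):
    return ip_address(ip) in INTERNAL_NET

def find_tunnel_candidates(rows):
    """Long-lived sessions leaving the network on tunnel-capable ports."""
    return [(r["src"], r["dst"], r["dport"]) for r in rows
            if not is_internal(r["dst"]) and r["dur"] >= LONG_SESSION_S
            and r["dport"] in TUNNEL_PORTS]

def find_relay_via_server(rows, server_ip=SERVER_IP, window_s=60, tolerance=0.1):
    """Pair a workstation->server session with a server->outside session that starts
    within window_s and moves a similar byte count: the signature of the server being
    used as a hop to reach sites the firewall would otherwise block."""
    inbound = [r for r in rows if r["dst"] == server_ip and is_internal(r["src"])]
    outbound = [r for r in rows if r["src"] == server_ip and not is_internal(r["dst"])]
    pairs = []
    for i in inbound:
        for o in outbound:
            close_in_time = abs(o["ts"] - i["ts"]) <= window_s
            similar_size = i["bytes"] > 0 and abs(o["bytes"] - i["bytes"]) / i["bytes"] <= tolerance
            if close_in_time and similar_size:
                pairs.append((i["src"], o["dst"], o["dport"]))
    return pairs
```

Run against a real export, each hit is only a lead: confirm it against the workstation's process list and the server's logon records before acting on it.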
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 20072636
BTW

> I'd like to just take him to the parking lot and solve the problem myself.
In IT world this is called "Physical Access Control" :))))) or "Mandatory Access Control"
0
 

Author Comment

by:maxdent01
ID: 20079180
"Physical Access Control" sounds real good, except that thanks to you (KeremE) and karlwilbur he is no longer a threat. I told the IT people about the tunnel stuff and then the proxy anonymizer. They started watching for signs of those types of things and BINGO! He's GONE!!!

Thank all of you guys for your help. I have been a member for several years. I am not smart enough to help others, but I keep you guys busy with my problems.
BEST regards,
Max
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 20079339
You're welcome :) And I really liked your Physical Access Control; I'll suggest it to fellow Sys Admins in the future as an option.

Take care.
0
 
LVL 6

Expert Comment

by:karlwilbur
ID: 20079389
Glad my experience could provide some assistance to sysadmins somewhere (as I am sure that it has caused similar headaches to others elsewhere).
0
