Bugtraq mailing list archives

Re: Network Monitoring and Control (announcement)


From: mcn () EnGarde com (Mike Neuman)
Date: Fri, 31 Mar 1995 08:31:12 -0600


From owner-bugtraq () fc net Fri Mar 31 07:07:08 1995

packet file which can later be replayed through Watcher. Most importantly,
Watcher allows the admin to CONTROL network users by instantly terminating
any connection, setting up makeshift firewalls, or even TAKING OVER 
(hijacking) any connection. 


Sounds ok if you're charged with providing security for a corporate, 
government or military site, but in the case of pay commercial hosts this 
should be illegal, if not downright immoral.  How much privacy should I 
expect from a provider?  I mean I am paying for services, and there was 
some limited agreement to services.  I think you'd better put in a 
statement saying YOUR SESSION WILL BE WATCHED AND IF WE FEEL YOU'RE 
BEING POLITICALLY INCORRECT WE WILL TAKE OVER YOUR SESSION.

  The Department of Justice's official standpoint is as long as you are
monitoring activity involving at least one of YOUR OWN machines, and you 
put a banner up (similar to the CERT recommended banner described in CA-92:19), 
you've protected yourself legally, and you are justified in monitoring.

  If your ISP signs a contract with you saying that you're guaranteed of
privacy, they're going to have SERIOUS security problems, but I would assume
you could sue them if they violate that agreement. What sort of damages you
would win, I have no idea...

Once we get everyone on Gore's Information Super Highway, this will be a 
great tool for the government to use to help us maintain control of our 
lives.

  The government doesn't have time to control our lives. They're all out
trying to find new jobs.

  Granted, this could be used in a way similar to AOL's fascist policy of
censoring newsgroups and mail, but that's AOL's choice (or whomever). If
you don't like their policy, sign up with another ISP!

Sure it's a great hacking tool, and I wouldn't mind seeing a copy, but 
aside from the corporate/government use, I don't see where it has a 
justifiable use.

  Primarily this tool will be useful to businesses and government who wish
to protect their systems. Watcher CAN also be used to help users with
problems, although for small ISPs, it may just be easier to log into their
(one or two) servers and run TAP or Advise or something.

Also, technically, what kind of overhead does it pull on a 2,000 user 
network?  Does connection speed and processor load suffer?

  Since it's a passive network monitor, there's no way it will affect the
network UNTIL you start using the active countermeasures. Once you do:
Terminate connection: 2 additional packets
Start Xterm: 3 additional packets
Take Over connection: depends on how much data you and the server send.

  So, the network load is negligible. Processor load 'suffers' only on the 
monitoring machine. Presumably, the network monitor will be a separate 
security platform, or some other service platform where auditing, logging, 
and other critical services are performed. This may not be a reasonable
assumption for small businesses who can't afford another machine, but then
they probably wouldn't have that many machines to protect in the first place
anyway.

  In any case, on an overloaded network (around 500 active connections), my Sparc 10's
CPU graph never got above 5%. Packet loss was also still at 0%, but that's
because I was using BPF, rather than NIT. I don't have any benchmarks for DLPI,
but it's STREAMS based, so I'm guessing it's as bad as NIT. (On that same
network, NIT packet loss was consistent at around 4%)

Am I the only one who feels this is an invasion of privacy?  

  It can be used to invade privacy. But, if the policy of the company/agency
is that users should have no assumption of privacy, then it's not a problem.
ISPs may have a harder time dealing with this than other companies or
government agencies. But that's something they need to work out for themselves.
The vast majority of potential users of Watcher are people who need to
protect their systems from outside attackers. ISPs are probably the most
often targeted, but at the same time, generally have the least to lose 
(compared to companies with proprietary or other sensitive data online).

Hope that helps some...

-Mike
--
Mike Neuman (mcn () EnGarde com) - EN GARDE SYSTEMS - Computer Security Consulting
http://www.c3.lanl.gov/~mcn   - http://www.cec.wustl.edu/~dmm2/egs/egs.html
===============================================================================
"Most of these should be 'void', but the people who defined the STREAMS
 data structures for S[ystem] 5 didn't understand data types." - Solaris source
