5

Are there ways to monitor and check for network monitoring like Wireshark?

Or would it just be more ideal to ensure every application uses SSL to ensure no employee or anyone could packet sniff chats/emails for information?

Jason

3 Answers

4

There is no way to do that unless you can monitor the installed programs on your users' PCs with software like EMCO Software scanner.

Kotzu
  • 3
    Of course, this assumes that only company-approved systems are attached to the network, and nobody is using these tools from a thumb drive, and nobody would ever use a Live CD... – Iszi Apr 03 '14 at 17:01
  • Most corporate networks will use some sort of NAC to ensure that only "approved" devices that meet security policies (patch level, antivirus, etc.) can get on the network. – Johnny Apr 03 '14 at 19:55
1

You can always look for those Wi-Fi and Ethernet cards which are in promiscuous mode, as these shouldn't be so. If you deploy a good AV like Sophos you can block all USB ports and CD drives. Lock down privileges to certain things such as CMD, Run and maybe C:. If you deploy a proxy you can filter the undesired websites into a blacklist so the user cannot reach them and download that way. That is more of an answer to prevent rather than discover, but hope this helps.

Sighbah
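A local check for the promiscuous-mode idea in the answer above, added here as an example and not part of any answer. It assumes a Linux host you administer, reads the `IFF_PROMISC` bit from `/sys/class/net/<iface>/flags`, and tracks the kernel's "entered/left promiscuous mode" log messages; the sample log lines are constructed and cover the two message layouts commonly seen.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # interface flag bit defined in linux/if.h


def is_promiscuous(flags_text):
    """flags_text is the hex string the kernel exposes, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return names of local interfaces whose IFF_PROMISC bit is set."""
    found = []
    root = Path(sysfs_root)
    if not root.is_dir():  # not Linux, or sysfs not mounted
        return found
    for iface in sorted(root.iterdir()):
        try:
            if is_promiscuous((iface / "flags").read_text()):
                found.append(iface.name)
        except (OSError, ValueError):
            continue  # interface vanished or unreadable flags file
    return found


# Matches "device eth0 entered promiscuous mode" and the layout without
# the word "device": "... eno1: entered promiscuous mode".
PROMISC_RE = re.compile(r"(?:device )?(\S+?):? (entered|left) promiscuous mode")


def promiscuous_from_kernel_log(lines):
    """Replay kernel log lines; return interfaces still in promiscuous mode."""
    state = {}
    for line in lines:
        m = PROMISC_RE.search(line)
        if m:
            state[m.group(1)] = m.group(2) == "entered"
    return sorted(name for name, on in state.items() if on)


SAMPLE_LOG = [  # constructed sample lines, not from a real host
    "[  101.5] device eth0 entered promiscuous mode",
    "[  140.2] device eth0 left promiscuous mode",
    "[  300.9] device wlan0 entered promiscuous mode",
    "[  412.0] e1000e 0000:00:1f.6 eno1: entered promiscuous mode",
]

if __name__ == "__main__":
    print("sysfs:", promiscuous_interfaces())
    print("log:  ", promiscuous_from_kernel_log(SAMPLE_LOG))
```

This only covers hosts where the script or log collection runs; bridges, virtualization hosts and monitoring sensors legitimately set the flag, so results need an allowlist.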
1

Using some type of network monitor, network tap, ping sweep, or other traffic monitoring tool. No, capturing traffic is generally silent unless the attacker is trying to make noise and capture the traffic.

There are sysadmin tools which can monitor installed programs on authorized machines, and you can use network access control to limit unauthorized devices from accessing the network. However, it is still possible for an attacker to capture traffic. The attacker may be limited to his broadcast/routing domain based on switches, routers, and VLANs if he is trying to keep quiet; however, it is possible to gain access to a SPAN port or use something like a PwnPlug at a strategic point on the network. However, the more network you want to access, the harder it is to stay quiet.

Generally, where possible running individual connections with encryption, whether TLS/SSL or something else, is a good way to limit eavesdropping, but there are still possibilities for compromise.

The best plan of action is to implement multiple layers of protection. This may include IDS/IPS sensors strategically on the network, workstation application monitoring/running process monitoring tools, network access control, physical site reviews, disabling unused ports, etc.

Eric G