We use Cisco ASA's firewall and NAT functions in our network (200 computers).

Is there any possibility to configure Cisco ASA to detect traffic sniffing (for example wireshark) and network inspection (for example "nmap -sP 192.168.0.*") inside our network?

There is a tool called "antisniff" on linux routers. Does ASA have any analog?

Mike Pennington
  • What is the *goal* here - do you want to secure your network, or are you anally focusing on detecting things that are undetectable by their very nature? The latter could be said to be a futile endeavour. – adaptr Aug 23 '12 at 08:11
  • The ASA does not have any builtin function to combat active sniffing, aka [ARP spoofing](http://en.wikipedia.org/wiki/ARP_spoofing) and passive sniffing is not reliably detectable. You may want to read up on ARP security on your switches. – resmon6 Aug 23 '12 at 18:21

3 Answers

Packet tracing (what wireshark does) is undetectable, period. It merely reads data already present on the network and hence is entirely passive.

nmap is nothing like a sniffer - it is an active network probe that sends and receives packets.

The latter could be detected with applications such as snort; the Cisco ASA does not have this capability.

adaptr

Packet sniffing is mainly a passive technology: in programs like wireshark an interface is set to promiscuous mode and all data is listened to, but not acted on. As such there's no way to detect anything like this listening inside your network. Also, any attempt to block such activity is limited by the fact that the packet sniffer will be on the local subnet; unless you firewall every computer individually, you wouldn't be able to block a sniffer from listening out on the network.

Bear in mind as well, though, that if you have switches approaching anywhere near decent, not all traffic will be hitting the sniffer unless you have configured a monitor port on the switches and then plug the sniffer in to this monitor port. This doesn't make sniffing entirely useless, some traffic will still hit the sniffer, but data sent from one host meant for another host entirely may not even hit the sniffer.

If you are really worried about packet sniffing inside your network your best bet is going to be to implement encryption on as many of the protocols you hold dear as possible, that way even if a packet sniffer was listening and found data, it would be unreadable.

Port scanning, such as nmap accomplishes, however, is an active technology and, as such, could be detected inside the network, unless the person using it is wise enough to avoid scanning the gateway, at which point it may become undetectable again depending on your switches.

<-- edit -->

As @Mike Pennington has stated, there are a few methods of detection, though only one I can see would affect wireshark, that being the promiscuous mode bug in the standard Windows driver; read his hyperlink for more detail.

I'd be interested to see if this bug is still apparent in modern NT systems, I might give it a go myself.

I still maintain that it's a passive technology, though, and is pretty hard to detect, if at all possible (pending investigation).

Alex Berry

Sniffing is a function of host-configuration. Detection of sniffers is possible using some heuristics or tools; however, these techniques rely on probes and traffic pattern detection, so this is far outside the capabilities of the ASA. Since sniffer detection relies on things like traffic patterns, smart sniffer operators can circumvent the detection techniques if they know what they're doing.

nmap is another host-level tool to detect open ports. You can block and track nmap activity using an ASA if you can quantify logging patterns to look for (see logsurfer); however, the ASA itself does not have the capability to alert on port-scanner usage, you're really analyzing the ASA logs after the fact if you want to detect port-scanning. The ASA has no built-in capabilities to detect port-scans itself.

You need a real Intrusion Detection System to do the kind of functions you're looking for.

Mike Pennington
  • Passive sniffing is undetectable, period; I have no idea what you're trying to suggest here. Also, yes, the ASA does contain *some* IDS functionality, especially in the region of flood detection (which may match a port scanner's behaviour) – adaptr Aug 23 '12 at 07:58
  • 1
    @adaptr, you may want to read the document by R Spangler I linked. Under some circumstances you can detect packet sniffing. – Mike Pennington Aug 23 '12 at 08:01
  • 2
    Seriously ? Did you read what I said ? Wireshark (the product named by the OP) is a passive sniffer - it cannot be detected. In fact, your text is clearly misleading when you claim that they can all be detected. Please fix your story. – adaptr Aug 23 '12 at 08:06
  • 2
    I can't help people who won't read the pdf hyperlink cited in my answer. For those who want the summary version, one example of how packet sniffer detection is **possible**: send packets from a known hostname to all hosts on a subnet. *If* the sniffer is doing DNS lookups on the hostnames, you'll see a corresponding query for that hostname when you send the packet. **It's not foolproof, but it does detect sniffers under some circumstances** – Mike Pennington Aug 23 '12 at 08:14
  • FYI, rehosted Ryan Spangler's paper to my personal site, since the webhost originally linked was a bit unreliable – Mike Pennington Aug 23 '12 at 08:16
  • Fair enough in that respect, but wireshark does not do this although, admittedly, it is not the only packet sniffer out there. Your methods would be much more effective against monitoring tools like ntop etc that attempt to build pictures of networks by analysing all the data available to them in as much detail as possible. A standard capture > dump setup though, like wireshark, does not do DNS lookups. I would be interested to see if the windows driver in recent versions is susceptible to the promiscuous bug, though. – Alex Berry Aug 23 '12 at 08:23
  • 1
    Alex, you're still missing the point. Assume dumb script-kid in your corporate network has penetrated host at 192.168.1.66. Assume I am the network engineer for this company and watch outbound traffic from my subnet and network. If I send packets to 192.168.1.66 from 192.168.1.100 and the dumb script-kid has Wireshark configured to do reverse-hostname lookups (it's the default in `wireshark` CLI and `tcpdump` in linux), then I will see PTR lookups for 192.168.1.100 within moments of me sending the packet. – Mike Pennington Aug 23 '12 at 10:21
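The reverse-DNS correlation that Mike Pennington describes in the comments above, as an added example that is not part of any answer on this page: after sending a probe packet from a chosen source address, the DNS server's query log is searched for hosts that issued a PTR lookup for that address shortly afterwards. The log lines are constructed here in a format modelled on BIND's querylog; the probe address, timestamp and window are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# One BIND-style querylog line (constructed sample format):
#   23-Aug-2012 10:21:05.123 client 192.168.1.66#53011: query: 100.1.168.192.in-addr.arpa IN PTR + (192.168.1.1)
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\w+)"
)

def reverse_name(ip):
    """'192.168.1.100' -> '100.1.168.192.in-addr.arpa', the name a PTR lookup asks for."""
    return ip_address(ip).reverse_pointer

def ptr_lookups_of(lines, probe_src):
    """Return (time, client) for every PTR query that resolves probe_src."""
    want = reverse_name(probe_src)
    hits = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m and m.group("qtype") == "PTR" and m.group("name") == want:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            hits.append((ts, m.group("client")))
    return hits

def suspected_sniffers(lines, probe_src, probe_sent_at, window_seconds=30):
    """Clients that resolved the probe's source address within window_seconds
    of the probe being sent. A lookup from a host the probe was not even
    addressed to is the strongest signal: it only saw the packet on the wire."""
    deadline = probe_sent_at + timedelta(seconds=window_seconds)
    return sorted({client for ts, client in ptr_lookups_of(lines, probe_src)
                   if probe_sent_at <= ts <= deadline})

# Constructed sample log: probe sent from 192.168.1.100 at 10:21:03.
# .66 resolves it two seconds later, .42 four seconds later; .20 resolved
# it six minutes *before* the probe and is therefore not correlated.
SAMPLE_QUERYLOG = [
    "23-Aug-2012 10:15:00.500 client 192.168.1.20#41000: query: 100.1.168.192.in-addr.arpa IN PTR + (192.168.1.1)",
    "23-Aug-2012 10:21:05.123 client 192.168.1.66#53011: query: 100.1.168.192.in-addr.arpa IN PTR + (192.168.1.1)",
    "23-Aug-2012 10:21:06.001 client 192.168.1.66#53012: query: www.example.com IN A + (192.168.1.1)",
    "23-Aug-2012 10:21:07.250 client 192.168.1.42#50001: query: 100.1.168.192.in-addr.arpa IN PTR + (192.168.1.1)",
]
PROBE_SENT_AT = datetime(2012, 8, 23, 10, 21, 3)

if __name__ == "__main__":
    print(suspected_sniffers(SAMPLE_QUERYLOG, "192.168.1.100", PROBE_SENT_AT))
```

As the thread notes, this only catches sniffers configured to resolve names; a capture with name resolution off leaves no such trace.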
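Mike Pennington's third answer says port scans can only be found by analysing ASA logs after the fact for a pattern. As an added example that is not part of the page or of any Cisco tool, this sketches that analysis: ASA 106023 "Deny" messages are parsed and a source is flagged when it hits many distinct destination ports within a short sliding window. The log lines are constructed; the thresholds are assumptions to tune per network.

```python
import re
from collections import defaultdict
from datetime import datetime

# ASA access-list deny message with a leading timestamp (constructed sample format):
#   Aug 23 2012 08:11:00: %ASA-4-106023: Deny tcp src inside:192.168.1.66/40001 dst outside:10.0.0.5/21 by access-group "inside_in" [0x0, 0x0]
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-4-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_denies(lines):
    """Yield (time, src, dst, dport) for each 106023 line; other lines are skipped."""
    for line in lines:
        m = DENY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            yield ts, m.group("src"), m.group("dst"), int(m.group("dport"))

def find_port_scans(lines, min_ports=10, window_seconds=60):
    """Return {src: sorted ports} for sources whose denies touch at least
    min_ports distinct destination ports inside any window_seconds window."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport in parse_denies(lines):
        by_src[src].append((ts, dport))
    suspects = defaultdict(set)
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # slide a time window over this source's denies
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                suspects[src].update(ports)
    return {src: sorted(ports) for src, ports in suspects.items()}

# Constructed sample: 192.168.1.66 probes ports 21-32 on one host within 12 seconds
# (scan-like); 192.168.1.20 has two unrelated denies (normal noise).
SAMPLE_ASA_LOG = [
    f"Aug 23 2012 08:11:{i:02d}: %ASA-4-106023: Deny tcp src inside:192.168.1.66/4{i:04d} "
    f"dst outside:10.0.0.5/{21 + i} by access-group \"inside_in\" [0x0, 0x0]" for i in range(12)
] + [
    "Aug 23 2012 08:11:05: %ASA-4-106023: Deny tcp src inside:192.168.1.20/51000 dst outside:10.0.0.5/445 by access-group \"inside_in\" [0x0, 0x0]",
    "Aug 23 2012 08:11:09: %ASA-4-106023: Deny udp src inside:192.168.1.20/51001 dst outside:10.0.0.9/161 by access-group \"inside_in\" [0x0, 0x0]",
]

if __name__ == "__main__":
    print(find_port_scans(SAMPLE_ASA_LOG))
```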