[PLUG] SSHing to a box behind a firewall... netcat maybe?

Mark Allyn allyn at well.com
Sun Dec 28 18:43:02 UTC 2003


> . . . . .
> network. This is the group that should know when a host is supposed to
> be active and when it's supposed to be idle so any traffic that occurs
> during the idle period is suspect and worthy of investigation. When
> suspect traffic is detected, regardless of the destination or source
> ports, then managers are contacted, additional monitors are put into
> place and the blade starts to fall.

This reminds me of something that I had heard one evening from
a colleague of mine recently.

They worked at a firm where you had to badge in and badge out.
Sure, you can get out without badging, but, unless it was a fire
or other emergency, a security camera would take a picture of you
as you open the door without badging. The system would record your
picture, the room you just left, and the date/time.

As you badge in (swipe badge in reader) and badge out, you are
recorded in a log. The log had date, time, room/building, and
employee id.

They fed this log into a simple dbms database.

All of the servers' names, IP addresses, and mac addresses
are in yet another dbms database that also included employee
name and id for the person(s) who was responsible for it.

The desktops were on a DHCP based system. The same dbms database that
had the name and addresses for the servers also has mac address, system
id, and employee name/id for all of the desktop systems. As each
desktop system is turned on in the morning and gets its assigned
IP address, that information is entered into the dbms database. When
they turn off their system to leave for the day, the IP address is
then removed from the database and the system is marked as offline.

There was a system that pinged each active DHCP assigned IP address
periodically (every half hour or whatever). If no response, the IP
is marked available and taken out of the database.

The database had a fairly accurate snapshot of whose systems are
on at any given time.

The firewalls, which were 'owned' by corporate security (and kept
in a separate double locked computer room in the data center) were
used to monitor network traffic.

The sniffers were said to be (they had no means of verifying)
modified so that if they notice traffic from one or more IPs
for over a certain time, as well as certain times during off hours
for a particular IP subnet, they would query the dbms database to
retrieve the mac address, and responsible employee contact information
for that system. Now, with the employee ID, the modified sniffer
scripts/software can access the facility entry/exit log dbms
database to determine if that employee is in fact in the facility
or had badged out.

If the person has badged out and their computer is still engaged
in traffic, and it's a desktop and not a server, then someone just
may ask a few questions to that employee the next morning.

If suspicious traffic is noted from a server, that server's system
admin contact is available. Security can easily go to management
and ask if Mark's sales prospect database server had any reason to
be maintaining an eight hour ssh session with phreak.hack.home.net
especially when there are no active trouble tickets on the system during
that time.

Mark Allyn
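The correlation the post describes, as an added example that is not part of the original message and not the firm's own scripts: it joins constructed badge-log, asset/DHCP and sniffer records, flags a desktop whose owner has badged out but which is still generating traffic, and points a long or off-hours server session at the responsible admin. All records, thresholds and the off-hours window are assumptions chosen for illustration.

```python
from datetime import datetime, time

# Constructed sample data; in the post these live in separate dbms databases.
# Badge log: (timestamp, employee id, event) where event is "in" or "out".
BADGE_LOG = [
    ("2003-12-19 08:02", "e1001", "in"),
    ("2003-12-19 17:31", "e1001", "out"),
    ("2003-12-19 08:15", "e1002", "in"),
]
# Asset database: ip -> (mac address, kind, responsible employee id).
ASSETS = {
    "10.1.4.21": ("00:0c:29:aa:bb:01", "desktop", "e1001"),
    "10.1.4.22": ("00:0c:29:aa:bb:02", "desktop", "e1002"),
    "10.1.9.5":  ("00:0c:29:aa:bb:09", "server",  "e1003"),
}
# Sniffer observations: (timestamp, source ip, session length in hours).
TRAFFIC = [
    ("2003-12-19 19:40", "10.1.4.21", 2.0),   # owner badged out at 17:31
    ("2003-12-19 19:45", "10.1.4.22", 0.5),   # owner still inside
    ("2003-12-19 23:10", "10.1.9.5",  8.0),   # server, long off-hours session
]
OFF_HOURS = (time(18, 0), time(7, 0))   # assumed window, wraps past midnight
LONG_SESSION_HOURS = 4.0                # assumed "certain time" threshold

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def in_facility(employee, at):
    """The last badge event before `at` decides presence; no event means absent."""
    events = sorted((parse(t), ev) for t, e, ev in BADGE_LOG
                    if e == employee and parse(t) <= at)
    return bool(events) and events[-1][1] == "in"

def is_off_hours(at):
    start, end = OFF_HOURS
    return at.time() >= start or at.time() < end

def review_traffic(traffic=TRAFFIC):
    """Return (ip, mac, employee, reason) for observations worth a question."""
    findings = []
    for ts, ip, hours in traffic:
        at = parse(ts)
        if ip not in ASSETS:                     # not in the DHCP/asset snapshot
            findings.append((ip, None, None, "unknown host"))
            continue
        mac, kind, owner = ASSETS[ip]
        if kind == "desktop" and not in_facility(owner, at):
            findings.append((ip, mac, owner, "desktop active after owner badged out"))
        elif kind == "server" and (hours >= LONG_SESSION_HOURS or is_off_hours(at)):
            findings.append((ip, mac, owner, "server long/off-hours session; check tickets"))
    return findings
```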
