Can our firewall detect traffic sniffing inside the network?

We use Cisco ASA's firewall and NAT functions in our network (200 computers).

Is there any possibility to configure Cisco ASA to detect traffic sniffing (for example wireshark) and network inspection (for example "nmap -sP 192.168.0.*") inside our network?

There is a tool called "antisniff" on Linux routers. Does ASA have any analog?


Solution 1:

Packet tracing (what wireshark does) is undetectable, period. It merely reads data already present on the network and hence is entirely passive.

nmap is nothing like a sniffer - it is an active network probe that sends and receives packets.

The latter could be detected with applications such as snort; the Cisco ASA does not have this capability.

Solution 2:

Packet sniffing is mainly a passive technology: in programs like wireshark an interface is set to promiscuous mode and all data is listened to, but not acted on. As such there's no way to detect anything like this listening inside your network. Also, any attempt to block such activity is limited by the fact that the packet sniffer will be on the local subnet; unless you firewall every computer individually, you wouldn't be able to block a sniffer from listening out on the network.

Bear in mind as well, though, that if you have switches approaching anywhere near decent, not all traffic will be hitting the sniffer unless you have configured a monitor port on the switches and then plugged the sniffer into this monitor port. This doesn't make sniffing entirely useless, some traffic will still hit the sniffer, but data sent from one host meant for another host entirely may not even hit the sniffer.

If you are really worried about packet sniffing inside your network your best bet is going to be to implement encryption on as many of the protocols you hold dear as possible, that way even if a packet sniffer was listening and found data, it would be unreadable.

Port scanning such as nmap accomplishes, however, is an active technology and, as such, could be detected inside the network, unless the person using it is wise enough to avoid scanning the gateway, at which point it may become undetectable again depending on your switches.

<-- edit -->

As @Mike Pennington has stated, there are a few methods of detection, though only one I can see would affect wireshark, being the promiscuous mode bug in the standard Windows driver; read his hyperlink for more detail.

I'd be interested to see if this bug is still apparent in modern NT systems, I might give it a go myself.

I still maintain that it's a passive technology, though, and is pretty hard to detect, if at all possible (pending investigation).
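Both answers agree that a passive sniffer leaves nothing to match on, while a ping sweep such as "nmap -sP" is active traffic that a sensor on a switch monitor port can see. As an added example (not from the original thread, and not an ASA feature), this Python script applies the kind of heuristic a NIDS such as snort uses to constructed flow records: flag any source that sends ICMP echo requests to at least 10 distinct addresses within 5 seconds. The record format, the addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

WINDOW = timedelta(seconds=5)  # sliding window kept per source host
THRESHOLD = 10                 # distinct echo-request targets inside WINDOW that count as a sweep

def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    """Parse one constructed flow record: '<ISO ts> <proto> <src> -> <dst> <detail>'."""
    ts, proto, src, _arrow, dst, detail = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, detail

def detect_sweeps(lines: List[str]) -> Dict[str, int]:
    """Return {src: peak distinct targets in one WINDOW} for sources over THRESHOLD; input must be time-ordered."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for line in lines:
        ts, proto, src, dst, detail = parse_line(line)
        if proto != "ICMP" or detail != "echo-request":
            continue  # a ping sweep is made of echo requests; ignore everything else
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > WINDOW:  # evict records that fell out of the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= THRESHOLD:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

def sample_log() -> List[str]:
    """Constructed traffic: one 24-host sweep plus two benign ICMP users that must not alert."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i in range(24):  # sweep: 24 targets in under 3 seconds from .50
        t = base + timedelta(milliseconds=125 * i)
        lines.append(f"{t.isoformat()} ICMP 192.168.0.50 -> 192.168.0.{i + 1} echo-request")
    for i in range(30):  # benign: .7 pings the gateway once a second (many packets, one target)
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} ICMP 192.168.0.7 -> 192.168.0.1 echo-request")
    for i, host in enumerate((10, 11, 12)):  # benign: .9 checks three servers a minute apart
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} ICMP 192.168.0.9 -> 192.168.0.{host} echo-request")
    return sorted(lines, key=lambda rec: parse_line(rec)[0])

if __name__ == "__main__":
    for src, peak in detect_sweeps(sample_log()).items():
        print(f"possible ping sweep from {src}: {peak} distinct targets within {WINDOW.seconds}s")
```

The heuristic only works where the sensor actually sees the probes, which is the point Solution 2 makes about switches: a sweep that never crosses the monitor port or the gateway is invisible to it.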