Date:      Mon, 8 Jan 2001 00:21:14 -0800 (PST)
From:      Matt Chew Spence <matt@nren.nasa.gov>
To:        Artem Koutchine <matrix@ipform.ru>
Cc:        <security@FreeBSD.ORG>, <questions@FreeBSD.ORG>
Subject:   Re: Antisniffer measures (digest of posts)
Message-ID:  <Pine.SUN.4.30.0101051540130.3174-100000@obivon.nren.nasa.gov>
In-Reply-To: <000701c07750$eb585e60$0c00a8c0@ipform.ru>


  You are never going to find a perfect security solution. There will
always be some obscure exploit that someone truly skilled could exploit to
get in your system were they highly motivated to do so.  That said, most
security incidents are crimes of opportunity, and 95% are from somebody
within the organization, not from over the internet.

The key steps are
1) determine what you are trying to protect and from whom
2) determine the worst case consequences were someone to
compromise that asset
3) determine how much time, effort, and $$ you can afford to protect it


> first:
>
> 50% of the people said "SWITCH TO SWITCHES", 50% of the
> people said: "EVEN SWITCHES CANNOT HELP"

Hubs send every incoming ethernet frame out every other interface;
switches maintain an internal lookup table of host MAC address/switch port
pairings and only forward frames onto the outbound interface appropriate to
the destination.

Sniffing consists of putting a computer's ethernet interface in promiscuous
mode and looking at the traffic addressed to other people passing by over
the wire.  Every unixish O/S comes with sniffing capability included, and
it is not that difficult to obtain sniffing SW for WinXX, Macintosh, etc.

Right now with hubs, you have a situation where pretty much anybody on
your network could start sniffing passwords for the entire network with a
small amount of knowledge and effort.  If you convert your network to
switches, most sniffers are rendered useless: only traffic appropriate to
your host is passed on your wire; there is no other traffic there to
sniff.

Now someone has figured out a way to confuse a switch and have it send
frames destined to other ports to your host.  Switches are shown not to be
immune to sniffers; however, it is still significantly more difficult to
compromise switches than to sniff a hub, the tools to do so are not
nearly as widespread, and it takes a decent amount of technical knowledge to
do so.  It isn't (yet) script-kiddie stuff.

> Well, let me remind the situation. I have a very heterogeneous network:
> FreeBSD, Linux, Win9x, WinME, WinNT, Win2000. Now they are all
> connected with hubs, which allows a sniffer to run and obtain all the mail
> and web passwords easily. I need to stop it.
>
> Buying a 500$ SNMP-controllable switch is CRAZY. I will not do it. It is
> way too expensive. It will cost us about 4000$.
>
> POSSIBLE N1:
> Switches (NON SNMP controllable, which do not turn into a hub when flooded
> with MAC addresses), hardcoded ARP entries on hosts
> for router, DNS, MAIL, POP, corporate web (thank God it is the same host).
>
> QUESTIONS:
>     Is it possible to hard code ARP entries in WINxxxxx?
>     Is there such a switch which does not fall back into hub mode when flooded
> with MACs?

Some of the user-controllable switches allow you to set static addresses
on a per-port basis and other types of security measures.  Don't think you
can find these with the price-point you are looking for, but security
costs.  But the main reason to upgrade to switches would be network
performance.


-Matt



_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Matt Chew Spence                Network Engineer/Systems Engineer
matt@nren.nasa.gov              NASA Research & Education Network
(650) 604-4550  (voice)         Ames Research Center Mail Stop 233-21
(650) 604-3080  (fax)           Moffett Field, CA 94035-1000
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
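As an added example (not part of this thread or either author's code), a small Python check of the approach Artem proposes: pin the MACs of the router and the DNS/mail host and audit a host's ARP cache against them. It parses FreeBSD `arp -an` style output; the sample table, addresses and interface name below are constructed assumptions, not values from the thread. Entries that are missing, still dynamic, or carry a MAC other than the pinned one are reported.

```python
import re

# One line of FreeBSD `arp -an` output looks like (constructed examples):
#   ? (192.168.0.1) at 00:11:22:33:44:55 on fxp0 permanent [ethernet]
#   ? (192.168.0.2) at 00:aa:bb:cc:dd:ee on fxp0 expires in 1180 seconds [ethernet]
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)

# Assumed pinned addresses: router, and the single DNS/MAIL/POP/web host.
PINNED = {
    "192.168.0.1": "00:11:22:33:44:55",  # router
    "192.168.0.2": "00:11:22:33:44:66",  # DNS / mail / POP / corporate web
    "192.168.0.3": "00:11:22:33:44:77",  # another server worth pinning
}

# Constructed sample cache: .2 shows a foreign MAC, .3 was never made static,
# and the incomplete entry for .50 must simply be ignored.
SAMPLE_ARP = """\
? (192.168.0.1) at 00:11:22:33:44:55 on fxp0 permanent [ethernet]
? (192.168.0.2) at 00:aa:bb:cc:dd:ee on fxp0 expires in 1180 seconds [ethernet]
? (192.168.0.3) at 00:11:22:33:44:77 on fxp0 expires in 900 seconds [ethernet]
? (192.168.0.50) at (incomplete) on fxp0 expired [ethernet]
"""

def parse_arp_table(text):
    """Return {ip: (mac, is_static)} from `arp -an` style output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # incomplete entries and anything else we cannot parse
        is_static = "permanent" in m.group("rest")
        table[m.group("ip")] = (m.group("mac").lower(), is_static)
    return table

def audit_pinned_hosts(pinned, arp_text):
    """Compare pinned IP->MAC pairs with the live cache; return (ip, problem) list."""
    live = parse_arp_table(arp_text)
    problems = []
    for ip, expected in pinned.items():
        if ip not in live:
            problems.append((ip, "missing: no ARP entry present"))
            continue
        mac, is_static = live[ip]
        if mac != expected.lower():
            problems.append((ip, f"mac mismatch: expected {expected}, cache has {mac}"))
        elif not is_static:
            problems.append((ip, "not static: a later ARP reply can still overwrite it"))
    return problems

if __name__ == "__main__":
    for ip, problem in audit_pinned_hosts(PINNED, SAMPLE_ARP):
        print(f"{ip}: {problem}")
```

On a real host, feed the output of `arp -an` into `audit_pinned_hosts` instead of the constructed sample; a mismatch against a pinned router or mail host is exactly the symptom to investigate on a shared segment.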






