Date:      Fri, 5 Jan 2001 13:02:19 -0700 (MST)
From:      "David G. Andersen" <dga@pobox.com>
To:        matrix@ipform.ru (Artem Koutchine)
Cc:        security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject:   Re: Antisniffer measures (digest of posts)
Message-ID:  <200101052002.NAA29203@faith.cs.utah.edu>
In-Reply-To: <000701c07750$eb585e60$0c00a8c0@ipform.ru> from "Artem Koutchine" at Jan 05, 2001 10:51:36 PM

Lo and behold, Artem Koutchine once said:
> 
> Buying a $500 SNMP-controllable switch is CRAZY. I will not do it. It is
> way too expensive. It will cost us about $4000.
 
  Even a normal switch will help you out a fair bit against a lazy
attacker.  It's not perfect, but the steps they'll need to take to defeat
the switch will make them more noticeable.  Don't let the fact that it's
not a 100% solution prevent you from taking some simple steps to _improve_
security.  Just don't rely on it alone.

  You can get decent switches quite cheaply these days.

> POSSIBLE N1:
> Switches (NON SNMP-controllable, which do not turn into a hub when flooded
> with MAC addresses), hardcoded ARP entries on hosts
> for router, DNS, MAIL, POP, corporate web (thanks hot it is the same host).

  Good luck.  Most switches are defeatable, especially without hardcoded
MACs.  It's NOT enough security if hosts on your network are compromised.

> POSSIBLE N2:
> Install a little FBSD/LINUX based router instead of each hub. Put a bunch
> of NICs in each. Put each host on a separate NIC. Price: $100 for the
> Pentium166 based host + 8 NICs x $20 = 100+160 = $260 (twice as cheap as an
> SNMP switch and twice as expensive as a simple switch)

  Fails poorly.  Switches are more reliable, run cooler, run more quietly,
and are easier to manage than a PC.  Cheaper and faster, too.  I wouldn't
do this in a million years.  Adds more hosts that can be compromised, too.
You want a nice end-to-end solution.

> QUESTIONS:
>     I wonder where do I get 8 IRQs for the NICs in the routing box.
>     Will the box with 4 PCI and 4 ISA NICs be able to hold up electrically?

  You'd need to use multiport ethernet cards, which are ~$400 for 4 ports.
It's a bad idea.

> PROBABLE:
> Some kind of transparent IP encryption.
> 
> QUESTIONS:
>     What kind of IP encryption?
>     Is it available for FBSD, Linux, WINxxxxx?

  IPsec.  IPsec.  IPsec.  FreeBSD, Linux, Win2k support it.  Don't know
about MacOS.  Doubt it until OSX, but I could be wrong.  This is the
better solution.

  A final solution is simply to encrypt all sensitive traffic at the
application layer.  Use SSL for http/pop3/etc.  Use SSH for remote
access.  Etc.  Not perfect, but works.

  -Dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
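An added example, not code from this thread or from either poster, of the "hardcoded ARP entries" idea in POSSIBLE N1 and of the kind of check that makes an attacker who defeats the switch noticeable, as Dave says above. It pins the critical hosts (router, DNS, mail) to their MACs, scans ARP replies for a reply that contradicts the pinned table or for one MAC answering for several IPs, and prints the FreeBSD `arp -s` lines that would make the pinned entries permanent on a host. All addresses, MACs and the tcpdump-shaped sample lines are constructed for illustration.

```python
"""Detect ARP replies that contradict a pinned (hardcoded) IP -> MAC table.

Added example for the antisniffer thread; not code from the original post.
Addresses, MACs and the sample capture below are constructed.
"""
import re
from collections import defaultdict

# Constructed pinned table: the hardcoded ARP entries for the critical
# hosts the thread mentions (router, DNS, mail/pop/web on one host).
PINNED = {
    "192.168.0.1": "00:11:22:33:44:01",   # router
    "192.168.0.2": "00:11:22:33:44:02",   # DNS
    "192.168.0.3": "00:11:22:33:44:03",   # mail / pop / corporate web
}

# Constructed sample shaped like `tcpdump -n arp` output.  Lines 3 and 4
# are a single attacker MAC claiming both the router's and the mail host's
# addresses; line 5 is an ordinary request and is ignored.
SAMPLE = """\
13:02:19.000001 ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:01, length 28
13:02:19.000002 ARP, Reply 192.168.0.2 is-at 00:11:22:33:44:02, length 28
13:02:19.000003 ARP, Reply 192.168.0.1 is-at 00:de:ad:be:ef:99, length 28
13:02:19.000004 ARP, Reply 192.168.0.3 is-at 00:de:ad:be:ef:99, length 28
13:02:19.000005 ARP, Request who-has 192.168.0.50 tell 192.168.0.7, length 28
"""

REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)


def parse_replies(text):
    """Return (ip, mac) pairs for every ARP reply line; requests are skipped."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2).lower()))
    return out


def find_poisoning(replies, pinned):
    """Return alerts for replies that do not fit the pinned table.

    Two checks: a reply for a pinned IP that carries the wrong MAC, and a
    single MAC answering for more than one IP, which is what a host
    poisoning several victims at once looks like on the wire.
    """
    alerts = []
    ips_per_mac = defaultdict(set)
    for ip, mac in replies:
        ips_per_mac[mac].add(ip)
        expected = pinned.get(ip)
        if expected is not None and mac != expected.lower():
            alerts.append(("pinned-mismatch", ip, mac))
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(("multi-ip-mac", mac, tuple(sorted(ips))))
    return alerts


def static_arp_commands(pinned):
    """Emit the FreeBSD `arp -s <host> <ether_addr>` lines that pin these
    entries permanently on a host, so a spoofed reply cannot overwrite them."""
    return ["arp -s %s %s" % (ip, mac) for ip, mac in sorted(pinned.items())]


if __name__ == "__main__":
    for alert in find_poisoning(parse_replies(SAMPLE), PINNED):
        print(alert)
    print("\n".join(static_arp_commands(PINNED)))
```

The pinned entries only protect the host they are set on; they do nothing for the hosts you do not administer on the same segment, which is why Dave's point that host-level ARP pinning is not enough once a host is compromised still stands. Running the check against a live `tcpdump -n arp` feed instead of the constructed sample is a matter of replacing SAMPLE with the captured text.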


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200101052002.NAA29203>