Date: Fri, 05 Jan 2001 22:24:08 -0700
From: Wes Peters <wes@softweyr.com>
To: Artem Koutchine <matrix@ipform.ru>
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Message-ID: <3A56ABF8.90C9F0D8@softweyr.com>
References: <000701c07750$eb585e60$0c00a8c0@ipform.ru>
Artem Koutchine wrote:
>
> Hello!
>
> I have reread all the followups on the questions I posted in mid
> December.
>
> first:
>
> 50% of the people said "SWITCH TO SWITCHES", 50% of the
> people said: "EVEN SWITCHES CANNOT HELP"

Switches won't solve your problem 100%. They will keep MOST of your traffic off the other users' ethernet ports; only broadcast or multicast traffic will reach them.

> Then mostly everyone started talking about SNMP controllable
> switches with hardcoded MAC addresses for each port.

SNMP is not the important part here; what you're looking for is a smart switch that allows you to control the behavior of the network. Some smart switches will allow you to configure exactly what MAC addresses are allowed on a port; other MAC addresses will be ignored.

> Buying a 500$ SNMP controllable switch is CRAZY. I will not do it. It is
> way too expensive. It will cost us about 4000$.

You don't say how many users you need to support. The HP4000M switch sells for $1800 and has 40 10/100 ports; it can be expanded to support another 40 10/100 ports in 5-port increments.

On the other hand, the rest of us really don't give a damn what you will or won't do, or consider crazy. If you ask for help, then reject the answers, please do so politely. If it doesn't fit your budget, just say so and keep your psychological opinions to yourself.

> So, as I see we have two possible solutions and one probable solution:
>
> POSSIBLE N1:
> Switches (NON SNMP controllable, which do not turn into a hub when flooded
> with MAC addresses), hardcoded ARP entries on hosts
> for router, DNS, MAIL, POP, corporate web (thanks hot it is the same host).
>
> QUESTIONS:
> Is it possible to hard code ARP entries in WINxxxxx?

I don't know, nor do I care.

> Is there such a switch which does not fall back into hub mode when flooded
> with
> MACs?

A non-manageable switch that does this? No. What you're asking for is just not how Ethernet works.

If you want users to not sniff your network, have it written into your acceptable use policy that they get fired, thrown out of school, or beaten to a bloody pulp (as appropriate) if they use a sniffer on your network.

> POSSIBLE N2:
> Install a little FBSD/LINUX based router instead of each hub. Put a bunch
> of
> NICs in each. Put each host on a separate NIC. Price: 100$ for the Pentium166
> based host + 8 nics x 20$ = 100+160 = 260$ (twice as cheap as an SNMP switch and
> twice as expensive as a simple switch)

This is a really bad idea. Search the mailing list archives for "receive livelock" to learn why a generic PCI machine with lots of 100BaseTX interfaces is a lockup waiting to happen.

> PROBABLE:
> Some kind of transparent IP encryption.
>
> QUESTIONS:
> What kind of IP encryption?
> Is it available for FBSD, Linux, WINxxxxx?

For some definition of xxxxx, yes. For Win95, no. You could probably buy an add-on product for several different varieties of Wankers that are supposed to support IPsec. If you think that'll cost less than buying a switch, you're CRAZY.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/
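The "hardcoded ARP entries" countermeasure discussed in the thread only helps if the pinned hosts (router, DNS, mail) really are present as permanent entries with the right MAC on every host. The following check script is an added example, not code from the thread or from any FreeBSD tool: it parses a constructed `arp -an` dump (the FreeBSD output layout is assumed) and reports pinned hosts that are missing, dynamic, or carry an unexpected MAC.

```python
import re

# Constructed sample of `arp -an` output in the FreeBSD layout (assumed format;
# not from the original thread). Addresses and MACs are made up.
SAMPLE_ARP_AN = """\
? (192.168.0.1) at 0:a0:c9:12:34:56 on xl0 permanent [ethernet]
? (192.168.0.2) at 0:a0:c9:ab:cd:ef on xl0 permanent [ethernet]
? (192.168.0.3) at 0:50:da:11:22:33 on xl0 expires in 1150 seconds [ethernet]
? (192.168.0.4) at 0:e0:29:99:99:99 on xl0 permanent [ethernet]
? (192.168.0.77) at 0:10:4b:77:77:77 on xl0 expires in 800 seconds [ethernet]
"""

# Hypothetical list of hosts that should be pinned: router, DNS, mail/POP/web.
PINNED = {
    "192.168.0.1": "00:a0:c9:12:34:56",  # router
    "192.168.0.2": "00:a0:c9:ab:cd:ef",  # DNS
    "192.168.0.3": "00:50:da:11:22:33",  # mail/POP/corporate web (same host)
    "192.168.0.4": "00:e0:29:44:44:44",  # expected MAC differs from the dump
}

# host (ip) at mac on iface <state...> [ethernet]
ARP_LINE = re.compile(r"^\S+ \(([\d.]+)\) at ([0-9a-fA-F:]+) on (\S+) (.*?) \[")

def normalize_mac(mac):
    """FreeBSD prints octets without zero padding ("0:a0:..."); pad them."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

def parse_arp_an(text):
    """Map ip -> (mac, iface, is_permanent) from `arp -an` output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac, iface, state = m.groups()
        entries[ip] = (normalize_mac(mac), iface, state.startswith("permanent"))
    return entries

def check_pinned(arp_text, pinned):
    """Return (ip, problem) findings for hosts that should be pinned."""
    seen = parse_arp_an(arp_text)
    findings = []
    for ip, want_mac in pinned.items():
        if ip not in seen:
            findings.append((ip, "missing"))
            continue
        mac, _iface, permanent = seen[ip]
        if mac != normalize_mac(want_mac):
            findings.append((ip, f"mac mismatch: {mac}"))
        if not permanent:
            findings.append((ip, "not permanent"))
    return findings

if __name__ == "__main__":
    for ip, problem in check_pinned(SAMPLE_ARP_AN, PINNED):
        print(f"{ip}: {problem}")
```

On a real host you would feed it the output of `arp -an` and run it from cron; an entry that flips from "permanent" to dynamic, or whose MAC changes, is the condition the pinning was meant to prevent.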