From owner-freebsd-questions Fri Jan 5 15:46:38 2001
From owner-freebsd-questions@FreeBSD.ORG Fri Jan 5 15:46:31 2001
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from smtppop2pub.verizon.net (smtppop2pub.gte.net [206.46.170.21]) by hub.freebsd.org (Postfix) with ESMTP id 0ABBC37B400; Fri, 5 Jan 2001 15:46:31 -0800 (PST)
Received: from gte.net (evrtwa1-ar4-145-186.dsl.gtei.net [4.34.145.186]) by smtppop2pub.verizon.net with ESMTP ; id RAA80615783 Fri, 5 Jan 2001 17:45:48 -0600 (CST)
Received: (from res03db2@localhost) by gte.net (8.9.3/8.9.3) id PAA17567; Fri, 5 Jan 2001 15:46:01 -0800 (PST) (envelope-from res03db2@gte.net)
Date: Fri, 5 Jan 2001 15:46:01 -0800
From: Robert Clark
To: Artem Koutchine
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Message-ID: <20010105154601.A17529@darkstar.gte.net>
References: <000701c07750$eb585e60$0c00a8c0@ipform.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <000701c07750$eb585e60$0c00a8c0@ipform.ru>; from matrix@ipform.ru on Fri, Jan 05, 2001 at 10:51:36PM +0300
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I would look into the Intel Pro/100 S. (hardware assist 3DES 10/100 ethernet cards.)
The Intel site has info, but here is a site with a price listed:

http://www.gotocol.com/inpro1brpcis.html

This isn't necessarily a better solution than ipsec via software, but it
would not cause as much of a performance hit.

I wonder if token ring suffers from this problem? 100VG?

[RC]

On Fri, Jan 05, 2001 at 10:51:36PM +0300, Artem Koutchine wrote:
> Hello!
>
> I have reread all the followups on the questions I posted in mid
> December.
>
> first:
>
> 50% of the people said "SWITCH TO SWITCHES", 50% of the
> people said: "EVEN SWITCHES CANNOT HELP"
>
> Then mostly everyone started talking about SNMP-controllable
> switches with hardcoded MAC addresses for each port.
>
> Then people started to talk about static ARP entries on the host.
>
> ONE (ONLY ONE) person mentioned encryption, but did not elaborate
> on that.
>
> Well, let me remind you of the situation. I have a very heterogeneous network:
> FreeBSD, Linux, Win9x, WinME, WinNT, Win2000. Now they are all
> connected with hubs, which allows a sniffer to run and obtain all the mail
> and web passwords easily. I need to stop it.
>
> Buying a 500$ SNMP-controllable switch is CRAZY. I will not do it. It is
> way too expensive. It will cost us about 4000$.
>
> So, as I see it, we have two possible solutions and one probable solution:
>
> POSSIBLE N1:
> Switches (NOT SNMP-controllable, which do not turn into a hub when flooded
> with MAC addresses), hard-coded ARP entries on hosts
> for router, DNS, MAIL, POP, corporate web (thank God it is the same host).
>
> QUESTIONS:
> Is it possible to hard-code ARP entries in WINxxxxx?
> Is there such a switch which does not fall back into hub mode when flooded
> with MACs?
>
> POSSIBLE N2:
> Install a little FBSD/LINUX-based router instead of each hub. Put a bunch of
> NICs in each. Put each host on a separate NIC. Price: 100$ for the Pentium 166
> based host + 8 NICs x 20$ = 100 + 160 = 260$ (twice as cheap as an SNMP switch and
> twice as expensive as a simple switch)
>
> QUESTIONS:
> I wonder where I get 8 IRQs for the NICs in the routing box.
> Will the box with 4 PCI and 4 ISA NICs be able to hold on, electricity-wise?
>
> PROBABLE:
> Some kind of transparent IP encryption.
>
> QUESTIONS:
> What kind of IP encryption?
> Is it available for FBSD, Linux, WINxxxxx?
>
>
> I hope someone would help.
>
> Best regards,
> Artem Koutchine
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
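An added example, not code from either message in this thread, for the "static ARP entries on the host" part of POSSIBLE N1 above: a POSIX sh script that emits the `arp -s` commands pinning the few hosts every machine on the segment talks to (the router and the combined DNS/mail/POP/web box) and then audits an `arp -an` table for pins that are missing, carry a different MAC, or have silently reverted to dynamic. The IP addresses, MAC addresses, interface name and the sample `arp -an` table are constructed for the example; the real values must be recorded while the network is known to be clean, otherwise you pin the attacker's MAC.

```shell
#!/bin/sh
# Added example (not from either poster). Pin the ARP entries of the hosts
# everyone on the segment talks to and verify the kernel still has them
# flagged permanent. All addresses below are constructed for the example.

PINNED_HOSTS='
192.168.0.1   00:50:04:aa:bb:01   router
192.168.0.2   00:50:04:aa:bb:02   dns-mail-pop-web
'

# Print one "arp -s <ip> <mac>" per pinned host. The same verb pins an
# entry on FreeBSD, Linux and Windows NT/2000; Windows writes the MAC with
# dashes, and on Windows the commands belong in a batch file run at logon
# because the entries do not survive a reboot.
arp_pin_cmds() {
    os=${1:-freebsd}    # "freebsd" (also fine for Linux) or "windows"
    printf '%s\n' "$PINNED_HOSTS" | awk -v os="$os" 'NF >= 2 {
        mac = $2
        if (os == "windows") gsub(":", "-", mac)
        print "arp -s " $1 " " mac
    }'
}

# Read "arp -an" output on stdin and report, one line each, every pinned
# host that is MISSING, carries a WRONG-MAC, or is NOT-PERMANENT (the pin
# was lost, so a forged ARP reply can overwrite the entry again).
# Understands the FreeBSD line format
#   ? (192.168.0.1) at 00:50:04:aa:bb:01 on fxp0 permanent [ethernet]
# and the Linux net-tools one, which prints PERM instead of permanent.
# Hosts that are not in PINNED_HOSTS are ignored.
arp_check_pinned() {
    awk -v pinned="$PINNED_HOSTS" '
        BEGIN {
            n = split(pinned, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], f, " ") >= 2) want[f[1]] = tolower(f[2])
        }
        /^[?] [(]/ {
            ip = $2; gsub(/[()]/, "", ip)
            if (!(ip in want)) next
            seen[ip] = 1
            if (tolower($4) != want[ip])            print ip " WRONG-MAC " $4
            else if ($0 !~ / permanent | PERM /)   print ip " NOT-PERMANENT"
        }
        END { for (ip in want) if (!(ip in seen)) print ip " MISSING" }
    '
}

# Constructed sample of "arp -an" output: the router entry is still
# dynamic (the pin did not take), the server entry is pinned, and an
# unrelated workstation is present.
SAMPLE_ARP_TABLE='? (192.168.0.1) at 00:50:04:aa:bb:01 on fxp0 expires in 1175 seconds [ethernet]
? (192.168.0.2) at 00:50:04:aa:bb:02 on fxp0 permanent [ethernet]
? (192.168.0.77) at 00:a0:c9:12:34:56 on fxp0 expires in 600 seconds [ethernet]'

# Run the audit over the sample table. On a live host the equivalent is:
#   arp -an | arp_check_pinned
demo() {
    printf '%s\n' "$SAMPLE_ARP_TABLE" | arp_check_pinned
}

demo
```

Running the script prints `192.168.0.1 NOT-PERMANENT` for the sample, which is the case worth catching: the entry looks right but can still be replaced by a forged reply. Two caveats a practitioner would want stated: pinning only defends against ARP spoofing, which matters on a switched segment; on a hub every frame already reaches every port, so static ARP on its own does nothing against a passive sniffer and has to be combined with the switches from POSSIBLE N1 or with the IP-level encryption from the PROBABLE option. And `arp_check_pinned` only parses FreeBSD and Linux tables; Windows `arp -a` prints a different layout (entries marked `static`), so the Windows boxes need a separate check.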