Date: Mon, 8 Jan 2001 00:21:14 -0800 (PST)
From: Matt Chew Spence <matt@nren.nasa.gov>
To: Artem Koutchine <matrix@ipform.ru>
Cc: <security@FreeBSD.ORG>, <questions@FreeBSD.ORG>
Subject: Re: Antisniffer measures (digest of posts)
Message-ID: <Pine.SUN.4.30.0101051540130.3174-100000@obivon.nren.nasa.gov>
In-Reply-To: <000701c07750$eb585e60$0c00a8c0@ipform.ru>
You are never going to find a perfect security solution. There will always be some obscure exploit that someone truly skilled could exploit to get into your system were they highly motivated to do so. That said, most security incidents are crimes of opportunity, and 95% are from somebody within the organization, not from over the internet. The key steps are:

1) determine what you are trying to protect and from whom
2) determine the worst case consequences were someone to compromise that asset
3) determine how much time, effort, and $$ you can afford to protect it

> first:
>
> 50% of the people said "SWITCH TO SWITCHES", 50% of the
> people said: "EVEN SWITCHES CANNOT HELP"

Hubs send every incoming ethernet frame out every other interface; switches maintain an internal lookup table of host MAC address/switch port pairings and only forward frames onto the outbound interface appropriate to the destination.

Sniffing consists of putting a computer's ethernet interface in promiscuous mode and looking at the traffic addressed to other people passing by over the wire. Every unixish O/S comes with sniffing capability included, and it is not that difficult to obtain sniffing SW for winXX, macintosh, etc. Right now with hubs, you have a situation where pretty much anybody on your network could start sniffing passwords for the entire network with a small amount of knowledge and effort.

If you convert your network to switches, most sniffers are rendered useless: only traffic appropriate to your host is passed on your wire; there is no other traffic there to sniff. Now someone has figured out a way to confuse a switch and have it send frames destined to other ports to your host. Switches are shown not to be immune to sniffers; however, it is still significantly more difficult to compromise switches than to sniff a hub, the tools to do so are not nearly as widespread, and it takes a decent amount of technical knowledge to do so. It isn't (yet) script-kiddie stuff.

> Well, let me remind the situation. I have a very heterogenic network:
> FreeBSD, Linux, Win9x, WinME, WinNT, Win2000. Now they are all
> connected with hubs, which allows a sniffer to run and obtain all the mail
> and web passwords easily. I need to stop it.
>
> Buying a 500$ SNMP controllable switch is CRAZY. I will not do it. It is
> way too expensive. It will cost us about 4000$.
>
> POSSIBLE N1:
> Switches (NON SNMP controllable, which do not turn into a hub when flooded
> with MAC addresses), hardcoded ARP entries on hosts
> for router, DNS, MAIL, POP, corporate web (thanks hot it is the same host).
>
> QUESTIONS:
> Is it possible to hard code ARP entries in WINxxxxx?
> Is there such a switch which does not fall back into hub mode when flooded
> with MACs?

Some of the user-controllable switches allow you to set static addresses on a per port basis and other types of security measures. Don't think you can find these with the price-point you are looking for, but security costs. But the main reason to upgrade to switches would be network performance....

-Matt

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Matt Chew Spence          Network Engineer/Systems Engineer
matt@nren.nasa.gov        NASA Research & Education Network
(650) 604-4550 (voice)    Ames Research Center Mail Stop 233-21
(650) 604-3080 (fax)      Moffett Field, CA 94035-1000
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
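The thread's "hardcoded ARP entries on hosts" idea and the question of whether a switch can be confused into forwarding someone else's frames both come down to the same defender-side check: does each host's ARP cache still map the router, DNS and mail/web hosts to the MAC addresses you pinned, and does any single MAC now claim more than one IP? The script below is an added example for that check; it is not from this message, from the thread, or from FreeBSD. It parses the `arp -a` output formats of FreeBSD and Windows, compares the cache against a pinned table, flags MACs claimed by several IPs, and emits the `arp -S ip mac` (FreeBSD) / `arp -s ip mac` (Windows, dashed MAC) commands that would pin the entries. Every IP, MAC, hostname and `arp -a` line here is constructed for the example; nothing is taken from the poster's network.

```python
import re
from typing import Dict, List, Tuple

# Pinned IP -> MAC pairs for the hosts the thread singles out (router, DNS,
# and the combined mail/POP/web host). Every address is constructed for
# this example, not taken from the thread.
PINNED: Dict[str, str] = {
    "192.168.0.1": "00:a0:c9:11:22:33",   # router (constructed)
    "192.168.0.10": "00:50:04:aa:bb:cc",  # DNS (constructed)
    "192.168.0.20": "00:e0:18:de:ad:01",  # mail / POP / corporate web (constructed)
}

# Constructed `arp -a` output from a FreeBSD host. The mail host's MAC has
# been replaced by the MAC of pc37, the pattern a poisoned cache would show.
SAMPLE_FREEBSD = """\
gw (192.168.0.1) at 00:a0:c9:11:22:33 on fxp0 [ethernet]
ns (192.168.0.10) at 00:50:04:aa:bb:cc on fxp0 [ethernet]
mail (192.168.0.20) at 00:10:4b:99:88:77 on fxp0 [ethernet]
pc37 (192.168.0.37) at 00:10:4b:99:88:77 on fxp0 [ethernet]
? (192.168.0.99) at (incomplete) on fxp0 [ethernet]
"""

# Constructed `arp -a` output from a Windows host (dashes in the MAC).
SAMPLE_WINDOWS = """\
Interface: 192.168.0.37 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.0.1           00-a0-c9-11-22-33     dynamic
  192.168.0.20          00-10-4b-99-88-77     dynamic
"""

# FreeBSD form:  host (ip) at mac on ifname ...
FREEBSD_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]{17}|\(incomplete\))")
# Windows form:  ip  mac  type
WINDOWS_LINE = re.compile(
    r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-fA-F-]{17})\s+\w+")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so FreeBSD and Windows output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> Dict[str, str]:
    """Parse FreeBSD or Windows `arp -a` output into {ip: mac}; incomplete entries are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = FREEBSD_LINE.search(line) or WINDOWS_LINE.match(line)
        if m is None or m.group("mac") == "(incomplete)":
            continue
        table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def check_pinned(table: Dict[str, str], pinned: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(ip, expected_mac, observed_mac) for every pinned host whose cached MAC differs from the pin."""
    mismatches = []
    for ip, expected in pinned.items():
        observed = table.get(ip)
        if observed is not None and observed != normalize_mac(expected):
            mismatches.append((ip, normalize_mac(expected), observed))
    return mismatches


def duplicate_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs the cache maps to more than one IP: one station answering ARP on behalf of others."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def static_entry_commands(pinned: Dict[str, str], platform: str = "freebsd") -> List[str]:
    """Commands that pin the entries: `arp -S ip mac` on FreeBSD, `arp -s ip mac` on Windows."""
    cmds = []
    for ip, mac in pinned.items():
        mac = normalize_mac(mac)
        if platform == "freebsd":
            cmds.append(f"arp -S {ip} {mac}")
        elif platform == "windows":
            cmds.append(f"arp -s {ip} {mac.replace(':', '-')}")  # Windows arp.exe wants dashes
        else:
            raise ValueError(f"unsupported platform: {platform}")
    return cmds


if __name__ == "__main__":
    cache = parse_arp_table(SAMPLE_FREEBSD)
    for ip, want, got in check_pinned(cache, PINNED):
        print(f"ALERT {ip}: pinned {want}, cache has {got}")
    for mac, ips in duplicate_macs(cache).items():
        print(f"ALERT {mac} claimed by {', '.join(ips)}")
    print("\n".join(static_entry_commands(PINNED, "freebsd")))
```

On the constructed FreeBSD sample the check reports the mail host's cached MAC differing from its pin and the same MAC claimed by both 192.168.0.20 and 192.168.0.37, which is exactly the pair of signals a cache watcher should alarm on. Static entries created with `arp -S`/`arp -s` do not survive a reboot on either platform, so in practice the generated commands belong in a startup script, and the poster's concern about a switch that degrades to hub behaviour under a flood of MACs is best confirmed by watching the same cache on a few hosts over time rather than trusting the vendor's datasheet.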