From owner-freebsd-security Sun Oct 28 11:50:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27]) by hub.freebsd.org (Postfix) with ESMTP id CC20F37B407 for ; Sun, 28 Oct 2001 11:50:40 -0800 (PST)
Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1]) by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id GAA24527; Mon, 29 Oct 2001 06:50:01 +1100 (EDT)
Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au (PMDF V5.2-32 #37640) with ESMTP id <01KA2BKR9FDSVLL94M@cim.alcatel.com.au>; Mon, 29 Oct 2001 06:50:00 +1000
Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au (8.11.1/8.11.1) id f9SJnxB90775; Mon, 29 Oct 2001 06:49:59 +1100 (EST envelope-from jeremyp)
Content-return: prohibited
Date: Mon, 29 Oct 2001 06:49:59 +1100
From: Peter Jeremy
Subject: Re: access from monitoring host
In-reply-to: ; from kzaraska@student.uci.agh.edu.pl on Tue, Oct 02, 2001 at 11:03:23PM +0200
To: Krzysztof Zaraska
Cc: Alexey Koptsevich , security@FreeBSD.ORG
Mail-Followup-To: Krzysztof Zaraska , Alexey Koptsevich , security@FreeBSD.ORG
Message-id: <20011029064959.E75481@gsmx07.alcatel.com.au>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Oct 02, 2001 at 11:03:23PM +0200, Krzysztof Zaraska wrote:
>On Tue, 2 Oct 2001, Alexey Koptsevich wrote:
>> I do not understand, why access method should be different in cases when
>> monitoring host is behind the switch or connected through the hub?
>If your network is connected with a switch then all traffic between hosts
>A and B is not visible by any other host;

Note that you should not rely on a switch for security - switch
behaviour is designed to reduce network traffic, not provide security.
Unless you hard-wire the MAC address(es) on each switch port, it's
fairly easy (though detectable) to fool a switch into sending you
traffic intended for another node (by claiming that your computer has
the MAC address belonging to the computer you want to see traffic for).

You can also flood the switch with different MAC addresses - once you
overload its MAC CAM, it will forward packets on all ports until it
re-learns the MAC addresses.

If you can break into the switch, most (all?) manageable switches have
the ability to mirror one port onto another (for network
trouble-shooting). You can simply mirror the port you want to snoop
onto your port.

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
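
The message above calls MAC spoofing against a switch "detectable" and describes MAC-table flooding. The following is an added example, not part of the original post, showing one way to detect both from a log of (time, port, source MAC) observations; the log format, the thresholds and the name `detect` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, switch_port, source_mac) tuples such as a
# switch's learning log or a monitoring tap might produce. Not real data.
SAMPLE = [
    (0, 1, "00:a0:c9:00:00:01"),
    (1, 2, "00:a0:c9:00:00:02"),
    (2, 3, "00:a0:c9:00:00:03"),
    (5, 3, "00:a0:c9:00:00:01"),  # port 1's MAC now claimed on port 3
    (6, 1, "00:a0:c9:00:00:01"),  # real owner talks again: the MAC flaps
] + [
    # one port sourcing hundreds of distinct MACs: table-flooding pattern
    (10 + i, 4, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
    for i in range(300)
]


def detect(observations, window=60, max_macs_per_port=8):
    """Return (moves, floods).

    moves:  list of (time, mac, old_port, new_port), one entry each time a
            source MAC appears on a different port than it was last seen on.
    floods: sorted list of ports that sourced more than max_macs_per_port
            distinct MACs within any `window` seconds.
    """
    last_port = {}                # mac -> port it was last learned on
    recent = defaultdict(dict)    # port -> {mac: time last seen}
    moves, floods = [], set()
    for t, port, mac in sorted(observations):
        mac = mac.lower()
        if mac in last_port and last_port[mac] != port:
            moves.append((t, mac, last_port[mac], port))
        last_port[mac] = port
        seen = recent[port]
        seen[mac] = t
        # Drop MACs not seen on this port within the window.
        for old in [m for m, ts in seen.items() if t - ts > window]:
            del seen[old]
        if len(seen) > max_macs_per_port:
            floods.add(port)
    return moves, sorted(floods)


if __name__ == "__main__":
    moves, floods = detect(SAMPLE)
    for t, mac, old, new in moves:
        print(f"t={t}s {mac} moved from port {old} to port {new}")
    print("ports exceeding the MAC limit:", floods)
```

A single move can be a host being re-cabled; repeated moves of the same MAC between two ports, or any port listed in `floods`, are the cases worth alerting on.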