From owner-freebsd-net Fri Jan 7 08:25:02 2000
Delivered-To: freebsd-net@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id CAB6B1575C for ; Fri, 7 Jan 2000 08:24:59 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id LAA39042; Fri, 7 Jan 2000 11:24:27 -0500 (EST) (envelope-from robert@cyrus.watson.org)
Date: Fri, 7 Jan 2000 11:24:27 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Mitch Collinsworth
Cc: Wes Peters, DRHAGER@de.ibm.com, Olaf Hoyer, freebsd-net@FreeBSD.ORG
Subject: Re: sniffing networks
In-Reply-To: <200001041729.MAA16004@benge.graphics.cornell.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 4 Jan 2000, Mitch Collinsworth wrote:

> >Stick the users on switched ports so they can't sniff other users' packets
> >and be done with it.
>
> According to a friend who has done some network monitoring tests this
> is not as perfect a solution as it sounds. He has observed packets
> coming out ports other than the one where the destination system is
> connected. Still, everyone agrees it's far better than the old
> dozens-of-machines-in-a-single-collision-domain method.

You should not rely on switches for security unless your switch allows you
to hard-assign MAC addresses to ports on the switch, and you hard-assign IP
addresses to these MAC addresses on the end hosts. MAC addresses can be
spoofed, so race conditions can exist where you receive data for others, as
well as other issues; similarly, ARP and ICMP redirect both occur above the
switch level--switching protects messages based on destination MAC address,
not destination IP address.

The best thing to do is use real crypto, which means you no longer care
about who sees the packets. There are still issues with leaked
electromagnetic spectrum, but the chances are you aren't interested in
those attacks :-).

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
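The message above makes two points a practitioner can turn into a concrete check: a switch forwards on destination MAC, so an ARP reply that binds someone else's IP to your MAC is enough to pull their traffic to your port, and the defence it names is hard-assigning IP-to-MAC bindings on the end hosts. The following is an added example, not code from the original post or from Robert Watson: it parses raw Ethernet/ARP frames and flags any ARP reply that contradicts a static binding table, or whose ARP sender MAC disagrees with the Ethernet source MAC. The binding table, the 192.0.2.0/24 addresses, the 00:00:5e:00:53:xx MACs and the sample frames are all constructed for the example (documentation ranges, not real hosts), and the frame layout assumes untagged Ethernet II carrying IPv4 ARP.

```python
"""Detect ARP replies that contradict a hard-assigned IP-to-MAC table.

Added example (not from the original mail). Parses raw Ethernet II / ARP
frames and flags replies that claim an IP with a MAC other than the one
statically assigned to it, as well as replies whose ARP sender MAC does
not match the Ethernet source address. Assumes untagged Ethernet II frames.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

# Hypothetical hard-assigned bindings, i.e. the "hard-assign IP addresses to
# these MAC addresses" step from the mail. Constructed for this example.
STATIC_BINDINGS = {
    "192.0.2.1": "00:00:5e:00:53:01",   # gateway
    "192.0.2.10": "00:00:5e:00:53:0a",  # workstation
}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet II frame carrying an ARP reply (sample input only)."""
    eth = mac_bytes(target_mac) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_frame(frame):
    """Return a dict of header fields for an Ethernet II / IPv4 ARP frame, else None."""
    if len(frame) < 14 + 28:
        return None
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "eth_src": mac_str(src),
        "eth_dst": mac_str(dst),
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def check_arp(frame, bindings=STATIC_BINDINGS):
    """Return a list of alert strings for one frame (empty if it is consistent)."""
    p = parse_frame(frame)
    if p is None or p["op"] != ARP_REPLY:
        return []
    alerts = []
    # A spoofer often forges only the ARP payload; the two MACs should agree.
    if p["eth_src"] != p["sender_mac"]:
        alerts.append(f"ethernet source {p['eth_src']} != ARP sender {p['sender_mac']}")
    expected = bindings.get(p["sender_ip"])
    if expected is None:
        alerts.append(f"reply for unassigned IP {p['sender_ip']} from {p['sender_mac']}")
    elif expected != p["sender_mac"]:
        alerts.append(f"{p['sender_ip']} claimed by {p['sender_mac']}, assigned to {expected}")
    return alerts


def scan(frames, bindings=STATIC_BINDINGS):
    """Run check_arp over a sequence of frames; return (frame index, alert) pairs."""
    out = []
    for i, f in enumerate(frames):
        for a in check_arp(f, bindings):
            out.append((i, a))
    return out


# Constructed sample traffic: a legitimate reply from the gateway, a second
# host claiming the gateway's IP with its own MAC (the race the mail
# describes), and a reply whose forged ARP sender MAC does not match the
# Ethernet header.
SAMPLE_FRAMES = [
    build_arp_reply("00:00:5e:00:53:01", "00:00:5e:00:53:01", "192.0.2.1",
                    "00:00:5e:00:53:0a", "192.0.2.10"),
    build_arp_reply("00:00:5e:00:53:ff", "00:00:5e:00:53:ff", "192.0.2.1",
                    "00:00:5e:00:53:0a", "192.0.2.10"),
    build_arp_reply("00:00:5e:00:53:ff", "00:00:5e:00:53:01", "192.0.2.1",
                    "00:00:5e:00:53:0a", "192.0.2.10"),
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_FRAMES):
        print(f"frame {idx}: {alert}")
```

Only the second and third frames produce alerts. Note what this does and does not buy you: it catches a host binding a protected IP to the wrong MAC, but a host that forges both its Ethernet source and ARP sender MAC to the assigned value is indistinguishable at this layer, which is why the mail pairs host-side bindings with port-level MAC assignment on the switch, and why the real answer is encryption.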