Date: Wed, 3 Feb 1999 09:57:55 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: James Wyatt <jwyatt@RWSystems.net>
Cc: Peter Jeremy <peter.jeremy@auss2.alcatel.com.au>, security@FreeBSD.ORG
Subject: Re: tcpdump
Message-ID: <Pine.BSF.3.96.990203095431.27795E-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.05.9902022312000.1812-100000@kasie.rwsystems.net>
On Tue, 2 Feb 1999, James Wyatt wrote:

> On Wed, 3 Feb 1999, Peter Jeremy wrote:
> > James Wyatt <jwyatt@RWSystems.net> wrote:
> > > 2) Anyone with physical access to your network can achieve the same
> > > thing with sniffer software on a laptop.
>
> Absolutely. I've had folks ask about locking MAC addresses on managed
> hubs for this reason. Doesn't help when you have desktop hubs, though. It
> is another reason to unpatch unused ENet outlets as well. They can also
> install a Win32 sniffer on office boxes with Back Orifice (a really cool
> tool at times). I do what I can on my hosts and firewall the rest, but I'm
> not deluded into thinking I'm solving the world's problems. btw: If *I*
> have it on *my* laptop that's a feature... 8{)

Keep in mind also that ethernet-layer switching doesn't protect against
IP-layer spoofing and sniffing. I.e., while the switch can indeed prevent
packets destined for another ethernet address from going down the wire,
unless it speaks IP, it can't prevent me from ARPing claiming to be another
host. Now while that is easy to detect (look for strange ARPs, hard code
MACs on each host instead of using ARP, and watch for nasty console
messages :), it still works just fine in most environments where people
feel they are secure because of switching. Similarly, ICMP redirects are
fun in those environments.

> > I've seen suggestions (I can't recall where) that you might as well
> > "chmod 666 /dev/bpf*" to more accurately reflect the difficulty of
> > network snooping (although I think this is going too far).
>
> As currently set, you still have to break root on a host that has the
> interfaces you want. In a switched environment, try for a boundary host.

Presumably at this point, it would be best if we relied on cryptography
instead of wire-security. However, I understand the limitations to that
(availability, CPU effects, etc).
With a bpf available to a normal user, then you do face problems with
sniffing of the localhost interface and otherwise hard-to-get-to
interfaces, and possibly better spoofing capability.

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
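The message above notes that ARP spoofing on a switched segment is "easy to detect (look for strange ARPs ...)". The following is an added example of what such a check looks like in practice; it is not code from the thread or from FreeBSD. It decodes raw Ethernet/ARP reply frames with the standard library, keeps the first IP-to-MAC binding it sees for each address, and reports two kinds of anomaly: a later reply that maps an already-known IP to a different MAC, and a reply whose Ethernet source address differs from the ARP sender hardware address. The sample frames, addresses (RFC 5737 192.0.2.0/24 and the RFC 7042 documentation MAC range 00:00:5e:00:53:xx) and the `ArpWatch` class name are all constructed for this example.

```python
"""Consistency check over ARP replies: flag IP->MAC binding changes and
Ethernet/ARP sender mismatches.  Added example; not part of the original thread."""
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype (14 bytes)
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a raw Ethernet+ARP reply frame.  Used here only to build
    sample input; eth_src is set separately so a forged frame can be simulated."""
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY,
                   mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return ETH.pack(mac_bytes(target_mac), mac_bytes(eth_src), ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Decode an Ethernet frame; return a dict of ARP fields, or None if it is
    not an Ethernet/IPv4 ARP packet of the expected shape."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Track the first IP->MAC binding seen in ARP replies and report conflicts.
    The first-seen binding is deliberately kept, so every later conflicting
    reply is reported rather than silently adopted."""

    def __init__(self):
        self.bindings = {}   # sender IP -> sender MAC

    def observe(self, frame):
        """Return a list of alert strings for this frame (empty when nothing is odd)."""
        a = parse_arp(frame)
        if a is None or a["op"] != ARP_REPLY:
            return []
        alerts = []
        # A reply whose link-layer source is not the ARP sender it claims to be.
        if a["eth_src"] != a["sha"]:
            alerts.append(f"frame src {a['eth_src']} != ARP sender {a['sha']} for {a['spa']}")
        known = self.bindings.get(a["spa"])
        if known is None:
            self.bindings[a["spa"]] = a["sha"]
        elif known != a["sha"]:
            alerts.append(f"{a['spa']} moved from {known} to {a['sha']}")
        return alerts


# Constructed sample traffic (documentation address ranges, not real hosts).
GATEWAY_IP = "192.0.2.1"
HOST_IP = "192.0.2.10"
GATEWAY_MAC = "00:00:5e:00:53:01"
HOST_MAC = "00:00:5e:00:53:10"
OTHER_MAC = "00:00:5e:00:53:ff"

SAMPLE_FRAMES = [
    # 1: legitimate gateway reply
    build_arp_reply(GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    # 2: another station answers for the gateway IP
    build_arp_reply(OTHER_MAC, OTHER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    # 3: ARP sender field copies the gateway MAC, but the frame came from elsewhere
    build_arp_reply(OTHER_MAC, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
]


def run(frames):
    """Feed frames through one ArpWatch and return the per-frame alert lists."""
    watch = ArpWatch()
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run(SAMPLE_FRAMES), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

On a real host the frames would come from a bpf(4) or libpcap capture filtered on `arp`; the decoding and binding logic above is independent of the capture source. Hard-coding a static ARP entry for the gateway on each host, as the message suggests, removes the binding-change case entirely, and the Ethernet/ARP sender mismatch check is useful because it needs no prior state at all.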