All this does is slow the intruder down! Even with a switch or a "secure
hub", you still have to worry about point-to-point sniffing. An intruder
who gets into Box A can sniff any connections made from or to it. Once
someone telnets from A to B, the intruder now has access to Box B, gets
root on it, and has two sniffers running. From there, it
snowballs. True, it's slower than sniffing a shared physical medium, but
you're still going down.
> On 8 Oct 1996, Ryan Russell/SYBASE wrote:
> Just buy a switch. It would be cheaper, and give
> you more functionality.
> I've never seen any info on a "secure hub." Do you
> have the name of a manufacturer of one?
> ---------- Previous Message ----------
> To: brads
> cc: genel, esakov, firewalls
> From: wombat @ mcfeely.bsfs.org (Rabid Wombat) @ smtp
> Date: 10/07/96 08:00:32 PM
> Subject: Re: Sniffer detection.
> Much more secure to implement secure hubs and be done with it.
> For those who don't know what these are, they overwrite the data portion
> of the packet (from layer two inward) on a copy of the packet - the port
> handling the MAC address of the recipient gets the real packet, and all
> other ports xmit the copy w/ the overwritten data, to comply w/ ethernet
> rules requiring everyone to "see" the packet.
> If a sniffer is placed on such a segment, all they will be able to do is
> get a list of MAC addresses and measure traffic volume to each.
> Not a bad addition to your bastion segment, in addition to internal use.
> On Mon, 7 Oct 1996, Bradley Smith wrote:
> > Point taken, but if an unauthorized individual has the opportunity to
> > physically jack into your network like that, I would say that getting your
> > packets sniffed is probably the least of your worries.
> > As a side note, I've heard here and there that NICs are available that
> > cannot be operated in promiscuous mode. Does anyone have experience with
> > these devices? Or can tell me what vendor(s) are manufacturing?
> > -brad
> > On Mon, 7 Oct 1996, Gene Lee wrote:
> > > Bradley Smith wrote:
> > > > I used to do something very basic for this. There are several code
> > > > snippets available to get interface values (i.e. cpm, ifstatus). I'd run
> > > > these from cron, mail results to file, tail file with swatch and look for
> > > > a lexical string indicating the interface was in prom (sp) mode.
> > > >
> > > > If the status code returned indicated a "sniffer," I'd mail the results to
> > > > my pager and shut the interface down. You could get even more creative
> > > > than this with netstats, reverse finger, etc..
> > >
> > > This is fine for unix machines which you have administrative control
> > > over, but what about a rogue PC notebook running DataGlance or LANAlyzer
> > > inserted into your Ethernet network somewhere on the wire? Also keep in
> > > mind some NICs are custom built to not broadcast the fact that they are
> > > in promiscuous mode. The only way to detect something like this would be
> > > to physically check each interface connected to your network.
> > >
> > > --
> > > Gene Lee
> > > genel @
> > > genelee @
> > >
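The cron-driven check Bradley Smith describes above (run an interface-status tool, look for the promiscuous-mode string, page and shut the interface down) as an added example. This is not the thread's cpm or ifstatus code and is not from any poster; it assumes a Linux host with iproute2 and parses `ip -o link show` output for the PROMISC flag. The sample output it ships with is constructed. As Gene Lee points out, a check like this only ever sees the interfaces of the host it runs on; a rogue notebook on the wire is invisible to it.

```shell
#!/bin/sh
# Added example, not the thread's cpm/ifstatus code: report interfaces that
# are in promiscuous mode, in the style of a cron job whose output you would
# mail or feed to swatch. Assumes Linux with iproute2 (`ip -o link show`).

# Print the name of every interface whose <...> flag list contains the
# exact token PROMISC. $1 is text in `ip -o link show` format, one
# interface per line, e.g.
#   3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...
promisc_ifaces() {
    printf '%s\n' "$1" | awk '
        {
            # field 2 is the name with a trailing colon ("eth1:")
            name = $2; sub(/:$/, "", name)
            # the flag list is the first <...> group on the line
            if (match($0, /<[^>]*>/) == 0) next
            flags = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] == "PROMISC") { print name; break }
        }'
}

# Exit 0 when no interface is promiscuous, 1 otherwise. The non-zero exit
# (and the PROMISC: line) is what a cron wrapper would act on: mail it,
# page on it, or `ip link set <if> down` as the thread suggests.
check_promisc() {
    hits=$(promisc_ifaces "$1")
    if [ -n "$hits" ]; then
        printf 'PROMISC: %s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample of `ip -o link show` output: eth1 is in promiscuous
# mode, lo and eth0 are not.
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# With --live, check the running system (needs iproute2); otherwise run
# against the constructed sample so the script demonstrates itself offline.
if [ "${1:-}" = "--live" ] && command -v ip >/dev/null 2>&1; then
    check_promisc "$(ip -o link show 2>/dev/null)" || true
else
    check_promisc "$SAMPLE" || true
fi
```

Run it from cron as `promisc-check.sh --live` and act on a non-zero exit; matching the PROMISC token exactly (rather than grepping for the substring) keeps it from tripping on other flags or on interface names that happen to contain the word.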