Great Circle Associates Firewalls
(February 1998)
 


Subject: Re: anti-sniffer warfare
From: Rabid Wombat <wombat @ mcfeely . bsfs . org>
Date: Sat, 31 Jan 1998 23:56:27 -0500 (EST)
To: Henry Hertz Hobbit <hhhobbit @ icarus . weber . edu>
Cc: Doug Hughes <Doug . Hughes @ Eng . Auburn . EDU>, firewalls @ GreatCircle . COM
In-reply-to: <Pine . SOL . 3 . 91 . 980131225938 . 6474E-100000 @ icarus . weber . edu>

I have set up secure LANs using both Synoptics/Bay Networks and 3Com 
hubs. Setting this up is not difficult; administering it long-term in a 
large environment is.

You need a well-documented cable plant, end stations documented by user, 
location, cable drop, MAC address and IP address, and, of course, your 
hubs documented by location, cable drop-to-port and MAC address-to-port. 
You need a system that allows your records to be maintained accurately by 
your staff.

Your users and help desk will need to know that only a specific system is 
permitted on a specific port, and your maintenance technicians will need 
to know that swapping out a NIC, PC, etc. will require that the MAC 
address assigned to a given port will also need to be changed. When you 
think of "standard" swap-out troubleshooting procedures, you can see why 
this is a problem. 

-r.w.


On Sat, 31 Jan 1998, Henry Hertz Hobbit wrote:

> On Fri, 30 Jan 1998, Doug Hughes wrote:
> 
> 
> > I don't think the effort would be worth it.  Most sniffers are totally
> > passive devices, and by their nature, the only way to detect them
> > is physical inspection of your cable plant.
> 
> Correct.
>  
> >  One thing that may be helpful in preventing hardware sniffer attachment
> > is via security enabled hubs where the MAC address of all ports is
> > hard-wired into the hub.  Unused ports would be administratively disabled.
> > This will prevent somebody from unplugging a machine and plugging in a
> > sniffer. It will also prevent somebody from using an unoccupied port
> > on the off chance that they would get access to the hub itself (which
> > should be in a locked closet).
> 
> Aside from the fact that not all hubs support this, does anybody
> really have the time to do it with all the other stuff that they
> have to get done? If you or anybody else reading this can point us
> to any sites that are doing this successfully and what hubs would
> be the best to use, I think that we would all benefit. I guess it
> kind of depends on the volatility of the network you are on which
> at most places I have been is quite high.
> 
> 
> The Hobbit
> 
> This message can't possibly have come from me! smrsh is not running
> so it *must* have come from somebody else going into the smtp port!!!
> 
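
The record-keeping described in this message (MAC address-to-port and cable drop-to-port documentation that must be updated whenever a NIC or PC is swapped) can be checked by reconciling the records against what the hubs report. The following is an added example, not code from the thread or from any hub vendor; the hub names, MAC addresses and the shape of the exported port table are constructed assumptions.

```python
import re

def norm_mac(mac):
    """Normalise 00:A0:..., 00-a0-..., 00a0.24... to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed sample data. Documented records: (hub, port) -> assignment.
RECORDS = {
    ("closet-2a", 1): {"mac": "00:A0:24:11:22:33", "user": "alice", "drop": "2A-101"},
    ("closet-2a", 2): {"mac": "00-60-8C-44-55-66", "user": "bob", "drop": "2A-102"},
    ("closet-2a", 3): {"mac": "0000.81aa.bbcc", "user": "carol", "drop": "2A-103"},
}
# Constructed observed state (assumed export format from hub management):
# (hub, port) -> (administratively enabled?, MAC seen on the port or None).
OBSERVED = {
    ("closet-2a", 1): (True, "00a0.2411.2233"),
    ("closet-2a", 2): (True, "00:60:8c:99:99:99"),   # NIC swapped, record not updated
    ("closet-2a", 3): (False, None),                  # documented station, port disabled
    ("closet-2a", 4): (True, None),                   # unused port left enabled
}

def audit(records, observed):
    """Return sorted (hub, port, finding) tuples where records and hub disagree."""
    findings = []
    for key, (enabled, seen) in observed.items():
        rec = records.get(key)
        if rec is None:
            if enabled:
                findings.append((*key, "enabled port with no documented station"))
            continue
        if not enabled:
            findings.append((*key, "documented station on a disabled port"))
        elif seen is not None and norm_mac(seen) != norm_mac(rec["mac"]):
            findings.append((*key, f"MAC {norm_mac(seen)} does not match record for {rec['user']}"))
    for key in records.keys() - observed.keys():
        findings.append((*key, "documented port missing from hub export"))
    return sorted(findings)

if __name__ == "__main__":
    for hub, port, finding in audit(RECORDS, OBSERVED):
        print(f"{hub} port {port}: {finding}")
```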

