>On Fri, 30 Jan 1998, Doug Hughes wrote:
>> I don't think the effort would be worth it. Most sniffers are totally
>> passive devices, and by their nature, the only way to detect them
>> is physical inspection of your cable plant.
>> One thing that may be helpful in preventing hardware sniffer attachment
>> is via security enabled hubs where the MAC address of all ports is
>> hard-wired into the hub. Unused ports would be administratively disabled.
>> This will prevent somebody from unplugging a machine and plugging in a
>> sniffer. It will also prevent somebody from using an unoccupied port
>> on the off chance that they would get access to the hub itself (which
>> should be in a locked closet).
>Aside from the fact that not all hubs support this, does anybody
>really have the time to do it with all the other stuff that they
>have to get done? If you or anybody else reading this can point us
>to any sites that are doing this successfully and what hubs would
>be the best to use, I think that we would all benefit. I guess it
>kind of depends on the volatility of the network you are on which
>at most places I have been is quite high.
>This message can't possibly have come from me! smrsh is not running
>so it *must* have come from somebody else going into the smtp port!!!
We like the HP hubs with the management module. You can get the hub to:
1) send an alarm when the MAC address changes (which doesn't really
help if the intruder assumes the MAC address of the machine)
2) shut down the port if the MAC address changes
3) prevent passive eavesdropping on a port by only allowing packets
through to the MAC address tied to that port
4) all of the above
However, in security mode, you CANNOT daisy-chain other hubs off of
a port. The switchover from one MAC address to another is extremely
slow and results in lost connectivity for all daisy-chained hosts.
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
* Reply to me, or reply to the list, but please don't do both.
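
The port options listed in the message above, modelled as an added example that is not part of the original thread and is not HP's firmware logic. The `SecurePort` class, its method names, the pass-through of broadcast frames, and the MAC addresses are assumptions made for illustration. It shows why a device that assumes the bound MAC raises no alarm and why a daisy-chained hub loses connectivity in security mode.

```python
from dataclasses import dataclass, field
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class SecurePort:
    """Simplified model of one hub port tied to a single MAC address."""
    bound_mac: str
    shutdown_on_change: bool = False    # option 2 in the message
    eavesdrop_prevention: bool = False  # option 3 in the message
    enabled: bool = True
    alarms: list = field(default_factory=list)

    def frame_in(self, src_mac: str) -> bool:
        """Frame sent by the attached device; True if the hub repeats it."""
        if not self.enabled:
            return False
        if src_mac.lower() == self.bound_mac.lower():
            return True
        self.alarms.append(src_mac)     # option 1: alarm on MAC change
        if self.shutdown_on_change:
            self.enabled = False        # option 2: port is shut down
            return False
        return True                     # alarm-only: traffic still flows

    def frame_out(self, dst_mac: str) -> bool:
        """Frame repeated toward this port; True if the device can read it."""
        if not self.enabled:
            return False
        if not self.eavesdrop_prevention:
            return True                 # plain repeater: every port sees all
        return dst_mac.lower() in (self.bound_mac.lower(), BROADCAST)


def demo() -> dict:
    pc, other = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed MACs
    p = SecurePort(pc, shutdown_on_change=True)
    p.frame_in(pc)                      # device using the bound MAC: no alarm
    cloned_alarms = len(p.alarms)
    q = SecurePort(pc, eavesdrop_prevention=True)
    chain = SecurePort(pc, shutdown_on_change=True)  # second hub on one port
    return {
        "cloned_mac_alarms": cloned_alarms,
        "reads_foreign_frame": q.frame_out(other),
        "reads_own_frame": q.frame_out(pc),
        "chain": [chain.frame_in(m) for m in (pc, other, pc)],
        "chain_port_enabled": chain.enabled,
    }
```

In the `chain` result the first host's frame passes, the second host's frame trips the lock, and the first host is then cut off as well.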