Firewalls: Re: anti-sniffer warfare

Firewalls
(February 1998)

Indexed By Thread: [Previous] [Next]

Subject:	Re: anti-sniffer warfare
From:	Doug Hughes <Doug . Hughes @ Eng . Auburn . EDU>
Date:	Mon, 2 Feb 1998 08:21:54 -0600
To:	firewalls @ greatcircle . com
In-reply-to:	<Pine . SOL . 3 . 91 . 980131225938 . 6474E-100000 @ icarus . weber . edu>


>On Fri, 30 Jan 1998, Doug Hughes wrote:
>
>
>> I don't think the effort would be worth it.  Most sniffers are totally
>> passive devices, and by their nature, the only way to detect them
>> is physical inspection of your cable plant.
>
>Correct.
> 
>>  One thing that may be helpful in preventing hardware sniffer attachment
>> is via security enabled hubs where the MAC address of all ports is
>> hard-wired into the hub.  Unused ports would be administratively disabled.
>> This will prevent somebody from unplugging a machine and plugging in a
>> sniffer. It will also prevent somebody from using an unoccupied port
>> on the off change that they would get access to the hub itself (which
>> should be in a locked closet).
>
>Aside from the fact that not all hubs support this, does anybody
>really have the time to do it with all the other stuff that they
>have to get done? If you or anybody else reading this can point us
>to any sites that are doing this successfully and what hubs would
>be the best to use, I think that we would all benefit. I guess it
>kind of depends on the volatility of the network you are on which
>at most places I have been is quite high.
>
>
>The Hobbit
>
>This message can't possibly have come from me! smrsh is not running
>so it *must* have come from somebody else going into the smtp port!!!
>

We like the HP hubs with the management module. You can get the hub
port to
1) send an alarm when the MAC address changes (which doesn't really
help if the intruder assumes the MAC address of the machine)
2) shutdown the port if the MAC address changes
3) prevent passive eavesdropping on a port by only allowing packets
through to the MAC address tied to that port
4) all of the above

However, in security mode, you CANNOT daisy-chain other hubs off of
a port. the switchover from one MAC address to another is extremely
slow and results in lost connectivity for all daisy-chained hosts.



--
____________________________________________________________________________
Doug Hughes					Engineering Network Services
System/Net Admin  				Auburn University
			doug @
 eng .
 auburn .
 edu
* Reply to me, or reply to the list, but please don't do both.

References:

Re: anti-sniffer warfare
From: Henry Hertz Hobbit <hhhobbit @ icarus . weber . edu>

Indexed By Date	Previous:	Re: Firewalls-Digest V7 #47 From: Peter Morissey <ppmorris @ syr . edu>
Indexed By Date	Next:	Wrong addres !!! Please change... From: Geert Surkijn <geert . surkijn @ area013 . be>
Indexed By Thread	Previous:	Re: anti-sniffer warfare From: "Paul D. Robertson" <proberts @ clark . net>
Indexed By Thread	Next:	Re: anti-sniffer warfare From: Marc Heuse <Marc . Heuse @ mail . DeuBa . COM>