Great Circle Associates Firewalls
(November 1994)


Subject: Re: promiscuous mode on ethernet card-question.
From: Bruce Warrington <bruce @ ancc . com>
Date: Thu, 17 Nov 94 8:24:04 CST
To: firewalls @ greatcircle . com
In-reply-to: <199411161841 . NAA04036 @ cadman . cit . buffalo . edu>; from "Jeff Murphy" at Nov 16, 94 1:41 pm
Mailer: Elm [revision: 70.85]
Office: EXEC
Phone: 312-399-8623

> >Can a PC running a sniffer that sets the ethernet card to
> >promiscuous mode be detected by same? Or other methods?
>       no. promiscuous mode means you are listening to everything
>       (i.e. all packets are getting processed by the kernel/driver).
>       this is a passive action, you can't tell that someone is listening,
>       because the card will not give any indication that it is doing
>       so.. sorry.

This points out the other (often unnoticed) part of your network
security - physical cable security.  There's not much point in setting
up a firewall, only to have someone come over and plug a machine into
an unprotected part of your internal LAN.  This isn't just securing
the cable plant inside locked areas, it means having your hubs and
concentrators learn the correct machine address, and lock out all
others from using the port, and setting up the additional security
available in most of the newer hubs.  It's not foolproof, but it keeps
the average prankster out.  You can also configure hubs to know that
if a machine loses the 10BASE-T link, it's locked out until your net
admin logs into the hub and resets the link.  Not fun for PCs, but
for Unix machines that should stay up 99% of the time anyway, it
prevents someone from grabbing the ethernet connection and using it
for something else, and putting it back unnoticed.  You can't snoop
unnoticed on a 10BASE-T port, since you need to send a link activation
to the hub to get it started, and the hub then marks the port as
active.  In this case, hub activation and hub security statistics can
help you find the point of access on your network.


Bruce Warrington
American National Can Corp.
Chicago, IL USA
bruce @
 ancc .
${opinions} == "my_own" && !those.of.ancc
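
The hub port policy described in the message above (learn one machine address per port, lock out all others, lock the port on loss of link until an administrator resets it), modelled as an added example that is not part of the original post. The event tuples, the addresses, the names `Port`, `Hub` and `audit`, and the choice to keep the learned address across an admin reset are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    learned_mac: Optional[str] = None  # first source address seen on this port
    locked: bool = False               # stays set until an admin reset

@dataclass
class Hub:
    ports: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)  # (time, port, reason)

    def handle(self, ts, port_id, kind, mac=None):
        p = self.ports.setdefault(port_id, Port())
        if kind == "admin_reset":
            p.locked = False  # assumption: learned address survives the reset
        elif kind == "link_down" and p.learned_mac is not None:
            p.locked = True   # a pulled cable locks the port
            self.alerts.append((ts, port_id, "link lost, port locked"))
        elif kind == "link_up" and p.locked:
            # plugging in is never silent: the hub sees the link activation
            self.alerts.append((ts, port_id, "link activation on locked port"))
        elif kind == "frame":
            if p.locked:
                self.alerts.append((ts, port_id, f"dropped frame from {mac}"))
            elif p.learned_mac is None:
                p.learned_mac = mac
            elif mac != p.learned_mac:
                p.locked = True
                self.alerts.append((ts, port_id, f"unknown address {mac}, port locked"))

# Constructed sample events: (time, port, kind, source address)
EVENTS = [
    (1, 3, "link_up", None),
    (2, 3, "frame", "08:00:20:aa:bb:01"),   # legitimate machine is learned
    (3, 3, "link_down", None),              # cable pulled
    (4, 3, "link_up", None),                # another machine plugged in
    (5, 3, "frame", "00:00:c0:11:22:33"),
    (6, 3, "admin_reset", None),
    (7, 3, "frame", "00:00:c0:11:22:33"),   # still not the learned address
]

def audit(events):
    hub = Hub()
    for ev in events:
        hub.handle(*ev)
    return hub

if __name__ == "__main__":
    for alert in audit(EVENTS).alerts:
        print(alert)
```

The alert list is the "hub security statistics" trail the message refers to: each entry carries the port number, which is what locates the point of access.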
