At 11:27 AM 11/18/94 EST, Tim Williams wrote:
>>
>> > Can a PC running a sniffer that sets the ethernet card to
>> > promiscuous mode be detected by same? Or other methods?
>> >
>> > Our students are getting more "educated." :(
>>
>> This sounds like it's good for your students and bad for you.
>> I do not think it possible to detect a remote machine snarfing packets.
>>
>> There is not much you can do. MS-DOG, I mean DOS, has no concept of
>> permissions. You can make small isolated subnets and threaten users with
>> stiff penalties for sniffing. In the end you will probably have to chalk
>> that subnet up as being insecure unless someone has a better solution.
>>
>
>One other possibility to keep people from using their machine to scarf packets
>from the network is to use a network card that provides access
>control between host systems (which hosts can talk to which hosts) and
>also encrypts all transfers on the network. Such a beast has been around for
>a few years (since 1985) and has been evaluated by NSA as a B2 level
>network component. The product's name is VSLAN and is sold by my company
>General Kinetics Inc. It's not cheap (about 1K per network board) so it
>might be overkill for some/most commercial situations but if you REALLY WANT
>TO BE SURE that a user can't sit back in his PC, SUN, MAC, etc. and soak up
>everything on your network then this is for you.
>
>
>Tim Williams
>
Not only is this product expensive but it's a pain in the #$%. I think you
may be better off living with the pain of a segmented/bridged net than
dealing with VSLAN.
>
******************************************************************
Mark S. Kadrich, Systems Engineer, International Network Services
"The Power of Operable Networks"
Voice @ 415-254-4225, Page @ 1-800-759-7243; PIN 879-5783
e-mail @ kadrich @ uni . ins . com
We must all consider our place in the scheme of things,
lest we forget its effect on our own schemes.
******************************************************************