Educause Security Discussion mailing list archives

Re: Risks of File Transfer on a Fully Switched Network


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 30 Nov 2005 09:11:21 +1300

Sadler, Connie wrote:

> I am being told that the risk of transferring sensitive files over our
> InTRAnet is so low that we should not require encryption for these
> internal file transfers. Transferring over the Internet in the clear is
> clearly a problem, but are others willing to share your position on the
> transmission of sensitive data in the clear internally (assuming a fully
> switched network)??

There are many tools and techniques that can fool switches into spraying
traffic all over the network.  Switches are not designed as security
devices, they are designed to work in a nice 'sane' environment.

If you don't want people to intercept data while in transit across your
network then you must encrypt it.  End of story.

Aside:

To some extent the same argument applies to VLANs but at least most
vendors treat VLANs as security technology and try to engineer them to
withstand attack.  (Speaking as one who is currently involved in a major
project to partition our internal network using VLANs and virtual
firewalls).  VLANs do buy you more security but nowhere near as much as
the vendors would like to have you believe.

Russell.

Cheers, Russell
