Security Basics mailing list archives

Re: switched n/w


From: Andreas Putzo <andreas () inferno nadir org>
Date: Wed, 8 Dec 2004 09:37:52 +0100

Hello,

On Tuesday 07 December 2004 19:30, kaushal wrote:
> Hi,
>    I am a bit new to network securities. We have a switched network and to
> my knowledge a host's data cannot be sniffed by another host by running
> tcpdump. But I am receiving complaints from a few users that their data is
> being changed/manipulated. Is this possible?

Yes, this is possible. One technique to sniff in a switched environment is ARP 
poisoning. For example, I make a fake ARP entry in the victim's ARP table, 
suggesting that I am the victim's gateway. If this is successful, the victim 
will send all data to my machine. While my machine is forwarding the data to 
the correct gateway, I can sniff and even manipulate the data on the fly.

> How can I avoid this at the host level? Does this mean the server has
> been compromised? Any help or pointer in this aspect would be highly
> appreciated.

You can avoid ARP attacks with static ARP entries (arp -s ).
It's also possible that some of your hosts have been compromised. You may take 
a look at the machines and/or check the network traffic for unusual ARP 
traffic (e.g. with arpwatch).
What kind of data has been manipulated?
 

hth, Andreas

