Firewall Wizards mailing list archives

Re: RE: Sniffing out a firewall problem


From: "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>
Date: Fri, 09 Nov 2001 10:04:39 +0100


There is no added value in using a switch instead of a hub. The added value
comes if you configure all your servers for static arp entries. It is easy to
abuse the arp protocol in order to be able to sniff the whole traffic:

.Keep track of all arp-query broadcasts your sniffer sees on the network.
.Send gratuitous arp to every ip address collected, and for every ip address
collected, on a regular basis.
.This will tell every host to send traffic to your mac address.
.Route the traffic to the right mac address.

This way, you'll seamlessly sniff other servers' traffic.

Anyway, I do prefer switches, but not for the false sense of security: I
like not to see too much garbage when doing snoop/tcpdump.

Two points for hubs against switches:
.some well-known security vendors are not aware of these innovative devices
so that their high availability solutions are not supported on switched
networks.
.switches are more complex than hubs and thus more exploit-prone. I guess
you know you have to disable any in-band management of your switch if you
don't want trouble: cisco had security breaches in their http, telnet and
snmp daemons.

If you really have to implement security at these layers of a network, you'd
better use some kind of switching firewall.

Carl Friedberg wrote:

On a network exposed to the outside (internet) you should NEVER run a
hub. A hub allows an intruder easy access to any device attached to the
hub, including sniffing traffic between multiple nodes which would never
be "visible" if you were using a switch.

I completely agree that there is no cost reason to use a hub. There is
NO reason to use a hub where security is of any concern.

I might consider using a hub in a protected region behind a firewall to
connect 10/hdx devices (such as a UPS monitor or similar appliance); or
in a test environment; but only to make use of something which is
otherwise consigned to the trash heap.

Carl Friedberg
carl () comets com

-----Original Message-----
From: Barney Wolff [mailto:barney () databus com]
Sent: Wednesday, November 07, 2001 5:30 PM
To: firewall-wizards () nfr com
Subject: Re: [fw-wiz] RE: Sniffing out a firewall problem

On Sun, Nov 04, 2001 at 06:38:36AM -0800, Gregory Hicks wrote:

Half duplex?  If the ratio of coll/total is 2% or less, Great!  More
than 10%?  You've got a problem.

This is at best half true.  What is true is that a broken NIC or hub can
cause lots of collisions.  But so can a heavy load when everything is
functioning normally.  I have seen an Ethernet where collisions were
over 100%, for months at a time, but nothing was broken and throughput was
quite good.  When NICs and hub are in spec, a collision wastes very
little time compared to the average frame time.

These days, there is little reason to run hubs rather than switches, so
collisions are largely part of history.
--
Barney Wolff

"Nonetheless, ease and peace had left this people still curiously tough.
They were, if it came to it, difficult to daunt or to kill; and they
were, perhaps, so unwearyingly fond of good things not least because
they could, when put to it, do without them, and could survive rough
handling by grief, foe, or weather in a way that astonished those who
did not know them well and looked no further than their bellies and
their well-fed faces." J.R.R.T.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
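Detection-side illustration of the arp abuse Stephane describes at the top of the thread, added here as an example that is not part of the original list post: it replays constructed ARP replies through a small monitor that flags an IP whose advertised MAC changes and a MAC that claims more addresses than expected. All addresses, the ArpReply record and the analyze_arp function are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sniffer on the segment would record it (assumed shape)."""
    sender_ip: str
    sender_mac: str
    target_ip: str  # equals sender_ip for a gratuitous ARP


def analyze_arp(replies, max_ips_per_mac=1):
    """Return (flips, claimers).

    flips:    {ip: [(old_mac, new_mac), ...]} for IPs whose advertised MAC changed
    claimers: {mac: {ip, ...}} for MACs advertising more than max_ips_per_mac IPs
    """
    # Raise max_ips_per_mac for routers or hosts that legitimately hold several IPs.
    current = {}                 # ip -> MAC most recently advertised for it
    flips = defaultdict(list)
    ips_per_mac = defaultdict(set)
    for r in replies:
        ips_per_mac[r.sender_mac].add(r.sender_ip)
        old = current.get(r.sender_ip)
        if old is not None and old != r.sender_mac:
            flips[r.sender_ip].append((old, r.sender_mac))
        current[r.sender_ip] = r.sender_mac
    claimers = {m: ips for m, ips in ips_per_mac.items() if len(ips) > max_ips_per_mac}
    return dict(flips), claimers


# Constructed sample: three hosts answer ordinary ARP queries, host .2 reboots
# and sends a harmless gratuitous ARP with its own MAC, then a fourth station
# claims all three addresses by gratuitous ARP (the pattern from the post).
SAMPLE = [
    ArpReply("10.0.0.1", "00:11:22:33:44:01", "10.0.0.9"),
    ArpReply("10.0.0.2", "00:11:22:33:44:02", "10.0.0.9"),
    ArpReply("10.0.0.3", "00:11:22:33:44:03", "10.0.0.9"),
    ArpReply("10.0.0.2", "00:11:22:33:44:02", "10.0.0.2"),
    ArpReply("10.0.0.1", "00:11:22:33:44:99", "10.0.0.1"),
    ArpReply("10.0.0.2", "00:11:22:33:44:99", "10.0.0.2"),
    ArpReply("10.0.0.3", "00:11:22:33:44:99", "10.0.0.3"),
]

if __name__ == "__main__":
    flips, claimers = analyze_arp(SAMPLE)
    for ip, changes in flips.items():
        print(f"{ip}: advertised MAC changed {changes}")
    for mac, ips in claimers.items():
        print(f"{mac} claims {len(ips)} addresses: {sorted(ips)}")
```

The same check can be driven from a live ARP feed; the static arp entries the post recommends stop the redirection itself, while this monitor only tells you that someone attempted it.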

