Firewall Wizards mailing list archives
Re: RE: Sniffing out a firewall problem
From: "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>
Date: Fri, 09 Nov 2001 10:04:39 +0100
There is no added value in using a switch instead of a hub. The added value comes if you configure all your servers for static ARP entries. It is easy to abuse the ARP protocol in order to be able to sniff the whole traffic:

- Keep track of all ARP-query broadcasts your sniffer sees on the network.
- Send gratuitous ARP to every IP address collected, and for every IP address collected, on a regular basis.
- This will tell every host to send traffic to your MAC address.
- Route the traffic to the right MAC address.

This way, you'll seamlessly sniff other servers' traffic.

Anyway, I do prefer switches, but not for the false sense of security: I like not to see too much garbage when doing snoop/tcpdump.

Two points for hubs against switches:

- some well-known security vendors are not aware of these innovative devices, so that their high availability solutions are not supported on switched networks.
- switches are more complex than hubs and thus more exploit-prone. I guess you know you have to disable any in-band management of your switch if you don't want trouble: Cisco had security breaches in their http, telnet and snmp daemons.

If you really have to implement security at these layers of a network, you'd better use some kind of switching firewall.

Carl Friedberg wrote:
On a network exposed to the outside (internet) you should NEVER run a hub. A hub allows an intruder easy access to any device attached to the hub, including sniffing traffic between multiple nodes which would never be "visible" if you were using a switch. I completely agree that there is no cost reason to use a hub. There is NO reason to use a hub where security is of any concern. I might consider using a hub in a protected region behind a firewall to connect 10/hdx devices (such as a UPS monitor or similar appliance); or in a test environment; but only to make use of something which is otherwise consigned to the trash heap.

Carl Friedberg
carl () comets com

-----Original Message-----
From: Barney Wolff [mailto:barney () databus com]
Sent: Wednesday, November 07, 2001 5:30 PM
To: firewall-wizards () nfr com
Subject: Re: [fw-wiz] RE: Sniffing out a firewall problem

On Sun, Nov 04, 2001 at 06:38:36AM -0800, Gregory Hicks wrote:

> Half duplex? If the ratio of coll/total is 2% or less, Great! More than 10%? You've got a problem.

This is at best half true. What is true is that a broken NIC or hub can cause lots of collisions. But so can a heavy load when everything is functioning normally. I have seen an Ethernet where collisions were over 100%, for months at a time, but nothing was broken and throughput was quite good. When NICs and hub are in spec, a collision wastes very little time compared to the average frame time. These days, there is little reason to run hubs rather than switches, so collisions are largely part of history.

--
Barney Wolff
"Nonetheless, ease and peace had left this people still curiously tough. They were, if it came to it, difficult to daunt or to kill; and they were, perhaps, so unwearyingly fond of good things not least because they could, when put to it, do without them, and could survive rough handling by grief, foe, or weather in a way that astonished those who did not know them well and looked no further than their bellies and their well-fed faces." J.R.R.T.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
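The poisoning sequence Stephane describes (collect the ARP requests seen on the wire, then answer for every collected address with your own MAC) leaves a recognisable trace in the ARP traffic itself: replies nobody asked for, an IP whose MAC suddenly changes, and one MAC claiming several IPs. The following is an added example, not code from the posting or the list: a small arpwatch-style monitor that parses raw ARP frames and raises those three alerts, plus a mismatch against a table of known bindings standing in for the static ARP entries he recommends. All hosts, MAC and IP addresses and the frames themselves are constructed for the demonstration.

```python
"""Passive ARP monitor: parse IPv4-over-Ethernet ARP frames (RFC 826) and flag
the anomalies an ARP-cache poisoning run produces.  Added example; every
address and frame below is constructed, not captured from a real network."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sha, spa, tha, tpa):
    """Ethernet II frame carrying an ARP packet (hardware=Ethernet, proto=IPv4)."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpWatcher:
    """Learns IP->MAC bindings from ARP traffic and alerts on suspicious changes."""

    def __init__(self, static=None, many_ips_threshold=3):
        self.static = dict(static or {})      # IP -> MAC we know (static ARP entries)
        self.learned = {}                     # IP -> MAC last seen claiming it
        self.awaiting_reply = set()           # IPs some host asked for
        self.ips_per_mac = defaultdict(set)   # MAC -> IPs it has claimed
        self.many_ips_threshold = many_ips_threshold
        self.alerts = []

    def observe(self, pkt):
        ip, mac, op = pkt["spa"], pkt["sha"], pkt["op"]
        if ip == "0.0.0.0":                   # ARP probe; carries no binding
            return
        if op == ARP_REQUEST:
            self.awaiting_reply.add(pkt["tpa"])
        elif op == ARP_REPLY:
            # A reply announcing its own address (gratuitous ARP) or one that no
            # request preceded is exactly what the poisoning in the thread sends.
            if pkt["tpa"] == ip or ip not in self.awaiting_reply:
                self.alerts.append(("unsolicited-reply", ip, mac))
            self.awaiting_reply.discard(ip)
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append(("static-mismatch", ip, mac))
        prev = self.learned.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append(("flip-flop", ip, f"{prev}->{mac}"))
        self.learned[ip] = mac
        self.ips_per_mac[mac].add(ip)
        if len(self.ips_per_mac[mac]) == self.many_ips_threshold:
            self.alerts.append(("many-ips", mac, sorted(self.ips_per_mac[mac])))


def analyse(frames, static=None):
    """Feed raw frames through the parser and watcher; return the alert list."""
    watcher = ArpWatcher(static=static)
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is not None:
            watcher.observe(pkt)
    return watcher.alerts


# Constructed hosts: three servers and one host that later poisons the caches.
H1, H2, H3 = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
SNIFFER = "ca:fe:ca:fe:00:99"


def constructed_traffic():
    """Normal resolution first, then the 'answer for every collected IP' burst."""
    return [
        build_arp_frame(ARP_REQUEST, H1, "10.0.0.1", ZERO_MAC, "10.0.0.2"),
        build_arp_frame(ARP_REPLY, H2, "10.0.0.2", H1, "10.0.0.1"),
        build_arp_frame(ARP_REQUEST, H3, "10.0.0.3", ZERO_MAC, "10.0.0.1"),
        build_arp_frame(ARP_REPLY, H1, "10.0.0.1", H3, "10.0.0.3"),
        build_arp_frame(ARP_REPLY, SNIFFER, "10.0.0.1", BROADCAST, "10.0.0.1"),
        build_arp_frame(ARP_REPLY, SNIFFER, "10.0.0.2", BROADCAST, "10.0.0.2"),
        build_arp_frame(ARP_REPLY, SNIFFER, "10.0.0.3", BROADCAST, "10.0.0.3"),
    ]


if __name__ == "__main__":
    for alert in analyse(constructed_traffic(), static={"10.0.0.1": H1}):
        print(*alert)
```

The first four frames produce no alert; the three gratuitous replies produce an unsolicited-reply and a flip-flop each, a static-mismatch for the one address in the known-bindings table, and a many-ips alert once the same MAC has claimed three addresses. Legitimate gratuitous ARP (a host announcing itself after boot or a failover) will also trip the unsolicited-reply rule, so in practice that alert is a signal to correlate with the flip-flop and many-ips rules rather than a verdict on its own; the static table is the part that gives a definite answer, which is the point of Stephane's static ARP advice.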
Current thread:
- RE: RE: Sniffing out a firewall problem, (continued)
- RE: RE: Sniffing out a firewall problem Chiman (Nov 06)
- RE: RE: Sniffing out a firewall problem Anton (Nov 13)
- Re: RE: Sniffing out a firewall problem Pierre-Yves BONNETAIN (Nov 09)
- Re: RE: Sniffing out a firewall problem Peter Lukas (Nov 05)
- RE: Sniffing out a firewall -SNORT blew up registrty Chiman (Nov 06)
- Re: RE: Sniffing out a firewall problem R. DuFresne (Nov 03)
- Re: RE: Sniffing out a firewall problem Barney Wolff (Nov 08)
- Re: RE: Sniffing out a firewall problem Stephane Nasdrovisky (Nov 09)
- RE: RE: Sniffing out a firewall problem M. Dodge Mumford (Nov 09)