RE: Caching a sniffer

From: Andrew Shore (andrew.shore_at_holistecs.com)
Date: 03/25/04

  • Next message: Shawn Jackson: "RE: Caching a sniffer"
    Date: Thu, 25 Mar 2004 16:54:22 -0000
    To: "Shawn Jackson" <sjackson@horizonusa.com>, "Patrick Toomey" <ptoomey3@mac.com>
    
    

    Agreed, switches can be made to give up secrets; however, as I have
    subsequently pointed out, if ARP/CAM table poisoning is used, switches
    will report moving MAC address problems to their management tools and
    hence you will be able to determine where the sniffer is plugged in.

    A simple syslog monitoring tool will give you this information.

    Any medium to large organisation should be using manageable network
    devices (rather than the cheap unmanaged small type) and all of these
    (to my knowledge) support at least syslog, free, out of the box. A simple
    Linux server will then collect any data, and every company has an old PC
    they can acquire for this purpose.

    Just trying to help :)

     
    Andrew Shore
    Senior Security Specialist
    DDI. 01302 308 165
    andrew.shore@holistecs.com

    Company Number 04943010
    VAT Number 828 8635 82

    Holistic Technologies Ltd
    Unit 7 Shaw Wood Business Park
    Shaw Wood Way
    Doncaster
    South Yorkshire
    DN2 5TB
    T. 0870 240 1442
    F. 0870 240 1443
    www.holistecs.com

    -----Original Message-----
    From: Shawn Jackson [mailto:sjackson@horizonusa.com]
    Sent: 25 March 2004 16:37
    To: Andrew Shore; Patrick Toomey
    Cc: security-basics@securityfocus.com; ksaenz@spinaweb.com.au;
    gillettdavid@fhda.edu
    Subject: RE: Caching a sniffer

    >A switch is not a hub/router. In fact it is a micro segmented bridge.

    It's nice I get so much attention, you all sure know how to make a man
    feel wanted :-). Now let the rebuttal begin.

    As my response to Fernando, which hopefully will get posted to the list
    sooner than this message, states, switches have numerous functions and
    systems that operate at higher layers of the OSI model than just 2. As
    with most network connected devices they need to have functionality on
    other layers besides the one where their core functionality resides.
    Case in point, bridges merely forward traffic destined to addresses on
    other interfaces, limiting broadcasts in each segment; this is the core
    functionality of a switch. I will retract my earlier statement in place
    of this one which better suits the core functionality of the switch, in
    this case you guys win.

    With that stated, switches can make decisions on traffic based on IP
    information which resides at the Network layer (layer 3) of the OSI
    model, as opposed to MAC address information which resides at the
    Data-Link layer (layer 2) of the OSI model. Most switches provide IGMP
    functionality for systems to announce their multicast group membership,
    which is all layer 3 data. Some switches allow you to set ACLs or
    security based on IP information, not just MAC or layer 2 information.
    Some switches can also make routing or 'gateway of last resort'
    decisions.

    >A switch operates at layer 2 of the OSI model i.e. MAC address layer.

    Layer 2 of the OSI model is the Data Link layer. LLC and MAC are logical
    parts of that layer and not layers themselves.

    >Therefore if someone has plugged a scanner into a network point they will not be
    >able to sniff any useful information from the network unless that person has admin
    >access to the switch. You can check this by ensuring that none of the ports on the
    >switches are in span mode

    ARP poisoning, brought up by David, and MacOf, which I mentioned, allow
    people to sniff traffic on a switched network. You don't need to be using
    SPAN to sniff traffic, that's just the way us admins do it.

    Shawn Jackson
    Systems Administrator
    Horizon USA
    1190 Trademark Dr #107
    Reno NV 89521

    www.horizonusa.com
    Email: sjackson@horizonusa.com
    Phone: (775) 858-2338
           (800) 325-1199 x338

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
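As an added example, not part of Andrew's or Shawn's messages: the "simple syslog monitoring tool" Andrew describes, reduced to a short Python script. It assumes the switches emit MAC-move notifications in the Cisco IOS `%SW_MATM-4-MACFLAP_NOTIF` form (other vendors need a different regex), and the sample log lines, switch name, MAC addresses and port numbers are all constructed for illustration. It parses the flap notifications and then ranks ports by how many distinct hosts have flapped onto them: one host flapping between two ports may just be a loop or a dual-homed machine, whereas a single port that shows up against several different hosts' MACs is the signature of CAM-table poisoning, and that port is where the sniffer is plugged in.

```python
import re
import sys
from collections import defaultdict

# Constructed sample syslog lines (assumption: Cisco IOS MACFLAP_NOTIF format,
# switch name, MACs and ports are invented for this example).
SAMPLE_SYSLOG = """\
Mar 25 16:40:01 sw-core-1 1234: Mar 25 16:40:00.991: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/3 and port Gi1/0/24
Mar 25 16:40:02 sw-core-1 1235: Mar 25 16:40:01.502: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/24 and port Gi1/0/3
Mar 25 16:40:05 sw-core-1 1236: Mar 25 16:40:04.120: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.dd01 in vlan 10 is flapping between port Gi1/0/7 and port Gi1/0/24
Mar 25 16:40:06 sw-core-1 1237: Mar 25 16:40:05.330: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
Mar 25 16:40:09 sw-core-1 1238: Mar 25 16:40:08.777: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.dd02 in vlan 20 is flapping between port Gi1/0/9 and port Gi1/0/24
"""

# Matches the Cisco-style "Host <mac> in vlan <n> is flapping between port A and port B" text.
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)",
    re.IGNORECASE,
)


def parse_flaps(text):
    """Return a list of (mac, vlan, port_a, port_b) tuples, one per flap
    notification; lines that are not flap notifications are ignored."""
    events = []
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            events.append((m["mac"].lower(), int(m["vlan"]), m["p1"], m["p2"]))
    return events


def suspect_ports(events, min_hosts=2):
    """Rank ports by the number of distinct hosts that flapped onto them.

    A port that appears in flap events for several different MACs is the one
    sourcing frames with other hosts' addresses, i.e. the likely poisoner.
    Ports seen against fewer than min_hosts hosts are dropped to avoid
    alerting on a single looped or dual-homed machine."""
    hosts_per_port = defaultdict(set)
    for mac, _vlan, p1, p2 in events:
        hosts_per_port[p1].add(mac)
        hosts_per_port[p2].add(mac)
    ranked = sorted(hosts_per_port.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(port, sorted(macs)) for port, macs in ranked if len(macs) >= min_hosts]


def report(text):
    """Human-readable summary of the flap events found in a syslog text."""
    events = parse_flaps(text)
    lines = [f"{len(events)} MAC flap notifications parsed"]
    for port, macs in suspect_ports(events):
        lines.append(
            f"suspect port {port}: {len(macs)} distinct hosts flapped onto it -> {', '.join(macs)}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Read a real log from stdin when piped, otherwise run on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSLOG
    print(report(text))
```

On the sample input the only port reported is Gi1/0/24, because the three flapping hosts all share it while Gi1/0/3, Gi1/0/7 and Gi1/0/9 each appear for one host only. To run it against a live collector, pipe the switch log file into the script (for example `tail -F` on whatever file your syslog daemon writes the switches to) and raise `min_hosts` if your environment has legitimate dual-homed hosts that flap on their own.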

