Wireshark-users: Re: [Wireshark-users] Wireshark in Network - Windows/Linux

From: Phil Paradis <Phil.Paradis@xxxxxxxxxxxxxx>
Date: Sat, 20 Mar 2010 19:43:05 -0700
> But, is it really good or bad to have a linux kernel that drops
> packets that are not destined for that ethernet address. Are there
> too many drawbacks that outweigh the advantages due to the
> presence of such weakness in linux TCP/IP stack ?
> Isn't prevention of sniffing more important ?

No, actually it isn't. Eliminating security-related bugs in network software is FAR more important than preventing sniffing. If such bugs were left in place for that reason, two things would happen:

1. The smart criminals would fix the bug themselves. (Linux is open-source, after all.) 
2. Someone would find a way to exploit the bug to do much more than detect sniffers.

> > If you have a problem with users in your network running sniffers and
> > using this to gain access to data they shouldn't have access to
> > you have bigger problems than just the presence of sniffers.

This is a good point; if you know who is responsible, you should sack them at once. If not, it should be reasonably easy to find them; capturing point-to-point data in a switched network usually requires modifications to switch configurations and/or active forgery of packets. Audit your switch configurations and/or install a sniffer of your own and look for suspicious activity.

> > Perhaps making IPSEC mandatory for all your intranet traffic and have
> > all switches / routers drop all non-ipsec ip traffic is a solution ?
> > They can then still sniff and you can't detect them, but they can't
> > make sense of any of the data they sniff.
>
> Yeah, I think IPSec is a better choice.

IPSec is a good idea, though there are weaknesses there as well. The person running the sniffer can't see the contents, but can identify who is talking to whom, when and how much. You can learn a lot from that, even if you can't read the actual data. Also, a misconfigured node might send data in the clear; even if your routers/switches are blocking it, a sniffer close enough to the sender might still see it.

Most managed switches (L2 and L3) have additional features that can prevent sniffing. A switched network in and of itself prevents a sniffer from picking up point-to-point traffic; only broadcast/multicast traffic would reach the sniffer. In order to get around that, the operator of the sniffer would need to either reconfigure the switch (SPAN/RSPAN) or start sending forged ARP traffic to redirect packets to the sniffer; if you run your own sniffers on the network, that will be detectable. Further, newer switches have features like Private VLAN, DHCP Snooping, ARP snooping, etc. that prevent such forgeries; they can even be configured to shut down any port that tries such things. Other possibilities include deploying features such as 802.1x port-level authentication, NAC, etc. that can ensure that only authorized devices can connect to the network at all, and then lock down those devices to make installation of sniffer software harder.

--
Phillip R. Paradis | Network Engineer | United Tote | 2724 River Green Circle | Louisville | KY | Phone: +1 (502) 509-7445
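The post above twice makes the point that forged ARP traffic is what a defender's own sniffer should be looking for on a switched network. The following is an added example, not code from the original post or from the Wireshark project: a small offline detector that parses raw Ethernet/ARP frames and flags the three signatures of ARP poisoning that a capture would show (an IP suddenly claimed by a second MAC, which is the same conflict Wireshark's ARP dissector reports as a duplicate IP address; a trusted address such as the default gateway answered by the wrong MAC; and an ARP sender MAC that does not match the Ethernet source of the frame carrying it). The sample frames, MAC addresses, IP addresses and the "trusted" gateway mapping are all constructed here for illustration. A switch running Dynamic ARP Inspection makes the same checks at the port; this script shows what the check is.

```python
"""Offline ARP-poisoning detector over raw Ethernet frames.

Added example for the Wireshark-users thread above; not part of the original
post. All frames below are constructed inline so the script runs without a
network interface or a capture file.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # hwtype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REPLY = 2


def mac_str(b):   return ":".join(f"{x:02x}" for x in b)
def ip_str(b):    return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s):  return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    hwtype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (hwtype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {"eth_src": mac_str(eth_src), "op": op, "sha": mac_str(sha),
            "spa": ip_str(spa), "tpa": ip_str(tpa)}


def detect_arp_spoofing(frames, trusted=None):
    """Walk frames in order and return (frame_index, kind, detail) alerts.

    trusted maps IP -> MAC for hosts whose binding is known (e.g. the gateway).
    """
    trusted = trusted or {}
    claims = defaultdict(set)          # IP -> every MAC that has claimed it so far
    alerts = []
    for n, frame in enumerate(frames):
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            continue                   # only replies carry the claims we care about
        if p["sha"] != p["eth_src"]:
            alerts.append((n, "mac-mismatch",
                           f"ARP sender {p['sha']} inside a frame from {p['eth_src']}"))
        if p["spa"] in trusted and p["sha"] != trusted[p["spa"]]:
            alerts.append((n, "spoofed-trusted",
                           f"{p['spa']} claimed by {p['sha']}, expected {trusted[p['spa']]}"))
        if p["sha"] not in claims[p["spa"]]:
            claims[p["spa"]].add(p["sha"])
            if len(claims[p["spa"]]) > 1:  # alert once per new MAC, not on every repeat
                alerts.append((n, "duplicate-ip",
                               f"{p['spa']} now claimed by {sorted(claims[p['spa']])}"))
    return alerts


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Construct a raw Ethernet/ARP reply; eth_src lets the Ethernet source differ from the ARP sender."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(eth_src or sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY, mac_bytes(sender_mac),
                       ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


# Constructed sample: all addresses are made up for this example.
GATEWAY_MAC, GATEWAY_IP = "aa:bb:cc:00:00:01", "10.0.0.1"
VICTIM_MAC, VICTIM_IP = "aa:bb:cc:00:00:50", "10.0.0.50"
ATTACKER_MAC = "00:11:22:33:44:55"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),         # 0: legitimate gateway reply
    build_arp_reply("aa:bb:cc:00:00:20", "10.0.0.20", VICTIM_MAC, VICTIM_IP),  # 1: legitimate peer reply
    ETH_HDR.pack(mac_bytes(VICTIM_MAC), mac_bytes(GATEWAY_MAC), ETHERTYPE_IPV4) + bytes(46),  # 2: not ARP
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),        # 3: attacker claims gateway IP
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP,
                    eth_src=GATEWAY_MAC),                                    # 4: same, with forged Ethernet source
]


def run_sample():
    return detect_arp_spoofing(SAMPLE_FRAMES, trusted={GATEWAY_IP: GATEWAY_MAC})


if __name__ == "__main__":
    for n, kind, detail in run_sample():
        print(f"frame {n}: {kind}: {detail}")
```

On a real network the frame list would come from a capture on a SPAN port or from a tool like tcpdump writing raw frames; the detector itself does not change. The "trusted" map is the piece worth maintaining by hand, since a gateway or DHCP server answered by an unexpected MAC is the most damaging case and the one a duplicate-IP count alone can miss if the attacker answers before the real host does.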