LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-06-2004, 01:37 PM   #1
R4z0r
Member
 
Registered: Jan 2002
Distribution: CentOS 3.1
Posts: 119

Rep: Reputation: 15
One for the experts (Switched network security)


Hey all.

Now this isn't totally Linux related but I know their are a lot of network pros here so I hope you can help!

I have a server co-hosted and it is in a /24 subnet on a switched network. All machines are part of the same VLAN

Now I am concerned as to how much other people on this switch segment can see of my server. I run POP3/IMAP, etc and am concerned people could sniff my passwords.

I've tried a little experiment by connecting to my server with an IMAP client and then tcpdumping the traffic - all I get is something like the below:

Code:
19:29:15.143226 <myserver>.imap > myhomepc.4515: P 250:496(246) ack 69 win 5840 (DF)
Which seems quite promising as there is not much info there but is that because of how I have tcpdump running (I'm running it with no extra options).

What I want to know, is my server safe like this?

If not, what can I do to protect it?

I am thinking of setting up a firewall rule that prevents my server from talking to anyone else on that /24 (Except the default gw) which will help the Layer3 stuff but I don't know if there's anything I can do about the layer2 stuff (As everyone is on the same VLAN).

R4z0r
 
Old 09-06-2004, 04:30 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well the implications are the same as with any switched network segment. By default, a switched network segment only sends Ethernet frames to the MAC address that corresponds with the IP address of the destination (compared to a hub, which sends the Ethernet frame to every port and trusts the NIC plugged into the port to only view what it's supposed to).

It is possible to attack a switched network in two ways, either by poisoning or by flooding. A poisoning attack "spoofs" the MAC address of another host so that the attacker's NIC receives frames that were meant for another host. A flooding attack involves generating spurious ARP table entries to the switch in order to overload the memory available for holding MAC addresses and cause the switch to echo frames to all ports (because it cannot figure out where to send them).

One of the things that you can do to defeat poisoning attacks on ARP tables is to have the ARP entries loaded statically at boot up. You can protect your machine from having it's outbound frames diverted by statically defining the ARP entry for the gateway's MAC address. For incoming packets, the gateway would have to stically define the ARP entry for your host.

So by default, no one else could use tcpdump on your segment and see your traffic (except for you, since you were executing tcpdump on your own host, and the gateway). Any layer 3 filtering would be largely pointless because local segment attacks would come at layer 2.

Last edited by chort; 09-06-2004 at 04:32 PM.
 
Old 09-07-2004, 01:57 AM   #3
R4z0r
Member
 
Registered: Jan 2002
Distribution: CentOS 3.1
Posts: 119

Original Poster
Rep: Reputation: 15
Hi Chort. Thanks for the very imformative post, appreciated.

R4z0r
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Network cards were switched Worstje Slackware 3 11-17-2004 08:20 AM
ntop in a switched network cccc Linux - Networking 0 11-07-2004 09:54 AM
Need theory advice from security experts GT3NE1 Linux - Security 3 10-14-2004 07:55 PM
which linux sniffer can I use on the switched network ? cccc Linux - Networking 2 07-24-2004 06:30 PM
Correct way to sniff switched network msymms Linux - Networking 8 11-07-2003 11:33 AM


All times are GMT -5. The time now is 01:02 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration