
R4z0r 09-06-2004 01:37 PM

One for the experts (Switched network security)
Hey all.

Now this isn't totally Linux related but I know there are a lot of network pros here so I hope you can help!

I have a server co-hosted and it is in a /24 subnet on a switched network. All machines are part of the same VLAN :eek:

Now I am concerned as to how much other people on this switch segment can see of my server. I run POP3/IMAP, etc. and am concerned people could sniff my passwords.

I've tried a little experiment by connecting to my server with an IMAP client and then tcpdumping the traffic - all I get is something like the below:


19:29:15.143226 <myserver>.imap > myhomepc.4515: P 250:496(246) ack 69 win 5840 (DF)

Which seems quite promising as there is not much info there, but is that because of how I have tcpdump running (I'm running it with no extra options)?

What I want to know, is my server safe like this?

If not, what can I do to protect it?

I am thinking of setting up a firewall rule that prevents my server from talking to anyone else on that /24 (except the default gw) which will help the layer 3 stuff but I don't know if there's anything I can do about the layer 2 stuff (as everyone is on the same VLAN).


chort 09-06-2004 04:30 PM

Well, the implications are the same as with any switched network segment. By default, a switched network segment only sends Ethernet frames to the MAC address that corresponds with the IP address of the destination (compared to a hub, which sends the Ethernet frame to every port and trusts the NIC plugged into the port to only view what it's supposed to).

It is possible to attack a switched network in two ways, either by poisoning or by flooding. A poisoning attack "spoofs" the MAC address of another host so that the attacker's NIC receives frames that were meant for another host. A flooding attack involves generating spurious ARP table entries to the switch in order to overload the memory available for holding MAC addresses and cause the switch to echo frames to all ports (because it cannot figure out where to send them).

One of the things that you can do to defeat poisoning attacks on ARP tables is to have the ARP entries loaded statically at boot up. You can protect your machine from having its outbound frames diverted by statically defining the ARP entry for the gateway's MAC address. For incoming packets, the gateway would have to statically define the ARP entry for your host.

So by default, no one else could use tcpdump on your segment and see your traffic (except for you, since you were executing tcpdump on your own host, and the gateway). Any layer 3 filtering would be largely pointless because local segment attacks would come at layer 2.
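
The static gateway ARP entry described in the post above, as an added example that is not part of the original thread: a check of a Linux ARP cache (`/proc/net/arp` layout) against a pinned gateway MAC, plus the iproute2 command that installs the static entry. The addresses, the sample table and the function names are constructed for illustration.

```python
"""Audit a Linux ARP cache (/proc/net/arp layout) against a pinned gateway MAC."""

ATF_PERM = 0x04  # kernel flag: entry is permanent (static), not learned from ARP replies

# Constructed sample in /proc/net/arp layout; addresses are documentation values.
SAMPLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:aa:bb:cc     *        eth0
192.0.2.57       0x1         0x2         02:00:00:aa:bb:cc     *        eth0
192.0.2.80       0x1         0x2         02:00:00:11:22:33     *        eth0
"""

def parse_arp(text):
    """Return one dict per ARP cache row (header line skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) == 6:
            rows.append({"ip": f[0], "flags": int(f[2], 16),
                         "mac": f[3].lower(), "dev": f[5]})
    return rows

def audit(text, gw_ip, gw_mac):
    """Compare the cache with the known-good gateway MAC and list findings."""
    findings, rows = [], parse_arp(text)
    gw = next((r for r in rows if r["ip"] == gw_ip), None)
    if gw is None:
        findings.append("gateway-missing")
    else:
        if gw["mac"] != gw_mac.lower():
            findings.append("gateway-mac-mismatch")
        if not gw["flags"] & ATF_PERM:
            findings.append("gateway-not-static")
    # The same MAC answering for the gateway and for another IP is a common
    # symptom of a poisoned cache (proxy ARP can also cause it).
    by_mac = {}
    for r in rows:
        by_mac.setdefault(r["mac"], set()).add(r["ip"])
    for ips in by_mac.values():
        if gw_ip in ips and len(ips) > 1:
            findings.append("gateway-mac-shared:" + ",".join(sorted(ips - {gw_ip})))
    return findings

def pin_command(gw_ip, gw_mac, dev):
    """iproute2 command that installs a permanent (static) neighbour entry."""
    return f"ip neigh replace {gw_ip} lladdr {gw_mac} dev {dev} nud permanent"

if __name__ == "__main__":
    print(audit(SAMPLE, "192.0.2.1", "02:00:00:de:ad:01"))
    print(pin_command("192.0.2.1", "02:00:00:de:ad:01", "eth0"))
```

On a live host, pass the contents of `/proc/net/arp` to `audit()` with the gateway MAC obtained from the hosting provider rather than from the cache itself.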

R4z0r 09-07-2004 01:57 AM

Hi Chort. Thanks for the very informative post, appreciated.

