tlug Mailing List Archive

Re: [tlug] Class B Hubs not suitable for data center use?
- Date: Sat, 31 Aug 2002 13:55:38 +0900
- From: Jonathan Q <jq@example.com>
- Subject: Re: [tlug] Class B Hubs not suitable for data center use?
- References: <20020828203632.GS11721@example.com> <E17kEUb-0007MJ-00@example.com> <20020831004904.2DAE.SL@example.com>
- User-agent: Mutt/1.4i
On Sat, Aug 31, 2002 at 12:49:06AM +0900, Stephen Lee wrote:

> I am sure Jonathan knows this, but the above is not _completely_ true.
> A switch does forward packets that are destined to unknown hosts (i.e.
> not in its MAC cache [not ARP cache]) to all (but the originating) ports.

This is a good point, thanks for bringing it up. It's a very small window, though, because when a new host is connected to the switch, its MAC address gets cached quickly. The LAN addresses are all known, and packets bound outside of the LAN will be going to the gateway, the address of which is also known. This means that the opportunities for a packet to be broadcast out all ports are quite limited. However, as Stephen correctly points out, they are non-zero, so you should be aware of them.

A short vulnerability window is also open if you have to reboot the switch, since this clears the MAC cache and it needs to be rebuilt. This window, too, will be very small (measurable in seconds).

> All in all, although a switched ethernet is more secure, one should not
> assume that an ethernet cannot be sniffed, switched or not.

This is very good advice. Never assume anything cannot be sniffed, even if it's your home LAN, you control every host on it, it sits behind two layers of firewalling and NAT, and it's switched. This just makes it much, much harder for an intruder to get into your network and sniff packets, but it doesn't make it impossible. Especially if there are Windows machines on that LAN. We've all heard of Kazaa and other spyware-bearing Windows software. It would be trivial to make spyware that would set the NIC to promiscuous mode, sniff your local network and send the results to someone else. No matter how safe you think you are, you're probably a little less safe than that.

A basic switch is, anyway, a good and inexpensive security improvement for your network, and it will also boost performance on your LAN. All in all, a good investment.

Advanced switches carry additional security features, such as the ability to lock out unused ports and lock ports to specific MAC addresses. These parameters will survive a reboot because they are written to flash memory.

On top of all this, it remains important to also maintain physical security over a switch. In an office setting, it should be inside of a locked LAN closet, and access to the keys should, of course, be restricted. If you don't have a LAN closet, that's another problem :-) Even a highly secure network becomes much more vulnerable if an attacker has physical access and time.

Jonathan

GPG key: DF12B4EF (5399 C834 3ABB C3AF 610C 5345 D5D6 E6EA DF12 B4EF)
gpg --keyserver pgp.mit.edu --recv-keys DF12B4EF
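As an added illustration of the two points made in the message above (unknown-destination frames being flooded out every port until the MAC cache is populated, and reboot clearing that cache while port-security settings survive), the following Python simulates a learning switch's MAC table. This is example code written for this archive page, not code from the thread or from any switch vendor. The class name, the port numbering, and the policy of silently dropping a frame whose source MAC violates a locked port are assumptions made for the example; real managed switches differ in details such as error-disabling the offending port.

```python
"""Simulated learning Ethernet switch: MAC learning, unknown-unicast
flooding, volatile cache vs. persistent port security.

Constructed example for illustration; MAC addresses below are made up.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class LearningSwitch:
    ports: int
    # Volatile forwarding table (dst MAC -> port). Lost on reboot.
    mac_table: dict = field(default_factory=dict)
    # Port security, modelled as stored in flash: survives reboot.
    locked: dict = field(default_factory=dict)   # port -> only allowed src MAC
    disabled: set = field(default_factory=set)   # administratively down ports

    def lock_port(self, port: int, mac: str) -> None:
        """Bind a port to a single source MAC (assumed 'sticky' semantics)."""
        self.locked[port] = mac.lower()

    def disable_port(self, port: int) -> None:
        """Shut an unused port so nothing plugged into it is forwarded."""
        self.disabled.add(port)

    def reboot(self) -> None:
        """Clear the MAC cache only; locked/disabled ports are kept."""
        self.mac_table.clear()

    def forward(self, ingress: int, src: str, dst: str) -> set:
        """Return the egress ports a frame is sent to (empty set = dropped).

        Learns the source MAC, then either forwards to the single known
        port for dst or floods to every other active port when dst is
        unknown or broadcast. This flood is the sniffing window from the
        thread: any host on any active port receives the frame.
        """
        src, dst = src.lower(), dst.lower()
        if ingress in self.disabled:
            return set()
        allowed = self.locked.get(ingress)
        if allowed is not None and allowed != src:
            # Port-security violation: assumed policy is to drop the frame.
            return set()
        self.mac_table[src] = ingress
        if dst == BROADCAST or dst not in self.mac_table:
            return {p for p in range(self.ports)
                    if p != ingress and p not in self.disabled}
        out = self.mac_table[dst]
        return set() if out == ingress else {out}


# Constructed addresses for the demo.
HOST_A = "00:11:22:33:44:01"
GATEWAY = "00:11:22:33:44:fe"


def flooding_window_demo() -> list:
    """Walk through the window described in the message and return the
    egress set at each step, in order: first frame (floods), reply (learned),
    second frame (unicast), same frame after a reboot (floods again)."""
    sw = LearningSwitch(ports=4)
    steps = [sw.forward(0, HOST_A, GATEWAY)]   # gateway unknown -> flood
    steps.append(sw.forward(1, GATEWAY, HOST_A))  # A already learned
    steps.append(sw.forward(0, HOST_A, GATEWAY))  # both known -> port 1 only
    sw.reboot()
    steps.append(sw.forward(0, HOST_A, GATEWAY))  # cache gone -> flood again
    return steps


if __name__ == "__main__":
    for i, egress in enumerate(flooding_window_demo(), 1):
        print(f"step {i}: egress ports {sorted(egress)}")
```

Running the demo shows the asymmetry the message describes: the first frame to the gateway and the first frame after a reboot reach every port, while steady-state traffic is pinned to one port. Locking port 2 to one MAC and disabling an unused port 3 shrinks the flood set and drops frames from a substituted host, which is what the "advanced switch" features buy you in practice.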
- Follow-Ups:
- [tlug] Re: Class B Hubs not suitable for data center use?
- From: Tobias Diedrich
- Re: [tlug] Class B Hubs not suitable for data center use?
- From: bruno raoult
- References:
- Re: [tlug] Class B Hubs not suitable for data center use?
- From: Josh Glover
- Re: [tlug] Class B Hubs not suitable for data center use?
- From: Jonathan Q
- Re: [tlug] Class B Hubs not suitable for data center use?
- From: Stephen Lee