ARP Poisoning (was Re: [Sussex] Tight File Server)

Nico Kadel-Garcia nkadel at gmail.com
Fri Jul 13 11:10:57 UTC 2007


Andy Smith wrote:
> Hi Nico,
>
> On Fri, Jul 13, 2007 at 04:38:37AM +0100, Nico Kadel-Garcia wrote:
>
>> Andy Smith wrote:
>>
>>> Without transport layer encryption (e.g. SSL, SSH, TLS etc.) any
>>> machine on the LAN can snoop on any other machine on the LAN.
>>> Perhaps that is not an issue if everyone on the LAN is to be able to
>>> read everything on the fileserver, but also think about any visitors
>>> to the office who may wish to plug in their laptops or join the
>>> network via wifi on their phones.
>>>
>> ??? In order for "any" machine to snoop on "any" machine, it has to see
>> the packets, by being on a hub, by cleverly reprogramming the
>> upswitches, or by being a man in the middle.
>>
>
> ARP poisoning can make you man in the middle even on a switched
> network; "port security" (a feature on managed switches that allows
> you to lock a port to one MAC address) does not help because the
> attacker does not lie about their MAC, they lie about their IP.
>
Ouch. I wasn't thinking of that, you have a compelling point.

This is why in a tightly managed network, you should associate MAC 
addresses with specific ports on the switch, to force snoopers to be on 
that same port. But yeah, very few people do that, and most of us could 
slip another switch into the middle of a network connection somewhere 
along the line.  That way, when somebody moves a laptop, you hear about 
it. Or put it on a distinct VLAN where they *must* VPN their way in.

> ettercap is an example of a widely-available tool that turns ARP
> poisoning into a point and click process.  If you are on an Ethernet
> LAN any host on that LAN can eavesdrop on your packets, this is an
> inherent flaw of Ethernet.  It's why it is a good idea to put
> different security groups on different routed networks (likely using
> VLANs to reduce the number of routers required), e.g. don't put your
> wifi access point directly on your LAN otherwise people on the
> street who get onto it can sniff all your LAN as well.
>
Oh. Ow-ow-ow, I hadn't thought about this sort of fun and games with 
wireless. But I absolutely agree it's an issue, and agree with the "use 
a VLAN for wireless" for other security reasons. I wonder if Sandstorm 
Enterprises has thought about this? They sell some nifty network monitor 
tools that re-assemble and

It would seem that polling the state of the switches would be useful for 
detecting this, but I've found such switch polling to be awkward at best 
due to lack of documentation and existing end-user software. Have you 
found particular switches with good tools? I'd welcome recommendations 
for my next such involvement.
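A small detector for the symptom Andy describes above (a host announcing another host's IP with its own MAC, so that one MAC ends up claiming several addresses). This is an added example, not code from the thread or from ettercap; it runs over a constructed list of observed ARP replies rather than a live capture, and the IPs and MACs in it are made up.

```python
"""Flag ARP-poisoning symptoms in a stream of observed ARP replies (added example)."""
from collections import defaultdict

# Constructed sample of "is-at" ARP replies as (sender_ip, sender_mac) pairs,
# in the order they were seen on the wire. The last two entries model a
# workstation claiming both the gateway's and the file server's address.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # gateway
    ("192.168.1.10", "00:11:22:33:44:10"),  # file server
    ("192.168.1.20", "00:11:22:33:44:20"),  # workstation
    ("192.168.1.1", "00:11:22:33:44:20"),   # workstation now claims the gateway IP
    ("192.168.1.10", "00:11:22:33:44:20"),  # ... and the file server IP
]


def detect_arp_conflicts(replies, known=None):
    """Return a list of alert strings for suspicious ARP activity.

    replies: iterable of (ip, mac) pairs taken from ARP replies.
    known:   optional dict ip -> mac of trusted bindings (e.g. the gateway),
             treated as the first thing "seen" for those IPs.

    Two symptoms are reported: an IP whose MAC differs from the one seen
    (or known) earlier, and a single MAC that announces more than one IP,
    which is what a poisoner does to sit between two hosts.
    """
    table = {ip: mac.lower() for ip, mac in (known or {}).items()}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ip} changed from {prev} to {mac}")
        table[ip] = mac
        ips_per_mac[mac].add(ip)
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```

On a real network the (ip, mac) pairs would come from a packet capture or from periodically reading the host's ARP cache; a change in the gateway's MAC is the entry most worth paging on.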
