[ale] Is Promiscuous Sniffing just not so much Fun anymore? (mostly on-topic)

JD jdp at algoloma.com
Tue Dec 10 23:23:44 EST 2013 

You said "LAN/WAN" .... so I assumed the worst case.
If they are on the same switch and on the same subnet, it would take a terrible
network admin to force the traffic to any other network device by accident.

Some switches have a replication port option ... used for IPS/IDS needs. I've
only seen this used in fairly large organizations to trace all network traffic
or to validate that software issues were not really network issues.  99% of the
time, it would be traced back to a software issue - the network guys where I've
worked were EXTREMELY good.  The only failure that we traced to a network change
was for long-open CORBA connections. The firewall was modified to close any
connection open over 24 hrs and the software didn't auto-reconnect. The problem
system had been running with open CORBA connections for a few yrs prior to that
time. All the traffic was on private networks, even the remote traffic over
cellular data networks, so there wasn't much risk, but the security guys didn't
control the cell network and were paranoid (in a belt-and-suspenders way).

But ... overall, your statement is probably correct.  Two servers on the same
LAN segment connected to the same switch will not have traffic between routed
elsewhere.

On 12/11/2013 05:42 AM, Neal Rhodes wrote:
> I hear that.   But two servers, same rack, plugged into the same switch, on the
> same LAN, will not hit their gateway router - they will ARP to find each other,
> and talk through the switch, and you ain't gonna see any of that, even if you
> managed to plug into the data center switch.  Correct?
> 
> We're playing a little devil's advocate here, trying to decide if we're looking
> at securing against a realistic threat or just keeping the auditors happy.
> 
> On Tue, 2013-12-10 at 17:02 -0500, JD wrote:
>> If 2 locations are connected through public internet, don't trust it. There are
>> routing attacks which have been known for years and I suspect any 2 sites using
>> HTTP or HTTPS connections in that way will be unlikely to be monitoring network
>> performance at much detail.
>>
>> Servers should be on a different subnet and fire walled from desktops even in
>> the same location.
>>
>> Can't recall where I saw a recent article about this, but routing has both
>> accidentally and with clear purpose caused traffic to be sent very far away from
>> expected places.  Recall when all youtube traffic was sent through Pakistan
>> "accidentally"? I am positive that could be done between two corporate locations
>> using the internet for connections too.
>>
>> IPSec. Not sure I'd trust anything less.
>>
>> On 12/10/2013 02:08 PM, Neal Rhodes wrote:
>> > So, picture two servers which talk to each other within a corporate LAN/WAN in a
>> > data center, and worker bees in an office location elsewhere in the same city,
>> > who only have hard-wired LAN access, and assume they have IP connectivity to the
>> > data center.
>> > 
>> > And picture that these two servers have an unsecured http protocol they talk over.
>> > 
>> > And picture a worker bee with too much time on their hands and the intent to
>> > hijack this.
>> > 
>> > If said worker bee managed to get WireShark or similar installed on their
>> > workstation,  they could sniff whatever that hard Cat5 cable can see.    Which,
>> > assuming it is connected to a switch, not an old-fashioned hub, is pretty much
>> > zilch.   Basically their own traffic.
>> > 
>> > They can't see most traffic to/from the guy in the next cubicle to the servers,
>> > because the switch doesn't normally let them see it.   For performance reasons,
>> > it isolates each LAN port.    They can't see any of the server-server packets,
>> > because the two routers in between behave like switches, not hubs, and don't
>> > route local server-server traffic.
>> > 
>> > So, assuming that Wifi is not available, it seems like the LAN sniffer attack
>> > vector based on seeing what is happening is pretty much moot.    That is not to
>> > say that actively probing isn't rewarding. 
>> > 
>> > Let's take it one step farther: presume that it is trivial for these two servers
>> > to switch from talking http:80 to each other and start talking https:443 to each
>> > other.    From the perspective above, this is a negligible practical
>> > improvement.    It only gets interesting if we imagine someone able to get onto
>> > the local LAN in the data center.  But even then, presuming that is also a
>> > switch, they ain't gonna see spit.
>> > 
>> > Let's take it one step farther: assume that they could in fact compromise the
>> > data center switch, and capture a pile of the https traffic between servers.  
>> > Would we logically assume that given today's technology that they could manage
>> > to decrypt it with enough CPU and time?
>> > 
>> > Thoughts?
>> > 
>> > Neal Rhodes
>> > MNOP Ltd
>> > 
>> >

More information about the Ale mailing list