[ale] KISS: Is Sniffing a Real Threat in a modern Switched LAN?
neal at mnopltd.com
Thu Mar 11 10:01:12 EST 2021

Ok, maybe slightly OT BUT there is a linux server involved...

Again looking at what security is really needed, but going deeper.
What assets need protection? Turns out, everything is in the cloud.

The question is: if we make a downstairs Wifi router be an access point
instead, do we really expose anything?

Primary EdgeRouter-X Router: (has 5 ports; Eth1-5 are all on 192.168.1.x)
- Eth0 - WAN port goes to Comcast Router;
- Eth1 - NetGear jgs524pe Switch in office
    - Office Win10 Desktop
        - https access to Banking, Financials, Roster <== Primary Security Concern
    - Polycom phone-set
    - Office Win10 Desktop
        - https access to Banking, Financials, Roster <== Primary Security Concern
    - Linksys Wifi Access Point
        - Office Notebooks
- Eth2 - NetGear jgs524pe Switch downstairs
    - ASUS Wifi in Hall downstairs, configured as Access Point
    - Ubuntu Desktop on Wired port, running Jamulus on forwarded UDP port 22124 <== Can this be a Threat?
    - Children in Community Schools doing Distance Learning with personal notebooks <== Can this be a Threat?

My understanding is that due to the nature of how a switch works, so
long as office staff always use wired connections to do HTTPS cloud
work, there is simply no way for anything downstairs, on a different
switch, to sniff the HTTPS traffic. Even other desktops on the same
switch in the office could not sniff the HTTPS traffic of the other
desktops. So long as those computers leave the Windows firewall
running, don't allow RDP, etc, I don't see an exposure.

It would seem dubious for Office computers to use Wifi connections for
banking, and we should make that a taboo.

BUT, I can't see how an exploit could piggyback in on a child's notebook
and gain any sniffing access upstairs? Nor could a flaw in the Jamulus
server which ultimately provided a Linux command line result in getting
access to financial computers.

I was debating about firing up Samba on the Linux box to make it easy to
grab multi-track audio recordings, but... maybe we'd best not, and use
WinSCP instead.

Thoughts?

Neal