[ale] KISS: Is Sniffing a Real Threat in a modern Switched LAN?

DJ-Pfulio DJPfulio at jdpfu.com
Thu Mar 11 10:42:26 EST 2021


Any wifi without requiring a full VPN to secure it is a failure, IMHO.
But most places probably think WPA2-PSK is secure. It might be or it 
might not be secure. Depends on lots of other stuff being exactly 
correct.

OTOH, if wifi is for guest-only users, I wouldn't worry.

For banking, there are many more steps needed. Non-personal bank 
accounts don't have the same insurance protections that individual
accounts get.
https://krebsonsecurity.com/online-banking-best-practices-for-businesses/

+1 for using WinSCP.

On 3/11/21 10:01 AM, Neal Rhodes via Ale wrote:
> Ok, maybe slightly OT BUT there is a linux server involved...
> 
> Again looking at what security is really needed, but going deeper.
> What assets need protection?  Turns out, everything is in the cloud.
> 
> The question is: if we make a downstairs Wifi router be an access
> point instead, do we really expose anything?
> 
> 
> Primary EdgeRouter-X Router: (has 5 ports; Eth1-5 are all on 192.168.1.x)
> - Eth0 - WAN port goes to Comcast Router;
> - Eth1 - NetGear jgs524pe Switch in office
>   - Office Win10 Desktop - https access to Banking, Financials, Roster   <== Primary Security Concern
>   - Polycon phone-set
>   - Office Win10 Desktop - https access to Banking, Financials, Roster  <== Primary Security Concern
>   - Linksys Wifi Access Point
>   - Office Notebooks
>
> - Eth2 - NetGear jgs524pe Switch downstairs
>   - ASUS Wifi in Hall downstairs, configured as Access Point
>   - Ubuntu Desktop on Wired port, running Jamulus on forwarded UDP port 22124  <== Can this be a Threat?
>   - Children in Community Schools doing Distance Learning with personal notebooks <== Can this be a Threat?
> 
> My understanding is that due to the nature of how a switch works, so
> long as office staff always use wired connections to do HTTPS cloud
> work, there is simply no way for anything downstairs, on a different
> switch, to sniff the HTTPS traffic. Even other desktops on the same
> switch in the office could not sniff the HTTPS traffic of the other
> desktops. So long as those computers leave the windows firewall
> running, don't allow RDP, etc, I don't see an exposure.
> 
> It would seem dubious for Office computers to use Wifi connections
> for banking, and we should make that a taboo.
> 
> BUT, I can't see how an exploit could piggyback in on a child's
> notebook and gain any sniffing access upstairs?   Nor could a flaw in
> the Jamulus server which ultimately provided a linux command line
> result in getting access to financial computers.
> 
> I was debating about firing up Samba on the Linux box to make it easy
> to grab multi-track audio recordings, but... maybe we'd best not, and
> use winScp instead.
> 
> Thoughts?
> 
> Neal
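
The quoted question turns on where a switch actually sends a frame. The following is an added example, not part of the thread: a toy model of MAC-learning switches showing which hosts' ports carry a copy of each frame. It assumes Eth1 and Eth2 are bridged into one layer-2 segment (the post only says they share 192.168.1.x); host names, port numbers and the "gateway" host are constructed for illustration.

```python
# Toy model of MAC-learning switches. Constructed topology: three bridged
# switches as assumed from the post; host names stand in for MAC addresses.
class Switch:
    def __init__(self, name):
        self.name = name
        self.ports = {}      # port number -> attached Switch or host name
        self.mac_table = {}  # learned source address -> port it arrived on

    def port_of(self, peer):
        return next(p for p, x in self.ports.items() if x is peer)

    def receive(self, in_port, src, dst, seen):
        """Forward one frame; `seen` collects hosts whose port carries a copy."""
        self.mac_table[src] = in_port              # learn the sender's port
        if dst != "broadcast" and dst in self.mac_table:
            out_ports = [self.mac_table[dst]]      # known unicast: one port
        else:
            out_ports = list(self.ports)           # broadcast/unknown: flood
        for port in out_ports:
            if port == in_port:
                continue                           # never back out the ingress port
            peer = self.ports[port]
            if isinstance(peer, Switch):
                peer.receive(peer.port_of(self), src, dst, seen)
            else:
                seen.add(peer)

def link(a, port_a, b, port_b):
    a.ports[port_a], b.ports[port_b] = b, a

def build():
    router, office, down = Switch("router"), Switch("office"), Switch("downstairs")
    link(router, 1, office, 24)                    # Eth1 -> office switch
    link(router, 2, down, 24)                      # Eth2 -> downstairs switch
    router.ports[0] = "gateway"                    # router's LAN address, modelled as a host
    office.ports.update({1: "office_pc1", 2: "office_pc2"})
    down.ports.update({1: "ubuntu", 2: "kid_laptop"})
    return {"gateway": (router, 0), "office_pc1": (office, 1), "office_pc2": (office, 2),
            "ubuntu": (down, 1), "kid_laptop": (down, 2)}

def send(hosts, src, dst):
    switch, port = hosts[src]
    seen = set()
    switch.receive(port, src, dst, seen)
    return seen

if __name__ == "__main__":
    hosts = build()
    for src, dst in [("office_pc1", "gateway"), ("gateway", "office_pc1"),
                     ("office_pc1", "gateway"), ("office_pc1", "broadcast")]:
        print(f"{src} -> {dst}: delivered to {sorted(send(hosts, src, dst))}")
```

Once both addresses are learned, the office-to-gateway frame reaches only the gateway port. Broadcasts and frames to a not-yet-learned address are copied to every port on the segment, downstairs included.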
