[ale] KISS: Is Sniffing a Real Threat in a modern Switched LAN?

neal at mnopltd.com neal at mnopltd.com
Thu Mar 11 11:46:29 EST 2021


Ok, thanks for that info.  Now, in the scenario below, debating what NEW 
exposure we might be adding with making downstairs Wifi an access point, 
and adding a linux server running Jamulus... One might wonder how a 
notebook or tablet with a Wifi connection could muster enough traffic to 
over-saturate a gigabit wired switch.  Especially if bandwidth limits 
are enforced by the Access point.

THEN, not only does the switch need to start hubbing, but one has to 
also cause the same behavior in a brand spanking new Ubiquiti 
EdgeRouter.

In order to maybe sniff enough of the HTTPS encrypted traffic to try and 
crack the encryption and find bank account numbers and passcodes.

Is that a realistic threat?

If there is a hole in the linux server, that would have a gigabit Cat5 
connection.  But same situation applies - it would have to cause a new 
router to mess up to sniff traffic on another Eth port.   Is that 
realistic?

I'm not saying impossible, but how motivated would one need to be and 
how likely?

Regards,

Neal

On 2021-03-11 09:43, Ed Cashin wrote:
> In the past, many switches, when confronted with enough traffic, have
> fallen back to acting like hubs.  Nefarious people have generated
> large amounts of traffic in order to trigger that condition and allow
> sniffing.  This specific problem is an example of a larger issue: When
> securing networks, only security in depth is practical.
> 
> Bugs (and designed behavior that is problematic) can always cause one
> or more layers to stop enforcing expected security guarantees.  That's
> why people get so excited about, e.g., the end-to-end encryption of
> something like Signal.  Even if something goes wrong (like sniffing
> inside the cloud service provider's network) you still have some
> guarantees.
> 
> On Thu, Mar 11, 2021 at 10:01 AM Neal Rhodes via Ale <ale at ale.org>
> wrote:
> 
>> Ok, maybe slightly OT BUT there is a linux server involved...
>> 
>> Again looking at what security is really needed, but going deeper.
>> 
>> What assets need protection?  Turns out, everything is in the cloud.
>> 
>> The question is: if we make a downstairs Wifi router be an access point
>> instead, do we really expose anything?
>> 
>> Primary EdgeRouter-X Router: (has 5 ports; Eth1-5 are all on 192.168.1.x)
>> - Eth0 - WAN port goes to Comcast Router;
>> - Eth1 - NetGear jgs524pe Switch in office
>>   - Office Win10 Desktop
>>   - https access to Banking, Financials, Roster <== Primary Security Concern
>>   - Polycom phone-set
>>   - Office Win10 Desktop
>>   - https access to Banking, Financials, Roster <== Primary Security Concern
>>   - Linksys Wifi Access Point
>>   - Office Notebooks
>> 
>> - Eth2 - NetGear jgs524pe Switch downstairs
>>   - ASUS Wifi in Hall downstairs, configured as Access Point
>>   - Ubuntu Desktop on Wired port, running Jamulus on forwarded UDP port 22124  <== Can this be a Threat?
>>   - Children in Community Schools doing Distance Learning with personal notebooks <== Can this be a Threat?
>> 
>> My understanding is that due to the nature of how a switch works, so
>> long as office staff always use wired connections to do HTTPS cloud
>> work, there is simply no way for anything downstairs, on a different
>> switch, to sniff the HTTPS traffic.  Even other desktops on the same
>> switch in the office could not sniff the HTTPS traffic of the other
>> desktops.  So long as those computers leave the Windows firewall
>> running, don't allow RDP, etc, I don't see an exposure.
>> 
>> It would seem dubious for Office computers to use Wifi connections for
>> banking, and we should make that a taboo.
>> 
>> BUT, I can't see how an exploit could piggyback in on a child's notebook
>> and gain any sniffing access upstairs?  Nor could a flaw in the Jamulus
>> server which ultimately provided a linux command line result in getting
>> access to financial computers.
>> 
>> I was debating about firing up Samba on the Linux box to make it easy to
>> grab multi-track audio recordings, but... maybe we'd best not, and use
>> WinSCP instead.
>> 
>> Thoughts?
>> 
>> Neal
> 
> --
> 
>   Ed Cashin <ecashin at noserose.net>

