North American Network Operators Group
Re: sniffer/promisc detector
I read the ettercap service description, and still don't see how a rogue machine gets around this:

> Maybe this is just a stupid comment, but if the original poster is that concerned with their LAN being sniffed, then maybe they should consider using IPSec on their LAN.

> It is also possible to sniff a network using only the RX pair, so most of the tools to detect cards in P mode will fail. The new Cisco 6548s have TDR functionality, so you could detect unauthorized connections by their physical characteristics. But there are also tools like ettercap which exploit weaknesses within switched networks. See http://ettercap.sourceforge.net/ for more details (and gain some add'l grey hairs in the process). The question here is what are you trying to defend against?
Switched network of multiple switches, servers on each port have a hardcoded MAC on the switch port. (Ports will not work if the MAC is different than the one described). This prevents MAC flood and MAC poisoning. If you use VLAN to your router and give each server a /30 or /29 that you route its IPs down towards it, your router will only talk to each server in the IP block that has been described by the subnet mask.
I know most people don't take the time to hard code their MACs onto their switch ports, but it really only takes a few seconds per switch with a little cutting & pasting -- as customer switches a network port, they just need to open a ticket to have the address changed.
Am I missing something?
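For reference, here is the setup the post describes written out in Cisco IOS syntax. This is an added example, not configuration from the thread or from any poster; the interface names, VLAN 101, the MAC address and the 192.0.2.0/30 block are constructed placeholders.

```cisco
! Added example, not from the thread. Interface names, VLAN 101, the MAC
! address and the 192.0.2.0/30 block are constructed placeholders.

! --- Switch: one server per access port, its MAC pinned to the port ---
interface FastEthernet0/1
 description server-a (open a ticket to change the allowed MAC)
 switchport mode access
 switchport access vlan 101
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0c12.3456
 ! Any frame with a different source MAC puts the port into err-disabled,
 ! so this port cannot be used to fill the CAM table with bogus entries
 ! (the MAC flood the post mentions) or to claim another host's MAC.
 switchport port-security violation shutdown

! --- Router: each server gets its own VLAN and its own /30 ---
interface Vlan101
 description server-a, 192.0.2.0/30
 ip address 192.0.2.1 255.255.255.252
 ! A /30 leaves exactly one host address besides the router (192.0.2.2);
 ! .0 and .3 are network and broadcast. The router will only ARP for and
 ! talk to that single address on this VLAN, which is the point the post
 ! makes about routing each server's block down toward it.
```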