Joshua Boyd  <jdboyd at jdboyd.net> wrote:
> On Fri, Apr 16, 2004 at 11:56:36AM -0400, Patrick Giagnocavo wrote:
>> A switch is better than a hub to avoid sniffers. 
> Err, how is a slow switch going to do that for you when your connection is
> slower than the switch?

The theory goes that a switch only sends traffic down ports that are
supposed to see it. So running a sniffer on a host on your LAN won't achieve
much as the host will only see traffic that was destined for its own MAC
address anyway.

Unfortunately, (unmanaged) switches are only an optimisation of hubs rather
than a security device in their own right. This is because a hostile host
can generate loads of bogus MAC addresses to overflow the switch's MAC
table. If this happens, switches will degenerate into hubs. (Since after
all, if this overflow happens in normal use of the switch, you'd rather have
a degraded network than no network, right?)

So in general, having a switch *helps* defend against sniffing, but won't
stop a determined attacker. And these days, with point and drool hacking
tools, they can all be determined attackers.

Security-wise, I treat switches as fast hubs. Layer 2 is not a good place to
do security.
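The mechanism described in the message above, as an added example that is not part of the original post or of any real switch firmware: a toy learning switch with a bounded MAC table. When a host on a third port floods frames with thousands of bogus source addresses, the legitimate entries get evicted and the next frame between two honest hosts is flooded out of every port, which is exactly the "degenerates into a hub" behaviour. The same model also takes an optional per-port address limit, standing in for the kind of port-security feature a managed switch offers, to show why the message singles out unmanaged switches. The switch model, table size, port numbers and all MAC addresses are constructed for illustration.

```python
"""Toy model of a learning switch and a MAC-table flooding attack.

Added example for this thread, not code from the original message.
The switch, its table size, the port numbers and every MAC address
below are constructed for illustration only.
"""
from collections import OrderedDict


class LearningSwitch:
    """Minimal learning switch: learn source MAC -> port, forward by destination.

    max_macs_per_port=None models an unmanaged switch. A managed switch's
    port-security style limit is modelled by setting it to a small number:
    new source MACs beyond the limit on a port are simply not learned.
    """

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port
        # mac -> port; OrderedDict so the least recently seen entry is first
        self.mac_table = OrderedDict()

    def macs_on_port(self, port):
        return sum(1 for p in self.mac_table.values() if p == port)

    def learn(self, src_mac, in_port):
        if src_mac in self.mac_table:
            self.mac_table.move_to_end(src_mac)
            self.mac_table[src_mac] = in_port
            return
        if (self.max_macs_per_port is not None
                and self.macs_on_port(in_port) >= self.max_macs_per_port):
            return  # port limit reached: refuse to learn new addresses here
        self.mac_table[src_mac] = in_port
        # Table full: evict the least recently seen entry. Real hardware
        # varies (some stop learning instead), but either way frames to
        # addresses that are no longer in the table get flooded.
        while len(self.mac_table) > self.table_size:
            self.mac_table.popitem(last=False)

    def forward(self, src_mac, dst_mac, in_port):
        """Return the sorted list of egress ports for one frame."""
        self.learn(src_mac, in_port)
        out = self.mac_table.get(dst_mac)
        if out is not None:
            return [] if out == in_port else [out]
        # Unknown destination: flood out of every other port, hub-style.
        return sorted(p for p in self.ports if p != in_port)


# Constructed hosts: Alice and Bob are honest, Mallory runs the sniffer.
ALICE, BOB = "02:00:00:00:00:01", "02:00:00:00:00:02"
ALICE_PORT, BOB_PORT, MALLORY_PORT = 1, 2, 3
BROADCAST = "ff:ff:ff:ff:ff:ff"


def bogus_mac(i):
    """Constructed attacker source address number i (locally administered)."""
    return "02:ba:d0:" + ":".join(f"{(i >> s) & 0xff:02x}" for s in (16, 8, 0))


def run_scenario(table_size=1024, bogus_frames=2000, max_macs_per_port=None):
    sw = LearningSwitch(ports=[1, 2, 3], table_size=table_size,
                        max_macs_per_port=max_macs_per_port)
    # 1. Normal traffic: after one exchange the switch knows both hosts.
    sw.forward(ALICE, BOB, ALICE_PORT)           # Bob unknown yet: flooded
    sw.forward(BOB, ALICE, BOB_PORT)             # switch learns Bob
    before = sw.forward(ALICE, BOB, ALICE_PORT)  # unicast to Bob's port only
    # 2. Mallory floods frames with bogus source MACs from her port.
    for i in range(bogus_frames):
        sw.forward(bogus_mac(i), BROADCAST, MALLORY_PORT)
    # 3. Alice sends to Bob again: is Bob's entry still in the table?
    after = sw.forward(ALICE, BOB, ALICE_PORT)
    return {"before": before, "after": after,
            "mallory_sees_after": MALLORY_PORT in after,
            "table_entries": len(sw.mac_table)}


if __name__ == "__main__":
    print("unmanaged :", run_scenario())
    print("port limit:", run_scenario(max_macs_per_port=2))
```

In the unmanaged run the Alice-to-Bob frame goes only to port 2 before the flood and to ports 2 and 3 after it, so the sniffer on port 3 now sees it. The attacker has to keep flooding, because Bob's next reply re-learns his address and unicast resumes until it is evicted again. With a per-port limit of two addresses the bogus entries are refused, the table stays at four entries and the frame is never flooded to port 3.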

