Switching and VLAN Security FAQ

Executive Summary

Does a switch protect me against sniffing?

No.

Not even a layer 3 switch?

No.

Not even when I use VLANs?

No.

What can I do to prevent sniffing, then?

  1. Use cross-link cables.

Technical details

But I thought a switch protects against sniffing?!

It does. However, attackers can circumvent this by

  1. using the administrative access of the switch. Do not expose the telnet port on the switch! ACLs and passwords are not sufficient. Use the serial console.
  2. sending several thousand packets from unused MAC addresses. Most switches will then suffer an MAC table overflow and switch to hub mode. dsniff contains a tool called macof that does just that.
  3. sending spoofed ARP packets. With ARP spoofing you can tell host A that host B's MAC address is foo and then you tell host B that host A's MAC is bar and then you sniff for packets to foo and bar, relaying them back to the original proper MAC addresses of the hosts whose communication you want to intercept. My implementation of attack is this called arprelay.

A few switches allow to set access control lists on the MAC addresses per port. That will protect against arbitrarily chosen foo and bar addresses, but it will not protect against the general attack #3 because the sniffer can still use his normal, authorized MAC address.

Using static ARP table entries will generally protect against attack #3. However, Microsoft blew it again: on Windoze, static ARP table entries are overwritten by ARP packets, so they are completely useless.

What about VLANs?

If a switch thinks that another switch is on port 23, then it will expose the full traffic to that port. The protocol by which switches detect other switches is an IEEE standard. Malicious attackers can also speak that protocol to convince a switch of their switchhood.

If your switch allows you to disable this autodection, do it.