Switching and VLAN Security FAQ
(Note: This is from 2000 and has not been touched since)
Executive Summary
Does a switch protect me against sniffing?
No.
Not even a layer 3 switch?
No.
Not even when I use VLANs?
No.
What can I do to prevent sniffing, then?
- Use cross-link cables.
Technical details
But I thought a switch protects against sniffing?!
It does. However, attackers can circumvent this by
- using the administrative access of the switch. Do not expose
the telnet port on the switch! ACLs and passwords are not sufficient.
Use the serial console.
- sending several thousand packets from unused MAC addresses. Most
switches will then suffer a MAC table overflow and switch to hub mode.
dsniff contains a tool called macof that does just that.
- sending spoofed ARP packets. With ARP spoofing you tell host
A that host B's MAC address is foo, then you tell host B that
host A's MAC is bar, and then you sniff for packets to foo
and bar, relaying them back to the original proper MAC addresses
of the hosts whose communication you want to intercept. My
implementation of this attack is called arprelay.
A few switches allow you to set access control lists on the MAC addresses
per port. That will protect against arbitrarily chosen foo and
bar addresses, but it will not protect against the general attack
#3 because the sniffer can still use his normal, authorized MAC
address.
Using static ARP table entries will generally protect against attack #3.
However, Microsoft blew it again: on Windoze, static ARP table entries
are overwritten by ARP packets, so they are completely useless.
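An added example, not from the original FAQ, showing how a monitoring host could spot attacks #2 and #3 from the frames it sees: many distinct source MACs arriving on one port, and an IP address whose MAC mapping suddenly changes (the same check arpwatch performs). The frame records, port numbers and threshold below are constructed for the demo.

```python
# Added example (not from the original FAQ): flag the two switch attacks
# described above from observed frames.
#  - attack #2, MAC table overflow: many distinct source MACs on one port
#  - attack #3, ARP spoofing: an IP that suddenly maps to a different MAC
from collections import defaultdict

# Constructed sample: (switch_port, source_mac, arp_sender_ip) per frame;
# arp_sender_ip is None for frames that are not ARP replies.
SAMPLE_FRAMES = [
    (1, "00:a0:c9:00:00:01", "10.0.0.1"),
    (2, "00:a0:c9:00:00:02", "10.0.0.2"),
    (1, "00:a0:c9:00:00:01", "10.0.0.1"),
    # attack #3: port 3 claims both hosts' IPs with its own MAC
    (3, "00:a0:c9:00:00:03", "10.0.0.1"),
    (3, "00:a0:c9:00:00:03", "10.0.0.2"),
] + [
    # attack #2: a macof-style flood of forged source MACs on port 3
    (3, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), None) for i in range(5000)
]

MAC_FLOOD_THRESHOLD = 1000  # distinct source MACs per port; constructed value

def analyze(frames, flood_threshold=MAC_FLOOD_THRESHOLD):
    """Return (spoof_alerts, flood_alerts) for a list of frame records.

    spoof_alerts: list of (ip, old_mac, new_mac), one per MAC change.
    flood_alerts: sorted ports whose distinct-source-MAC count exceeds
    flood_threshold.
    """
    ip_to_mac = {}                    # last MAC seen claiming each IP
    macs_per_port = defaultdict(set)  # distinct source MACs per port
    spoof_alerts = []
    for port, mac, ip in frames:
        macs_per_port[port].add(mac)
        if ip is None:
            continue
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            spoof_alerts.append((ip, known, mac))
        ip_to_mac[ip] = mac
    flood_alerts = sorted(p for p, macs in macs_per_port.items()
                          if len(macs) > flood_threshold)
    return spoof_alerts, flood_alerts

if __name__ == "__main__":
    spoofs, floods = analyze(SAMPLE_FRAMES)
    for ip, old, new in spoofs:
        print(f"ARP change: {ip} moved from {old} to {new}")
    for port in floods:
        print(f"MAC flood suspected on port {port}")
```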
What about VLANs?
If a switch thinks that another switch is on port 23, then it will
expose the full traffic to that port. The protocol by which switches
detect other switches is an IEEE standard. Malicious attackers can also
speak that protocol to convince a switch of their switchhood.
If your switch allows you to disable this autodetection, do it.