Handbook of Local Area Networks, 1998 Edition: LAN Security

LAN BACKGROUND

Traditional Token-Ring and Ethernet networks are known as shared media or broadcast networks. These networks operate by sending information in units known as frames (referenced in level two of the OSI model). Each frame contains information, including the sender's address and the destination address. In simple terms, at any given time there will be a maximum of one successful sender on the network. This sender is broadcasting a frame (much as a television station broadcasts a TV signal). Every receiver can see the broadcast message, but only the one with the correct destination address (i.e., the one whose address matches the destination address specified within the frame) is interested in the data contents of the broadcast message. Some time later, another computer becomes the broadcaster and the cycle continues.

There is also a special case on most broadcast networks that is used to facilitate true broadcast messages (called a broadcast frame). These messages tend to be things like service advertisements and routing information. A broadcast frame should not be confused with the broadcast nature of the network itself. In a perfect world, only the machine whose address matches the destination field of the frame would read the data. Unfortunately, this is not a perfect world.

Most modern network interface cards (NICs) can be configured to behave in promiscuous mode. This means that the card reads not only the frames destined for it, but all frames that it can see. A program designed just for this purpose is called a sniffer. Sniffers have been built so that network managers can gather network statistics and analyze traffic. They have also been written by computer hackers to illicitly grab information off of the network. There are several methods for defending against this sort of attack.

Frames can be sniffed within any network they traverse. The traditional devices for partitioning subnets include routers that connect different subnets (OSI level three) and bridges that are used to partition a subnet (OSI level two). If important information (e.g., a password) is being exchanged with machines in other networks, a sniffer in any of the intermediate networks can also illegally grab that information. In Exhibit 8-1-3, there are three networks. The user's computer is sitting on Network A, communicating with a server on Network C. Network B is an intermediate network that sits between Network A and Network C. All traffic between Networks A and C must traverse B. Therefore, security on both A and C can be compromised by a breach of B.

Exhibit 8-1-3. Sniffing on Transient Networks

Solutions to Sniffing

There are four solutions to sniffing: limited access, secure hubs, switched LANs, and end-to-end encryption. Each of these is discussed in detail in the following sections.

Limited Access

Obviously, if hackers cannot access a network, they cannot sniff frames off a LAN. However, it is not always possible to limit a LAN too severely. For example, some hotels now offer Ethernet connectivity to their guests' rooms. In this case, it is difficult to know who the hackers are.

Secure Hubs

Hub manufacturers have recently designed hubs (e.g., MAUs) that have the ability to sense the MAC address of the attached station. In addition, the administrator can configure the hub so that only one particular MAC address may be attached to a particular port. If the hub senses that an incorrect MAC address is attached to a secure port, that port is deactivated. Therefore, the nature of the protocol is not changed. This method has some drawbacks. First, a user on a trusted station can still successfully run sniffer software. Second, network administrators will experience more overhead when moving network devices. In some areas this would not work well, for example, a conference room where many users present information on their laptops.

Switched LANs

Recent advances in networking technologies have introduced switched versions of Token Ring and Ethernet. In a completely switched environment, each user has his or her own port on the switch. For each frame sent, the switch establishes a virtual connection to the destination port. Because the switch will not send the frame to a port that does not match the destination address, the chances of useful information being successfully sniffed are substantially reduced. However, switches are expensive and completely switched environments are rare. In addition, the switch only remembers the MAC address-to-port mapping for a short period of time. After this is forgotten, the switch acts as a shared medium while it relocates the port. While in this shared mode, it is possible (although unlikely) for useful information to be sniffed.

End-to-End Encryption

The best way to avoid sniffing problems is to make the information being sniffed useless. Data encryption can provide such a solution. In effective encryption environments, the client and the server agree on an encryption scheme. This scheme is usually based on a key and then perturbed by additional information (e.g., the time). The key itself is never sent over any network. Such a system is immune to sniffing: the frames can still be captured, but their contents are useless without the key.
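As an added example (not from the Handbook), the following Python model contrasts a shared hub with a learning switch whose MAC-to-port table ages out, showing which ports, and therefore which stations' promiscuous NICs, can see a given frame, including the flood that occurs while the switch has forgotten a destination. Port numbers, MAC addresses and the aging period are constructed values.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"   # destination address of a true broadcast frame

@dataclass
class Frame:
    src: str        # sender's MAC address
    dst: str        # destination MAC address
    payload: bytes = b""

class Hub:
    """Shared medium: every frame is repeated to every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, frame, ingress, now=0):
        return self.ports - {ingress}

class LearningSwitch:
    """Learns source MAC -> port from traffic; an entry is forgotten after `age` seconds."""

    def __init__(self, ports, age=300):
        self.ports = set(ports)
        self.age = age
        self.table = {}   # mac -> (port, time last seen)

    def forward(self, frame, ingress, now):
        self.table[frame.src] = (ingress, now)          # learn where the sender lives
        self.table = {m: (p, t) for m, (p, t) in self.table.items() if now - t <= self.age}
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            # broadcast, unknown or expired destination: flood, i.e. behave as a shared medium
            return self.ports - {ingress}
        return {entry[0]} - {ingress}                   # known destination: one port only

def nic_accepts(frame, own_mac, promiscuous=False):
    """Normal mode keeps only frames addressed to this NIC or to the broadcast address;
    promiscuous mode keeps everything the port delivers."""
    return promiscuous or frame.dst in (own_mac, BROADCAST)

def sniffable_by(device, frame, ingress, stations, now=0):
    """MACs of stations (other than the intended receiver) whose promiscuous NIC
    would capture `frame`. `stations` maps port -> MAC of the attached station."""
    delivered = device.forward(frame, ingress, now)
    return {mac for port, mac in stations.items()
            if port in delivered and mac != frame.dst and nic_accepts(frame, mac, True)}
```

On the hub every other station can capture a unicast frame; on the switch only the learned destination port receives it, until the table entry expires and the frame is flooded again.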
Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved.


