A lot of people go through their daily lives with the misconception that you can't packet sniff (eavesdrop) in a switched network or encrypted wireless (wifi) environment. Sadly, this is hardly the case.
They think this because a switch is a point-to-point device, which is to say that your computer only talks to the specific switch port it needs to and doesn't ordinarily have access to all traffic passing through the switch.
Unfortunately, in the real world, there are hacking/penetration tools such as Cain that allow someone running them to do what is called ARP (Address Resolution Protocol) poisoning. Basically, it works by fooling the network switch into thinking that all traffic going through the switch needs to go through the hacker's computer, almost as if that computer were the gateway router for the switched segment.
This allows anyone running these tools to sniff all traffic going through a switch or to even change traffic that they are seeing (perform a man-in-the-middle attack).
Pretty scary stuff, eh?
But there are ways to mitigate this sort of risk. Many modern managed switch makers such as Cisco, Extreme, Dlink and others include a feature called DHCP snooping with their switches that allows the switch to monitor MAC addresses and sense if DHCP-enabled clients change their MAC addresses. Of course, since it can only monitor DHCP-enabled systems, an attacker may be able to work around this solution simply by giving the attacking system a static IP address.
There are other solutions out there, but they can be costly (ArpDefender) or allow for monitoring only (ArpWatch).
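To show what the "monitoring only" approach actually buys you, here is an added example of the kind of check ArpWatch performs: it learns which MAC answers for each IP and raises an alert when a known IP suddenly answers from a different MAC, or when one MAC starts claiming several IPs. This is illustrative code written for this post, not ArpWatch's own, and the ARP observations below are constructed, not captured from a real network.

```python
from collections import defaultdict

# Constructed ARP observations (not a real capture):
# (sequence number, operation, sender IP, sender MAC). "reply" = ARP is-at.
OBSERVED_ARP = [
    (1, "reply", "192.168.1.1",  "aa:bb:cc:00:00:01"),  # gateway, legitimate
    (2, "reply", "192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation
    (3, "reply", "192.168.1.1",  "aa:bb:cc:00:00:99"),  # gateway IP now claimed by a new MAC
    (4, "reply", "192.168.1.20", "aa:bb:cc:00:00:99"),  # same MAC also claims the workstation
    (5, "reply", "192.168.1.1",  "aa:bb:cc:00:00:01"),  # real gateway answers again (flip-flop)
]


def audit_arp(observations):
    """ArpWatch-style audit of ARP replies.

    Learns IP -> MAC pairings as they are first seen and reports:
      * a known IP answering from a different MAC ("changed ethernet address"),
      * one MAC claiming more than one IP (the shape of a man-in-the-middle
        setup where the attacker poses as both the gateway and a victim).
    Both are signals to investigate, not proof: a DHCP lease change or a
    replaced NIC produces the first kind of alert legitimately.
    """
    ip_to_mac = {}                  # last MAC seen answering for each IP
    ips_claimed_by = defaultdict(set)  # every IP each MAC has ever claimed
    alerts = []
    for seq, op, ip, mac in observations:
        if op != "reply":           # requests carry no claim worth learning here
            continue
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"#{seq} changed ethernet address: {ip} was {previous}, now {mac}")
        ip_to_mac[ip] = mac
        if ips_claimed_by[mac] and ip not in ips_claimed_by[mac]:
            claimed = sorted(ips_claimed_by[mac] | {ip})
            alerts.append(f"#{seq} one MAC claims multiple IPs: {mac} -> {claimed}")
        ips_claimed_by[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for line in audit_arp(OBSERVED_ARP):
        print(line)
```

On the constructed data this produces four alerts, all caused by the MAC ending in :99; in practice such a log line is what you would pivot on to find the offending switch port.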
At the end of the day, people put too much trust in the security of their systems by default when most of the systems and protocols that we use on a daily basis on the internet were designed not for security, but rather for ease of use and interoperability.
This isn't just important for those of us who might be managing IT security for corporations, but also for individuals who use public wifi hotspots on a regular basis.