To be able to prevent a sniffing attack, you first need to understand the network segments and
trust between computer systems.
Network Segmentation
A network segment consists of a set of machines that share low-level devices and wiring and see
the same set of data on their network interfaces. The wires on both sides of a repeater are
clearly in the same network segment because a repeater simply copies bits from one wire to the
other wire. An ordinary hub is essentially a multiport repeater; all the wires attached to it are
part of the same segment.
In higher-level devices, such as bridges, something different happens. The wires on opposite
sides of a bridge are not part of the same segment because the bridge filters out some of the
packets flowing through it. The same data is not flowing on both sides of the bridge. Some
packets flow through the bridge, but not all. The two segments are still part of the same
physical network. Any device on one side of the bridge can still send packets to any device on
the other side of the bridge. However, the exact same sets of data packets do not exist on both
sides of the bridge. Just as bridges can be used to set up boundaries between segments, so can
switches. Switches are essentially multiport bridges. Because they limit the flow of all data, a
careful introduction of bridges and switches can be used to limit the flow of sensitive information
and prevent sniffing on untrustworthy machines.
The introduction of switches and bridges into a network is traditionally motivated by factors
other than security. They enhance performance by reducing the collision rate of segments,
which is much higher without these components. Switches and bridges overcome the time
delay problems that occur when wires are too long or when simple repeaters or hubs introduce
additional time delay. When planning the network infrastructure, one should keep these
other factors in mind as well; they can be used to sell the introduction of additional
hardware to parties less concerned with security.
266 Part II: Gaining Access and Securing the Gateway
A segment is a subset of machines on the same subnet. Routers are used to partition networks
into subnets. Hence, they also form borders between segments in a network. Unlike bridges
and switches, which do not interact with software on other devices, routers interact with
network layer software on the devices in the network. Machines on different subnets are always
part of different segments. Segments are divisions within subnets, although in many networks
each subnet consists of a single segment. Dividing a network into subnets with routers is
a more radical solution to the sniffing problem than dividing subnets into segments. However,
as you will see in a later section, it may help with some spoofing problems.
Segmentation of a network is the primary tool one has in fighting sniffing. Ideally, each
machine would be on its own segment and its interface would not have access to network data
for which it is not the destination. This ideal can be accomplished by using switches instead of
hubs to connect to individual machines in a 10BASE-T network. As a matter of practicality
and economics, however, one must often find a less ideal solution. Such solutions all involve
the notion of trust between machines. Machines that can trust each other can be on the same
segment without worry of one machine sniffing at the other’s data.
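The segment and subnet rules above (repeaters and hubs merge wires into one segment, bridges and switches keep segments apart but stay within a subnet, routers separate subnets) can be turned into a small model that answers the defender's question: which machines see a given host's frames, and therefore must be trusted not to sniff? The following Python is an added example, not from the book; the device names and the topology are constructed, and the device kinds are assumptions that follow the text rather than any real product.

```python
"""Sniffing-exposure model for a small LAN (added example, not from the book).

Each link is one wire.  A device of a 'joiner' kind copies traffic across all
of its ports, so the wires on those ports collapse into one class; other
devices keep their ports apart.  Using hubs/repeaters as joiners yields
segments; adding bridges/switches yields subnets (routers never join).
"""
from collections import defaultdict

SEGMENT_JOINERS = {"repeater", "hub"}                    # copy every bit to every port
SUBNET_JOINERS = SEGMENT_JOINERS | {"bridge", "switch"}  # forward selectively, same subnet


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def _wires_by_device(links):
    wires = defaultdict(list)
    for i, (a, b) in enumerate(links):
        wires[a].append(i)
        wires[b].append(i)
    return wires


def partition(devices, links, joiners):
    """Map each wire (index into links) to a class id."""
    uf = UnionFind()
    for dev, ws in _wires_by_device(links).items():
        if devices[dev] in joiners:
            for w in ws[1:]:
                uf.union(ws[0], w)
    return {i: uf.find(i) for i in range(len(links))}


def hosts_seeing(host, devices, links):
    """Hosts whose interfaces carry the frames `host` sends: its trust set."""
    seg = partition(devices, links, SEGMENT_JOINERS)
    wires = _wires_by_device(links)
    mine = {seg[w] for w in wires[host]}
    return sorted(d for d, ws in wires.items()
                  if devices[d] == "host" and d != host
                  and any(seg[w] in mine for w in ws))


def same_subnet(a, b, devices, links):
    """True when no router sits between a and b (routers partition subnets)."""
    sub = partition(devices, links, SUBNET_JOINERS)
    wires = _wires_by_device(links)
    return bool({sub[w] for w in wires[a]} & {sub[w] for w in wires[b]})


def with_kind(devices, name, kind):
    """Copy of `devices` with one device swapped, e.g. a hub replaced by a switch."""
    changed = dict(devices)
    changed[name] = kind
    return changed


# Constructed sample topology; all names are invented for this example.
DEVICES = {
    "alice": "host", "bob": "host", "carol": "host", "dave": "host", "eve": "host",
    "hub1": "hub", "switch1": "switch", "router1": "router", "switch2": "switch",
}
LINKS = [
    ("alice", "hub1"), ("bob", "hub1"), ("carol", "hub1"),  # one shared segment
    ("hub1", "switch1"), ("dave", "switch1"),               # dave on his own switch port
    ("switch1", "router1"), ("router1", "switch2"), ("eve", "switch2"),
]

if __name__ == "__main__":
    print("alice's frames are visible to:", hosts_seeing("alice", DEVICES, LINKS))
    print("dave's frames are visible to:", hosts_seeing("dave", DEVICES, LINKS))
    print("alice and dave share a subnet:", same_subnet("alice", "dave", DEVICES, LINKS))
    print("alice and eve share a subnet:", same_subnet("alice", "eve", DEVICES, LINKS))
    # The ideal from the text: replace the hub with a switch, one machine per segment.
    print("after replacing hub1 with a switch:",
          hosts_seeing("alice", with_kind(DEVICES, "hub1", "switch"), LINKS))
```

Running it shows that alice's frames reach bob and carol (all three share hub1), that dave's reach nobody (his own switch port), that alice and dave are on one subnet while eve is behind router1, and that swapping hub1 for a switch empties alice's trust set, which is the "each machine on its own segment" ideal from the text.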
Understanding Trust
Typically, one thinks of trust at the application layer between file servers and clients. Clearly,
the file server trusts its clients to authenticate users. However, this notion of trust extends to
lower-level network devices as well. For example, at the network layer, routers are trusted to
deliver datagrams and correct routing tables to the hosts on their networks. Hosts are trusting
of routers and routers are trusted machines. If you extend the concept of trust down to the
data link layer, you arrive at sniffing. A machine sending data considered private on a particular
network segment must trust all machines on that network segment. To be worthy of that trust,
the machines on the segment and the wiring between them must have sufficient physical
security (locks on doors, armed guards, and such) to ensure that an attacker cannot install a
sniffer on that segment.
The threat of sniffing comes from someone installing sniffing software on a machine normally
on the network, someone taking a sniffer into a room and jacking it into the network connections
available there, or even installing an unauthorized network connection to sniff. To
counter these options, you must rely on the security of the operating system itself to prevent
the execution of unauthorized sniffing, the personal trustworthiness of the people who have
access to the rooms in which network components are located, and physical security to prevent
untrustworthy people from gaining access to these rooms.
Hardware Barriers
To create trustworthy segments, you must set up barriers between secure segments and
insecure segments. All of the machines on a segment must mutually trust each other with the
data traveling on the segment. An example of such a segment would be a segment that does
not extend outside the machine room of a computing facility. All machines are under the
control of a cooperating and mutually trusting systems staff. The personal trust between staff
members is mirrored by the mutual trust between the systems for which they are responsible.
The opposite of this is the belief and understanding that some segments simply must be
considered insecure. Insecure segments need not be trusted if those segments carry only public
or non-critical data. An example of such a segment is a university laboratory used only by
students. No guarantee of absolute security is made for the information stored. Possibly the
students realize that for this network drive only reasonable precautions will be taken to
maintain privacy by enforcement of password protections, file system access lists, and regular
backups.
It is less clear where to draw the line in a more professional business setting. The only basis for
trust between machines is for trust between the people who control the machines. Even if a
person can be trusted personally in an ethical sense, he or she may not be trustworthy technically
to administer a machine in such a way that an attacker could not abuse the machine
under his or her control.