[66624] in North American Network Operators' Group
Re: sniffer/promisc detector
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sat Jan 17 15:14:52 2004
To: Donovan Hill <lists@lazyeyez.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Sat, 17 Jan 2004 11:30:13 PST."
<200401171130.13257.lists@lazyeyez.net>
From: Valdis.Kletnieks@vt.edu
Date: Sat, 17 Jan 2004 15:14:10 -0500
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, 17 Jan 2004 11:30:13 PST, Donovan Hill said:
> Maybe this is just a stupid comment, but if the original poster is that
> concerned with their LAN being sniffed, then maybe they should consider using
> IPSec on their LAN.
Amen to that. It's actually easier to sleep at night if you start off with the
assumption that every single packet is received by both the intended recipient
and the entity you *least* want getting said packet, and then designing your
communications accordingly.
Similarly for spoofed and MITM attacks - assume they WILL happen, and plan
accordingly.
Proper use of IPSec/OpenSSH/OpenSSL, with key/cert checking as appropriate,
goes a LONG way to raising the bar WAY up on the attacker.
Just don't forget about endpoint security - waay too many sites deploy OpenSSL
so credit card info can't be sniffed, and then leave the suckers in plaintext on the
web server. :)
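The design stance Valdis argues for above (assume the sniffer gets every packet, assume an on-path attacker will edit it, and keep the data sealed on the endpoint as well) can be shown concretely with authenticated encryption. The Go program below is an added example and is not code from the thread or from any project discussed in it; it uses AES-256-GCM from the Go standard library and a constructed sample card record. The key generation, the record names used as associated data and the `Tamper` helper are assumptions made for the demonstration, not anything the message specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key from the OS CSPRNG. In a real deployment
// the key lives in a KMS or HSM, never in the same place as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext with AES-256-GCM.
// Output layout: nonce || ciphertext || tag. The aad (additional authenticated
// data) is not encrypted but is bound into the tag, so a record sealed for one
// context cannot be swapped into another without detection.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Appending to nonce makes the nonce travel with the ciphertext.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag first and only then decrypts. A flipped bit anywhere in
// the nonce, ciphertext, tag or aad yields an error, which is how a MITM edit
// is rejected instead of silently accepted.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Tamper returns a copy of sealed with one bit flipped, standing in for a
// packet that an on-path attacker has modified.
func Tamper(sealed []byte) []byte {
	out := append([]byte(nil), sealed...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real card data.
	card := []byte("4111 1111 1111 1111 exp 12/29")

	sealed, _ := Seal(key, card, []byte("orders/1234/card"))
	// What a sniffer on the LAN, or a reader of the web server's disk, sees.
	fmt.Printf("on the wire / on disk: %x\n", sealed)
	fmt.Println("plaintext visible:", bytes.Contains(sealed, []byte("4111")))

	if _, err := Open(key, Tamper(sealed), []byte("orders/1234/card")); err != nil {
		fmt.Println("modified in transit, rejected:", err)
	}
	if _, err := Open(key, sealed, []byte("orders/9999/card")); err != nil {
		fmt.Println("replayed under another record, rejected:", err)
	}
	pt, _ := Open(key, sealed, []byte("orders/1234/card"))
	fmt.Println("legitimate endpoint recovers:", string(pt))
}
```

The same `Seal`/`Open` pair covers both halves of the message's point: the record is unreadable whether captured in transit or read off the server's disk, and any modification or cross-record replay fails authentication rather than being accepted. What it does not cover is key management and the endpoint itself; if the key sits beside the ciphertext, or the application decrypts on demand for anyone who asks, the sealing buys little.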