Internet Security Professional Reference:IP Spoofing and Sniffing


Although the new wiring scheme neatly parallels the old, the data traveling on the new wiring scheme does not neatly parallel its previous path. From a logical standpoint, it can get to the same places, but the data can and does go to many other places as well. Under this scheme, any office can sniff on all the data flowing to Central Computing from all of the other offices in the building. Different departments are located in the same building. These departments compete for resources allocated by upper management and are not above spying on one another. Ordinary staff, the managers that supervise them, and middle management all are located in the same building. The potential exists for employees to want to know what other people are sending in e-mail messages and storing in personnel and project planning files.

In addition to nosiness and competition, people sharing the same physical media in the new wiring scheme could easily misuse the network. Because all occupants of a building share a single set of Ethernet hubs, they broadcast all of their network traffic to every network interface in the entire building. Any sensitive information that they transmit is no longer limited to a direct path between the user’s machine and the final destination; anyone in the building can intercept the information with a sniffer. Careful planning of a new network installation, or a redesign of an existing network, should therefore include security considerations (as well as performance issues) to avoid the risks inherent in shared-media networking.

The network in the case study fails miserably in the prevention of sniffing. Any computer in a building is capable of sniffing the network traffic to or from any other computer in the building. The following section describes how to design a network that limits the sharing of media to prevent sniffing by untrustworthy machines.

Sniffing: How to Prevent It

To be able to prevent a sniffing attack, you first need to understand the network segments and trust between computer systems.

Network Segmentation

A network segment consists of a set of machines that share low-level devices and wiring and see the same set of data on their network interfaces. The wires on both sides of a repeater are clearly in the same network segment because a repeater simply copies bits from one wire to the other wire. An ordinary hub is essentially a multiport repeater; all the wires attached to it are part of the same segment.

In higher-level devices, such as bridges, something different happens. The wires on opposite sides of a bridge are not part of the same segment because the bridge filters out some of the packets flowing through it. The same data is not flowing on both sides of the bridge. Some packets flow through the bridge, but not all. The two segments are still part of the same physical network. Any device on one side of the bridge can still send packets to any device on the other side of the bridge. However, the exact same sets of data packets do not exist on both sides of the bridge. Just as bridges can be used to set up boundaries between segments, so can switches. Switches are essentially multiport bridges. Because they limit the flow of all data, a careful introduction of bridges and switches can limit the flow of sensitive information and prevent it from being sniffed by untrustworthy machines.

The introduction of switches and bridges into a network is traditionally motivated by factors other than security. They enhance performance by reducing the collision rate of segments, which is much higher without these components. Switches and bridges overcome the time delay problems that occur when wires are too long or when simple repeaters or hubs introduce additional time delay. As one plans the network infrastructure, one should keep these other factors in mind as well. One can use these factors to sell the introduction of additional hardware to parties less concerned with security.

A segment is a subset of machines on the same subnet. Routers are used to partition networks into subnets. Hence, they also form borders between segments in a network. Unlike bridges and switches, which do not interact with software on other devices, routers interact with network layer software on the devices in the network. Machines on different subnets are always part of different segments. Segments are divisions within subnets, although in many networks a subnet consists of a single segment. Dividing a network into subnets with routers is a more radical solution to the sniffing problem than dividing subnets into segments. However, as you will see in a later section, it may help with some spoofing problems.

Segmentation of a network is the primary tool one has in fighting sniffing. Ideally, each machine would be on its own segment, and its interface would not have access to network data for which it is not the destination. This ideal can be accomplished by using switches instead of hubs to connect to individual machines in a 10BASE-T network. As a matter of practicality and economics, however, one must often find a less ideal solution. Such solutions all involve the notion of trust between machines. Machines that can trust each other can be on the same segment without worry of one machine sniffing at the other’s data.
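The following Python model is an added illustration, not code from the book: it computes which hosts' interfaces receive a unicast frame in a constructed office topology (hosts a and b on a hub, hub uplinked to a switch that also serves c, d and the central server srv), so that the set of machines the sender must trust can be read off directly. It assumes the standard learning-bridge behaviour in which a switch forwards a frame only on the port where it learned the destination address and floods every other port when the destination is still unknown; all device names are made up.

```python
from collections import defaultdict

class Network:
    def __init__(self, kinds):
        self.kind = dict(kinds)               # device -> 'host' | 'hub' | 'switch'
        self.links = defaultdict(set)         # device -> neighbouring devices
        self.mac_table = defaultdict(dict)    # switch -> {host: neighbour on the learned port}

    def link(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def learn(self, switch, host, via):
        """Record that `switch` has seen `host`'s source address on the port toward `via`."""
        self.mac_table[switch][host] = via

    def observers(self, src, dst):
        """Hosts other than src whose interface receives a unicast frame src -> dst."""
        seen, visited = set(), set()
        stack = [(src, nb) for nb in self.links[src]]
        while stack:
            came_from, dev = stack.pop()
            if (came_from, dev) in visited:
                continue
            visited.add((came_from, dev))
            kind = self.kind[dev]
            if kind == 'host':                # a host's interface sees whatever reaches its wire
                seen.add(dev)
                continue
            if kind == 'hub':                 # repeater: copies the frame to every other port
                outs = self.links[dev] - {came_from}
            else:                             # switch: forward on the learned port, else flood
                learned = self.mac_table[dev].get(dst)
                outs = {learned} - {came_from} if learned else self.links[dev] - {came_from}
            stack.extend((dev, nb) for nb in outs)
        return seen

def office_net(switch_has_learned=True):
    """Constructed topology: offices a and b share a hub that uplinks to a switch,
    which also serves offices c, d and the central server srv."""
    n = Network({'a': 'host', 'b': 'host', 'c': 'host', 'd': 'host',
                 'srv': 'host', 'hub1': 'hub', 'sw1': 'switch'})
    for a, b in (('a', 'hub1'), ('b', 'hub1'), ('hub1', 'sw1'),
                 ('c', 'sw1'), ('d', 'sw1'), ('srv', 'sw1')):
        n.link(a, b)
    if switch_has_learned:                    # a fresh switch floods until it learns addresses
        for host, via in (('a', 'hub1'), ('b', 'hub1'), ('c', 'c'), ('d', 'd'), ('srv', 'srv')):
            n.learn('sw1', host, via)
    return n
```

Traffic from a to srv is still seen by b, because a and b share the hub, while traffic from c to srv reaches only srv once the switch has learned the addresses; before it has learned them, the same frame from c floods to every other office.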

Understanding Trust

Typically, one thinks of trust at the application layer between file servers and clients. However, this notion of trust extends to lower-level network devices as well. For example, at the network layer, routers are trusted to deliver datagrams and correct routing tables to the hosts on their networks. Hosts are trusting of routers, and routers are trusted machines. If you extend the concept of trust down to the data link layer, you arrive at sniffing. A machine sending data considered private on a particular network segment must trust all machines on that network segment. To be worthy of that trust, the machines on the segment and the wiring between them must have sufficient physical security (locks on doors, armed guards, and such) to ensure that an attacker cannot install a sniffer on that segment.

The threat of sniffing comes from someone installing sniffing software on a machine normally on the network, someone taking a sniffer into a room and jacking it into the network connections available there, or even installing an unauthorized network connection to sniff. To counter these options, you must have a security policy in place that prohibits such activities, rely on the security of the operating system itself to prevent the execution of unauthorized sniffing, depend upon the personal trustworthiness of the people who have access to the rooms in which network components are located, and have adequate physical security to prevent untrustworthy people from gaining access to these rooms.
