[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: filtering by mac
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: filtering by mac
- From: Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com>
- Date: Sat, 27 Jul 2002 09:08:25 -0700
On Sat, Jul 27, 2002 at 09:31:06AM -0600, Diana Eichert wrote:
> On Sat, 27 Jul 2002, Randall Augustus Alexander wrote:
> > There simply isn't a way to make sure people don't sniff the
> > network without each user having their own port on the switch.
> > There is also no way to make sure that they don't share
> > passwords or create their own wireless or wired network and
> > share access with others through NAT.
> > You simply have to face reality that there has to be a certain
> > measure of trust unless you can afford the gear to keep
> > everyone in their own sandbox.
> > Randy
> You can throw out the switched network scenario also, as
> switched networks can be sniffed relatively easily. In the past
> you had to have some skill to do it, today it's so easy with
> tools like ettercap:
> So as Randy alluded, it's an unsafe world out there.
At the risk of wandering off-topic, I've had an idea for a while
now that somebody may find interesting. I'd love to see a
small-footprint computer capable of running OpenBSD that's crammed
with NICs, and running it as a fully-managed switch. Imagine
writing your pf rules *knowing* that interface X has traffic for
foo, all the traffic for foo, and nothing but traffic for foo. I
rather suspect that you could effectively stop all spoffing and
sniffing attacks, as well.
Of course, this would probably not be cheap....
[demime 0.98d removed an attachment of type application/pgp-signature]