Re: filtering by mac
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: filtering by mac
- From: Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com>
- Date: Sat, 27 Jul 2002 09:08:25 -0700
On Sat, Jul 27, 2002 at 09:31:06AM -0600, Diana Eichert wrote:
> On Sat, 27 Jul 2002, Randall Augustus Alexander wrote:
>
> > There simply isn't a way to make sure people don't sniff the
> > network without each user having their own port on the switch.
> > There is also no way to make sure that they don't share
> > passwords or create their own wireless or wired network and
> > share access with others through NAT.
> >
> > You simply have to face reality that there has to be a certain
> > measure of trust unless you can afford the gear to keep
> > everyone in their own sandbox.
> >
> > Randy
>
> You can throw out the switched network scenario also, as
> switched networks can be sniffed relatively easily. In the past
> you had to have some skill to do it, today it's so easy with
> tools like ettercap:
>
> (http://www.openbsd.org/3.1_packages/i386/ettercap-0.6.4.tgz-long.html).
>
> So as Randy alluded, it's an unsafe world out there.
At the risk of wandering off-topic, I've had an idea for a while
now that somebody may find interesting. I'd love to see a
small-footprint computer capable of running OpenBSD that's crammed
with NICs, and running it as a fully-managed switch. Imagine
writing your pf rules *knowing* that interface X has traffic for
foo, all the traffic for foo, and nothing but traffic for foo. I
rather suspect that you could effectively stop all spoofing and
sniffing attacks, as well.
Of course, this would probably not be cheap....
Cheers,
b&
--
Ben Goren
mailto:ben_(_at_)_trumpetpower_(_dot_)_com
http://www.trumpetpower.com/
icbm:33o25'37"N_111o57'32"W
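A sketch of what the per-interface rules Ben describes could look like, added here as an illustration and not part of the original post or of any OpenBSD documentation. It assumes a box with an uplink on em0 and three access interfaces em1, em2 and em3, each cabled to exactly one host on its own small routed subnet; the interface names and addresses are made up, and the syntax is current pf (antispoof, tables, "keep state") rather than the pf shipped with the 3.1 release discussed in the thread.

```pf
# Added example: pf.conf for a multi-NIC OpenBSD box acting as a "switch"
# where every access port carries exactly one host. Names and addresses
# are hypothetical.
ext_if = "em0"
port_ifs = "{ em1 em2 em3 }"

# One host per port; bind each host's address to the port it is wired to.
host_em1 = "192.0.2.2"     # only host on em1 (192.0.2.0/30)
host_em2 = "192.0.2.6"     # only host on em2 (192.0.2.4/30)
host_em3 = "192.0.2.10"    # only host on em3 (192.0.2.8/30)

set skip on lo0

# Drop packets arriving on an interface whose source address belongs to
# a different interface's network (kills source-address spoofing).
antispoof quick for $port_ifs

# Default deny, logged, so anything not explicitly bound below shows up
# in pflog.
block log all

# Each access port accepts traffic only from the one address it is
# supposed to carry. A host plugging a second machine in behind NAT, or
# faking another host's address, does not match and is blocked.
pass in quick on em1 from $host_em1 to any keep state
pass in quick on em2 from $host_em2 to any keep state
pass in quick on em3 from $host_em3 to any keep state

# Replies and forwarded traffic leave on whichever port owns the
# destination; state from the rules above already covers return traffic,
# so only new outbound flows toward the uplink need a rule.
pass out quick on $ext_if keep state
pass out quick on $port_ifs keep state
```

Because each host sits alone on its own interface and subnet, a sniffer on one port sees nothing but its own traffic, and the "from" clause on each "pass in" rule means a packet claiming another port's address is dropped before it is forwarded. Check a candidate file with `pfctl -nf /etc/pf.conf` before loading it.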