switch vulnerability


jmarwan

Technical User
I have a BayStack 450-24T with the latest software.
All machines are connected to the same VLAN (default).
Using a sniffer and protocol analyser utility like Ethereal
on any port in the same VLAN, I am able to receive unicast traffic that is not destined for the host where the sniffer is installed.
This is a serious security concern for our enterprise.
How do you explain this switch behaviour?
And how do I prevent the switch from allowing "sniffing"?

thank you

 
FYI..

If you have a 470 stack with DMLT, there is a bug that has been fixed in the latest software.

This bug leads to the loss of MLT if a non-base unit boots up before the base unit and acts as a temporary base, and you may get a loop.

 
All the switches were upgraded with the latest software
FW:V1.48 SW:v4.5.2.4
I still have the same problem.
 
Is the PVID on the port the same as the VLAN it belongs to?

Auto PVID is a nice option to turn on.

Are some of the switches connected to some Cisco equipment?
 
Why should I enable PVID?
All switch ports belong to the default VLAN (1).
The switch is connected to a core switch,
and the VLANs are configured on the core switch (Catalyst WS-C4507R with Version 12.1(20)EW).
 
The nature of any layer 2 device is that all packets with an unknown destination will get flooded out all ports, which includes broadcasts and unicasts -- i.e. this is normal switch operation.

How do you stop someone from putting a SNIFFER type box on and capturing data they shouldn't? Policy and policy enforcement within your enterprise.

You can limit your exposure by invoking any of the security measures like (MAC based or EAP) or simply disabling unused ports.

The bottom line is that if someone puts a packet capture tool on an active port they will pick up traffic flooded to all ports.

Securing your switch so someone can't mirror ports would also be a good idea.
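A toy model of the learning-switch behaviour described in the reply above, added here as an illustration (it is not code from the thread or from Nortel). It shows why a frame to a destination the switch has not learned, or whose table entry has aged out, reaches every port in the VLAN, including the one with the sniffer; the port count, age limit and MAC addresses are constructed sample values.

```python
"""Model of a transparent (learning) layer 2 switch.

Source MACs are learned per ingress port. A frame whose destination MAC
is not in the table is flooded out every other port, so a sniffer on any
port of the VLAN sees it; once the destination has spoken, later frames
go only to its port. Idle entries age out and the flooding starts again.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class LearningSwitch:
    num_ports: int
    age_limit: int = 300  # seconds an idle entry survives (constructed value)
    # mac -> (port, last_seen)
    mac_table: dict = field(default_factory=dict)

    def forward(self, frame: Frame, in_port: int, now: int) -> list:
        """Return the egress ports for a frame arriving on in_port at time now."""
        # Expire stale entries first, as a real forwarding table does.
        self.mac_table = {m: (p, t) for m, (p, t) in self.mac_table.items()
                          if now - t < self.age_limit}
        # Learn (or refresh) the source address on the ingress port.
        self.mac_table[frame.src] = (in_port, now)
        entry = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            # Broadcast or unknown unicast: flood to all ports except ingress.
            return [p for p in range(self.num_ports) if p != in_port]
        return [entry[0]]


def scenario() -> dict:
    """Two hosts on ports 0 and 1, a sniffer on port 3; constructed MACs."""
    sw = LearningSwitch(num_ports=4)
    a, b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    return {
        "first": sw.forward(Frame(a, b), in_port=0, now=0),    # b unknown: flooded
        "reply": sw.forward(Frame(b, a), in_port=1, now=1),    # a known: port 0 only
        "second": sw.forward(Frame(a, b), in_port=0, now=2),   # b known: port 1 only
        "aged": sw.forward(Frame(a, b), in_port=0, now=400),   # b aged out: flooded
    }


if __name__ == "__main__":
    for step, ports in scenario().items():
        print(f"{step:6s} -> ports {ports}  sniffer sees it: {3 in ports}")
```

The sniffer on port 3 receives the first and the aged-out frames even though neither is addressed to it, which is exactly the behaviour the original poster observed.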
 
This is an example of a captured packet:

No. Time Source Destination Protocol Info
7758 3127.097350 10.128.20.200 10.127.6.101 TELNET Telnet Data ...

Frame 7758 (60 bytes on wire, 60 bytes captured)
Arrival Time: Feb 25, 2005 16:23:48.627822000
Time delta from previous packet: 3127.097350000 seconds
Time since reference or first frame: 3127.097350000 seconds
Frame Number: 7758
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II, Src: 00:a0:d1:b4:9b:1e, Dst: 00:03:ba:7b:dd:36
Internet Protocol, Src Addr: 10.128.20.200 (10.128.20.200), Dst Addr: 10.127.6.101 (10.127.6.101)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 42
Identification: 0x4aa9 (19113)
Flags: 0x04 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x7ff9 (correct)
Source: 10.128.20.200 (10.128.20.200)
Destination: 10.127.6.101 (10.127.6.101)
Transmission Control Protocol, Src Port: 3468 (3468), Dst Port: telnet (23), Seq: 0, Ack: 0, Len: 2
Source port: 3468 (3468)
Destination port: telnet (23)
Sequence number: 0 (relative sequence number)
Next sequence number: 2 (relative sequence number)
Acknowledgement number: 0 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 17211
Checksum: 0x4e31 (correct)
Telnet
Command: No Operation
 