switch vulnerability

jmarwan

Technical User
Aug 5, 2003
I have a Baystack 450-24t with the latest software.
All machines are connected to the same VLAN (default).
Using a sniffer and protocol analyser utility like Ethereal
on any port in the same VLAN, I'm able to receive unicast traffic that is not destined for the host where the sniffer is installed.
This is a major security concern for our enterprise.
How can this switch behaviour be explained?
And how can the switch be prevented from "sniffing"?

thank you
 
This is probably a Baystack issue; I would contact their tech support and upload your captures to them. I ran a sniffer capture on one of our switches and I only receive packets for or from my PC.
 
I don't think so, because I have replaced a Baystack switch with a Cisco Catalyst 2900XL and also an HP ProCurve 2524.
I still receive some unicast packets.
 
Have you seen any ARP storms on your network? Could be that someone else on your network is attempting to sniff and is overflowing the ARP cache in order to do this.

Also, are you seeing unicast traffic for a single IP, or for all? If it is a single IP, an ARP storm isn't required, just an unsolicited message indicating that that IP is local will suffice in most cases.


pansophic
 
The only traffic you should be seeing with a switch is broadcast traffic in that domain generated by the switch to determine which end devices have an associated IP and MAC not yet in the CAM table, except when a SPAN port is enabled. My experience with ARP poisoning is that it is usually directed at the client. You could implement storm traffic control and ARP access control, and perhaps use arpwatch to monitor.
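
The ARP monitoring suggested in the replies above, as an added example that is not part of the original thread and is not arpwatch's own code: it flags an IP address that changes MAC and a burst of never-seen MAC addresses. The input line format, thresholds and function names are assumptions, and all sample data is constructed.

```python
from collections import deque

# Constructed sample (not a real capture): one line per ARP packet seen,
# "<seconds> <ARP sender IP> <ARP sender MAC>".
SAMPLE = """\
0 10.0.0.1 00:11:22:33:44:01
1 10.0.0.20 00:11:22:33:44:20
5 10.0.0.21 00:11:22:33:44:21
30 10.0.0.1 00:11:22:33:44:99
31 10.0.0.1 00:11:22:33:44:01
32 10.0.0.1 00:11:22:33:44:99
"""

def constructed_burst(start, count):
    """Constructed lines in the same format: many never-seen MACs in ~2 s."""
    return [f"{start + i * 0.01:.2f} 10.0.1.{i % 250 + 1} "
            f"02:00:00:00:{(i >> 8):02x}:{(i & 255):02x}" for i in range(count)]

def analyse(lines, window=10.0, new_mac_limit=50):
    """Return alerts for IP-to-MAC binding changes and bursts of new MACs."""
    binding = {}          # IP -> MAC that last claimed it
    seen_macs = set()
    recent_new = deque()  # times at which a previously unseen MAC appeared
    alerts, in_burst = [], False
    for line in lines:
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        ts, mac = float(ts), mac.lower()
        old = binding.get(ip)
        if old is not None and old != mac:
            # Same IP now claimed by another MAC: spoofed reply or real change.
            alerts.append(("binding-change", ts, ip, old, mac))
        binding[ip] = mac
        if mac not in seen_macs:
            seen_macs.add(mac)
            recent_new.append(ts)
        while recent_new and ts - recent_new[0] > window:
            recent_new.popleft()
        over = len(recent_new) > new_mac_limit
        if over and not in_burst:  # alert once per burst, not per packet
            alerts.append(("new-mac-burst", ts, len(recent_new)))
        in_burst = over
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE.splitlines() + constructed_burst(100, 200)):
        print(alert)
```

A binding change on a gateway or server address that keeps flipping between two MACs, as in the constructed sample, is the pattern worth investigating first; a single change can simply be a replaced network card.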
 