[ale] Is Promiscuous Sniffing just not so much Fun anymore? (mostly on-topic)

Neal Rhodes neal at mnopltd.com
Tue Dec 10 14:08:28 EST 2013


So, picture two servers which talk to each other within a corporate
LAN/WAN in a data center, and worker bees in an office location
elsewhere in the same city, who only have hard-wired LAN access, and
assume they have IP connectivity to the data center. 

And picture that these two servers have an unsecured http protocol they
talk over. 

And picture a worker bee with too much time on their hands and the
intent to hijack this. 

If said worker bee managed to get Wireshark or similar installed on
their workstation, they could sniff whatever that hard Cat5 cable can
see. Which, assuming it is connected to a switch, not an
old-fashioned hub, is pretty much zilch. Basically their own traffic.

They can't see most traffic to/from the guy in the next cubicle to the
servers, because the switch doesn't normally let them see it. For
performance reasons, it isolates each LAN port. They can't see any of
the server-server packets, because the two routers in between behave
like switches, not hubs, and don't route local server-server traffic.

So, assuming that Wi-Fi is not available, it seems like the LAN sniffer
attack vector based on seeing what is happening is pretty much moot.
That is not to say that actively probing isn't rewarding.

Let's take it one step farther: presume that it is trivial for these two
servers to switch from talking http:80 to each other and start talking
https:443 to each other. From the perspective above, this is a
negligible practical improvement. It only gets interesting if we
imagine someone able to get onto the local LAN in the data center. But
even then, presuming that is also a switch, they ain't gonna see spit.

Let's take it one step farther: assume that they could in fact
compromise the data center switch, and capture a pile of the https
traffic between servers. Would we logically assume that given today's
technology that they could manage to decrypt it with enough CPU and
time?

Thoughts? 

Neal Rhodes
MNOP Ltd
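
An added example, not part of the original post: a toy model of a learning Ethernet switch, showing which frames are delivered to a workstation's port in the office scenario described above. Host names, MAC addresses and port numbers are constructed, and the "uplink" port stands in for the router toward the data center.

```python
"""Toy model of a learning Ethernet switch (constructed example)."""
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}                      # source MAC -> port it was last seen on
        self.seen = {p: [] for p in self.ports}  # frames the switch sent out each port

    def receive(self, in_port, src, dst, label):
        """Process one frame arriving on in_port; return the egress ports."""
        self.mac_table[src] = in_port            # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = [self.mac_table[dst]]          # known unicast: one port only
            if out[0] == in_port:
                out = []                         # same segment, nothing to forward
        else:
            out = [p for p in self.ports if p != in_port]  # broadcast/unknown: flood
        for p in out:
            self.seen[p].append(label)
        return out

# Constructed hosts: (MAC, switch port). All values are illustrative.
HOSTS = {"sniffer": ("02:00:00:00:00:01", 1),
         "neighbor": ("02:00:00:00:00:02", 2),
         "uplink": ("02:00:00:00:00:03", 3)}

def run_scenario():
    """Return the labels of frames the switch delivers to the sniffer's port."""
    sw = LearningSwitch(ports=[1, 2, 3])
    mac = {h: m for h, (m, _) in HOSTS.items()}
    port = {h: p for h, (_, p) in HOSTS.items()}
    frames = [
        ("neighbor", BROADCAST, "ARP who-has gateway"),
        ("uplink", mac["neighbor"], "ARP reply"),
        ("neighbor", mac["uplink"], "HTTP request"),
        ("uplink", mac["neighbor"], "HTTP response"),
        ("sniffer", mac["uplink"], "sniffer's own request"),
        ("uplink", mac["sniffer"], "reply to sniffer"),
    ]
    for sender, dst, label in frames:
        sw.receive(port[sender], mac[sender], dst, label)
    return sw.seen[port["sniffer"]]

if __name__ == "__main__":
    print(run_scenario())
```

In this model the workstation's port receives only the neighbor's broadcast and the reply addressed to the workstation itself; the neighbor's HTTP exchange goes out the neighbor's and uplink ports only.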