Just like sitting in a café and listening to other people's conversations, sniffing the network involves passively capturing traffic as it flows through the network segment that an attacker is connected to. One common tool for capturing traffic (often for legitimate reasons) is Wireshark, a freely available protocol analyser that shows exactly what your network card is seeing. On poorly managed or badly designed networks, traffic containing sensitive data may be hitting end user devices all the time, and it is often not until a tool like this is used that a network admin realises just how many plain text passwords (FTP, Telnet, HTTP basic authentication and the like) are going back and forth on their network. A switch normally limits what a sniffer sees: it keeps an internal table mapping device MAC addresses to physical port numbers and only sends a unicast frame out of the port where the destination was learned, so a passive listener sees broadcast traffic and its own frames. That protection can be circumvented by an attacker sending frames with thousands of spoofed source MAC addresses, filling the table; once the switch can no longer learn where the real hosts are, it floods frames for unknown destinations out of every port, reverting to the dumb hub-like behaviour the attacker wants.
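To show what a sniffer on the segment actually gets out of that plain text traffic, here is an added example (not code from the original post) that pulls credentials out of captured TCP payloads the way a protocol analyser's "follow stream" view would reveal them. The payloads, hosts and credentials are constructed for the illustration; the TLS flow is included to show that an encrypted session yields nothing.

```python
"""Added example: what a passive sniffer recovers from clear text protocols.
All payloads, addresses and credentials below are constructed, not real."""
import base64
import re

# Constructed TCP payloads as seen by a sniffer on the same segment
# (hypothetical hosts 10.0.0.x; the credentials are made up).
CAPTURED_PAYLOADS = [
    ("10.0.0.5:52110 -> 10.0.0.9:21",  b"USER alice\r\n"),
    ("10.0.0.5:52110 -> 10.0.0.9:21",  b"PASS hunter2\r\n"),
    ("10.0.0.5:52111 -> 10.0.0.10:80",
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n"),
    # Start of a TLS ClientHello: opaque to the sniffer, nothing to extract.
    ("10.0.0.5:52112 -> 10.0.0.11:443",
     b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]

FTP_RE = re.compile(rb"^(USER|PASS) (.+?)\r\n", re.MULTILINE)
BASIC_RE = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r\n", re.MULTILINE)


def extract_credentials(payloads):
    """Return a list of (flow, protocol, username, password) tuples found in
    clear text. FTP sends USER and PASS in separate segments, so the username
    is remembered per flow until the matching PASS arrives."""
    found = []
    pending_user = {}  # flow -> username from an FTP USER awaiting its PASS
    for flow, data in payloads:
        for m in FTP_RE.finditer(data):
            cmd, value = m.group(1), m.group(2).decode(errors="replace")
            if cmd == b"USER":
                pending_user[flow] = value
            else:
                found.append((flow, "ftp", pending_user.get(flow), value))
        for m in BASIC_RE.finditer(data):
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
            except ValueError:
                continue  # malformed header, skip it
            user, _, pwd = decoded.decode(errors="replace").partition(":")
            found.append((flow, "http-basic", user, pwd))
    return found


if __name__ == "__main__":
    for flow, proto, user, pwd in extract_credentials(CAPTURED_PAYLOADS):
        print(f"{proto:<10} {flow}: {user} / {pwd}")
```

Two credential pairs come straight out of the FTP and HTTP flows; the HTTPS flow contributes nothing, which is the whole point of the "encrypt passwords in transit" advice further down.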
There are however several measures that can be taken to reduce this risk on a LAN:
- Physically restricting access to the network (i.e. not having live network ports in a foyer or other public areas)
  - This ensures only people you trust or have given permission to can plug into the network
- Segregating traffic into VLANs
  - For example, putting VoIP devices in one VLAN and users in another, so a user's machine never sees the frames of a telephone call it could otherwise listen in to. VLANs separate broadcast domains; they do not stop sniffing within the same VLAN, so the remaining measures still apply inside each one
- Using encryption to secure passwords in transit
  - Replace plain text protocols with their encrypted equivalents (SSH instead of Telnet, HTTPS instead of HTTP, SFTP or FTPS instead of FTP), so that anything captured is useless without the keys
- Using port based security to restrict the number of MAC addresses on a port
  - This prevents an attacker spoofing numerous source MAC addresses to fill up the switch's MAC address table, which would otherwise cause it to revert to the dumb flooding behaviour; a typical configuration allows one or two addresses on a user port and shuts the port down on a violation
- Using 802.1x port based authentication (more on this in a future post!!)
  - This ensures that trusted clients which are either compliant with health policies or have valid credentials are placed on a trusted VLAN, while guests and malicious users who are untrusted are placed in a quarantine VLAN
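The MAC-flooding attack described at the top and the port security measure above are two sides of the same mechanism, so here is one added example (not code from the original post) that models both: a toy learning switch with a bounded MAC address table, an attacker spraying fake source MACs at it, and the same switch again with a per-port MAC limit. The port numbers, table size of 64 entries, MAC addresses and the limit of two addresses per port are all made up for the illustration.

```python
"""Added example: toy model of a switch MAC table under a flooding attack,
with and without port security. Sizes, ports and addresses are invented."""
from collections import OrderedDict


class ToySwitch:
    """Minimal learning switch: bounded MAC table plus optional port security."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = set(ports)
        self.table_size = table_size                # CAM capacity (made-up number)
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.cam = OrderedDict()                    # mac -> port, oldest entry first
        self.err_disabled = set()                   # ports shut after a violation

    def _learn(self, mac, port):
        if mac in self.cam:                         # refresh an existing entry
            self.cam.move_to_end(mac)
            self.cam[mac] = port
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.err_disabled.add(port)         # violation: shut the port
                return
        if len(self.cam) >= self.table_size:
            # Table full: the oldest entry is lost. This stands in for real
            # entries ageing out while the flood keeps the table saturated.
            self.cam.popitem(last=False)
        self.cam[mac] = port

    def forward(self, ingress, src, dst):
        """Deliver one frame; return the set of ports it is sent out of."""
        if ingress in self.err_disabled:
            return set()
        self._learn(src, ingress)
        if ingress in self.err_disabled:            # this very frame tripped the limit
            return set()
        out = self.cam.get(dst)
        if out is None:
            return self.ports - {ingress}           # unknown destination: flood like a hub
        return {out} if out != ingress else set()   # known: one port (or drop if local)


VICTIM, SERVER, ATTACKER = 1, 2, 3                  # hypothetical port numbers
MAC_A, MAC_B = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"  # hypothetical hosts


def flood_then_observe(port_security):
    """Run the attack; return (ports that receive A's next frame to B,
    ports the switch has err-disabled)."""
    sw = ToySwitch(ports=[VICTIM, SERVER, ATTACKER], table_size=64,
                   max_macs_per_port=2 if port_security else None)
    # Normal traffic: the switch learns where A and B live.
    sw.forward(VICTIM, MAC_A, MAC_B)
    sw.forward(SERVER, MAC_B, MAC_A)
    assert sw.forward(VICTIM, MAC_A, MAC_B) == {SERVER}  # unicast stays off port 3
    # Attacker on port 3 sprays frames with fabricated source MACs
    # (what a MAC-flooding tool such as macof does).
    for i in range(200):
        fake = f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}"
        sw.forward(ATTACKER, fake, MAC_B)
    # Does A's next frame to B now leak out of the attacker's port?
    return sw.forward(VICTIM, MAC_A, MAC_B), sw.err_disabled


if __name__ == "__main__":
    print("no port security:", flood_then_observe(False))   # frame reaches port 3
    print("port security   :", flood_then_observe(True))    # port 3 shut, frame stays on port 2
```

Without the per-port limit, 200 fake addresses push the two legitimate entries out of a 64-entry table and the victim's next frame is flooded to the attacker's port as well; with the limit set to two, the third fake address err-disables port 3 and the table still knows where A and B are.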
All of the above are easy enough to implement, with the exception of 802.1x, which requires some additional moving parts (a RADIUS server and supplicant software on the clients) to get it going, but all of them should be considered from the outset as part of a network device security policy (again, more on this in a future post).