Quick question

If you have a sniffer connected to a switch port, with/without port
security on the port, will the sniffer see more than the broadcasts
without the SPAN being enabled on the port? If all you can see will be
broadcasts then how much of a risk will this sniffer be to the rest of
the network?

I am just trying to assess, if worst case Sasa is correct and the sniffer
is totally quiet, what the level of risk is from captured broadcasts
only.

Regards

Michael

-----Original Message-----
From: Kevin Wigle [mailto:[EMAIL PROTECTED]] 
Sent: 18 September 2002 06:11 AM
To: [EMAIL PROTECTED]
Subject: Re: Port Security on 3550 [7:53446]

Not to question a CCIE, but if you have a lab the sensible thing to do is
to go it.

And I agree with Mr. Odette........ not many Windows products are "quiet".

I have a 1912 with enterprise and I configured it for:

Global config
mac-address-table permanent 0000.B494.37E3 Ethernet 0/11
mac-address-table permanent 0260.8CD8.7B0E Ethernet 0/10
address-violation disable

Interface config
interface Ethernet 0/10
  port secure
  port secure max-mac-count 1
!
interface Ethernet 0/11
  port secure
  port secure max-mac-count 1

-----------------------

On port 10 is a MS-DOS client running the MS-DOS IP Client, no chatty
windows overhead but still MS.
On port 11 is a Win98 station.

Now to be fair, I logged on to both stations before switching cables to
make sure that most of the chattiness was finished.

This table shows the result:


         Catalyst 1900 - Port Addressing Report

Port                Addresses
---------------------------------------
 1  :               Unaddressed
 2  :               Unaddressed
 3  :               Unaddressed
 4  :               Unaddressed
 5  :               Unaddressed
 6  :               Unaddressed
 7  :               Unaddressed
 8  :               Unaddressed
 9  :               Unaddressed
 10 :Secured        02-60-8C-D8-7B-0E
 11 :Secured        00-00-B4-94-37-E3
 12 :               Unaddressed

 AUI:               Unaddressed
 A  :Dynamic 10     Static 0
 B  :               Unaddressed

Port A is uplink to a 2924 where the servers and other stations are
located.

Now I simply exchange the cables, 10 for 11 and 11 for 10 and in a short
time both ports are disabled.

 9  : Suspended-no-linkbeat
 10 : Disabled-violation
 11 : Disabled-violation
 12 : Suspended-no-linkbeat

Now I switch the cables back and enable the ports.

On the DOS station I have an old copy of FTP Lanwatch; I reboot and fire
it up.  I have not set a span port, so all it sees are the broadcast
packets, but it does see them.

I switch the cables again and only the Windows station causes the port to
disable.  Lanwatch keeps on trucking.

 9  : Suspended-no-linkbeat
 10 : Disabled-violation
 11 : Enabled
 12 : Suspended-no-linkbeat

So the question remains whether port security is beneficial for this
application.  If an unauthorized user does plug into the port, he/she
must use an absolutely quiet program (such as Lanwatch, apparently).

I don't know if the Unix(s) et al out there are absolutely quiet.

It would be interesting to know what exactly happens when a device plugs
into a port.  You say that MAC frames are not exchanged.
Well, they don't have to be "exchanged".  If the device talks then the
switch listens and acts accordingly.

Perhaps port security won't completely deliver the required protection,
but it would supply enough protection against "most" computers and
therefore would still be useful - or it wouldn't hurt.  The best
protection here would be physical security of the switch.

Kevin Wigle
CCDP CCNP MCSE CBE CBI

----- Original Message -----
From: "Mark W. Odette II" 
To: 
Sent: Tuesday, September 17, 2002 4:02 PM
Subject: RE: Port Security on 3550 [7:53446]


> Or, to expand the question further, for a Windows-based sniffer, does
> the Promiscuous Mode driver block even NetBIOS chatter from transmitting
> on the NIC plugged into the SPAN Switch Port??
>
> I've never paid attention to data captures for that, but I think that a
> Windows-based Sniffer would give itself away by means of its NetBIOS
> broadcast to identify itself with other Windows clients.  If that
> occurred, then I think the Port Security would come into action.
>
> Priscilla, care to comment?!?!
>
> Mark
> -----Original Message-----
> From: Kevin Wigle [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 17, 2002 2:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Port Security on 3550 [7:53446]
>
> well I guess we're mixing up directions...........
>
> yes incoming from a device attached to a port on the switch.
>
> which would still help him but wouldn't be perfect.
>
> no, the port wouldn't shut down if a promiscuous mode nic was plugged in.
> It would receive everything.
>
> but that PC would not be able to send anything - to do so the switch would
> learn its MAC - which wouldn't match and the port would shut down.
>
> But consider this....... what info is passed between the switch and the NIC
> so that the Link light goes on?
> I don't know... will the switch still learn the MAC even if "real" traffic
> is not passed?
>
> Kevin Wigle
>
> ----- Original Message -----
> From: "Sasa Milic"
> To:
> Sent: Tuesday, September 17, 2002 2:40 PM
> Subject: Re: Port Security on 3550 [7:53446]
>
>
> > Kevin,
> >
> > port security works by monitoring INCOMING traffic to the switch.
> > If the source MAC in incoming packets is not the one configured, the port
> > is either blocked or an SNMP trap is sent.
> >
> > And what if another computer uses the port without sending any
> > traffic (just capturing traffic, without sending anything)?
> > Switch won't shut it down.
> >
> > Sasa
> >
> > Kevin Wigle wrote:
> > >
> > > well I think port security would still be helpful.  Port security is
> > > concerned with outgoing traffic from the port not incoming.
> > >
> > > setting the security to allow only one MAC would prevent another computer
> > > from using the port.
> > >
> > > If another computer tried to use the port with the wrong MAC then the port
> > > would shut down after 90 seconds.
> > >
> > > Kevin Wigle
> > >
> > > ----- Original Message -----
> > > From: "Sasa Milic"
> > > To:
> > > Sent: Tuesday, September 17, 2002 1:20 PM
> > > Subject: Re: Port Security on 3550 [7:53446]
> > >
> > > > With the "port security" command, but it won't help you. Anyone
> > > > can connect a passive sniffer to that port, and the switch won't
> > > > block the port since there is no incoming traffic (you
> > > > will configure the port to be SPAN, right? So anyone can sniff
> > > > on that port).
> > > >
> > > > Sasa
> > > >
> > > >
> > > > JohnZ wrote:
> > > > >
> > > > > How do you enable port security on a 3550. I want to use a port for
> > > > > sniffer and want to make sure that only my laptop is able to gain
> > > > > access on that certain port.
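As an added illustration (not code from this thread or from Cisco), here is a toy Python model of the behaviour the thread describes: port security inspects only the source MAC of frames arriving on a port, so a chatty station on the wrong port is disabled at once, while a station that never transmits is never checked and, without SPAN, receives only flooded traffic (broadcasts and unknown unicast). The DOS and Win98 MAC addresses are the ones in Kevin's report; the server MAC, the uplink port name and the frame sequence are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"

@dataclass
class Port:
    name: str
    secure_mac: str = ""  # the one permanent MAC when "port secure max-mac-count 1"
    enabled: bool = True
    received: list = field(default_factory=list)  # frames delivered to the attached station

class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        # CAM table MAC -> port; permanent (secured) entries exist before any traffic.
        self.cam = {p.secure_mac: p.name for p in ports if p.secure_mac}

    def ingress(self, port_name, src, dst):
        """A frame enters on port_name; returns what the switch did with it."""
        port = self.ports[port_name]
        if not port.enabled:
            return "dropped"
        # Port security looks only at the SOURCE MAC of frames coming IN on the port.
        if port.secure_mac and src != port.secure_mac:
            port.enabled = False
            return "Disabled-violation"
        if not port.secure_mac:
            self.cam[src] = port_name  # ordinary dynamic learning on unsecured ports
        # Known unicast goes out one port; broadcast and unknown unicast are flooded.
        out = None if dst == BROADCAST else self.cam.get(dst)
        targets = [out] if out else [n for n, p in self.ports.items() if n != port_name and p.enabled]
        for n in targets:
            self.ports[n].received.append((src, dst))
        return "forwarded" if out else "flooded"

DOS_SNIFFER = "0260.8cd8.7b0e"  # from the thread: secured on Ethernet 0/10
WIN98 = "0000.b494.37e3"        # from the thread: secured on Ethernet 0/11
SERVER = "0000.0c12.3456"       # constructed: a server behind uplink port A

def lab_scenario():
    """Replays the 1912 experiment: chatty host vs. silent sniffer, before and after the swap."""
    sw = Switch([Port("0/10", DOS_SNIFFER), Port("0/11", WIN98), Port("A")])
    ok = sw.ingress("0/11", WIN98, BROADCAST)       # Win98 chatter on its own port: allowed
    sw.ingress("A", SERVER, BROADCAST)              # server broadcast: sniffer sees it with no SPAN
    sw.ingress("A", SERVER, WIN98)                  # known unicast: sniffer does NOT see it
    swapped = sw.ingress("0/10", WIN98, BROADCAST)  # cables swapped: Win98 chatter trips 0/10
    # The sniffer, now on 0/11, never transmits, so port security has nothing to check.
    return {"ok": ok, "swapped": swapped,
            "port_0_10_enabled": sw.ports["0/10"].enabled,
            "port_0_11_enabled": sw.ports["0/11"].enabled,
            "sniffer_saw": sw.ports["0/10"].received}
```

The model also shows the flip side of Kevin's observation: unicast between hosts the switch has already learned is not delivered to the sniffer port, so a quiet sniffer's exposure without SPAN is limited to flooded frames.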




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53536&t=53446
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]