An inordinate amount of security effort goes into preventing network sniffing. Well-designed protocols have some kind of protection built in against network sniffing. Kerberos, for example, is specifically designed to be resilient to intercepted packets. In fact, if you ask the average system administrator what the largest network security problems are, network sniffing will almost certainly be high on the list. Does that mean that network sniffing is one of the worst threats we face? No, not really.
Consider your network infrastructure. When most protocols were designed, 10 or more years ago, bus networks (often implemented using hubs) were common. In that environment, anyone with access to the medium had access to all traffic on the medium. And in that environment, sniffing is a very serious problem. The same holds true even today on wireless networks implemented without security. A wireless network without any security, including one using Wired Equivalent Privacy (WEP), is subject to sniffing very easily.
WEP is true to its name: it provides the same level of privacy available on wired networks, which is none. Without additional technology, the data on a wire isn't private. For wireless networks, 802.1X or Wi-Fi Protected Access (WPA) is considered to provide adequate security and privacy.
However, you probably don't have many hubs left in your wired network. Most networks are switched today. On a switched network, a wide area network, or a secured wireless network, sniffing usually means that one of three things has happened:
If a bad guy has taken over an endpoint, there's no point in sniffing traffic (unless the goal is to sniff logons and crack them). If that's the case, attackers can simply go get the information they want, as opposed to waiting for it to show up. This highlights one very important factor in wire sniffing: although you may get all the traffic, it's nontrivial to identify which of it is important, particularly when it's part of a very large stream of information. When you take that into consideration, is number 2 even a viable attack? Even if the bad guy takes over an intermediate device, will he be able to tell whether the traffic is important? Of course, if the information he wants is preceded by the word "password", the decision as to importance might be trivial.
That leaves us with number 3, which is probably the most serious of the wire sniffing attacks. Often, a man-in-the-middle attack can be carried out through social engineering (see Chapter 5, "Educating Those Pesky Users"). After the victim has been duped, a number of options open up. For example, the SMB reflection and SSL proxy attacks we mention in Chapter 8, "Security Dependencies," fall into this category. So do attacks such as ARP spoofing, where a bad guy sends ARP packets claiming to be a router, and DNS poisoning, where he attempts to subvert the DNS cache. Tools are available for detecting ARP spoofing. Nevertheless, on sensitive servers it may be useful to preload the ARP cache. DNS poisoning is relatively difficult, but can be performed using vulnerabilities in DNS. It is easily defeated using host identification, which we discuss later in this chapter.
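The ARP spoofing scenario above (an attacker answering ARP for the router's address) can be detected by watching for an IP address whose claimed MAC changes, and a preloaded binding works the same way a static ARP entry on a sensitive server does. The following is an added example, not code from the book; the frames, MAC addresses and IP addresses are constructed for illustration.

```python
import struct


def build_arp(sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str, op: int = 2) -> bytes:
    """Build a raw Ethernet/ARP frame (opcode 2 = reply). Used here only to
    construct sample input for the detector, as a capture tool would see it."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = target_mac + sender_mac + b"\x08\x06"  # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, 6/4 byte addrs
    return eth + arp + sender_mac + ip(sender_ip) + target_mac + ip(target_ip)


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip


def detect_arp_spoofing(frames, trusted=None):
    """Track IP -> MAC bindings learned from ARP replies and report every
    reply whose sender MAC conflicts with the binding already known.
    `trusted` preloads bindings (e.g. the router), like a static ARP entry."""
    table = dict(trusted or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:
            continue  # only ARP replies create or change bindings here
        _, mac, ip = parsed
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((ip, known, mac))  # (ip, expected_mac, claimed_mac)
    return alerts


# Constructed sample traffic: a genuine reply from the router, then a forged
# reply in which another station claims the router's address.
ROUTER_MAC = bytes.fromhex("001122334455")
ROGUE_MAC = bytes.fromhex("66778899aabb")
HOST_MAC = bytes.fromhex("aabbccddeeff")
SAMPLE_FRAMES = [
    build_arp(ROUTER_MAC, "192.168.1.1", HOST_MAC, "192.168.1.10"),
    build_arp(ROGUE_MAC, "192.168.1.1", HOST_MAC, "192.168.1.10"),
]

if __name__ == "__main__":
    for ip, expected, claimed in detect_arp_spoofing(SAMPLE_FRAMES):
        print(f"ARP conflict for {ip}: expected {expected}, got {claimed}")
```

With a preloaded binding for the router, even the very first forged reply is flagged, which is the benefit of a static entry on a sensitive server.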
None of this means we can disregard network sniffing as a viable attack. It does, however, mean that we shouldn't worry about it as much as some other types of attacks. This is a matter of seeing and understanding the whole security landscape and properly mitigating those threats that make the biggest difference. And because it's so much easier just to attack a computer (where there's a lot of usually unencrypted data) and get a huge return on investment, attackers are smart and almost always try to do that rather than take the time to sort through megabytes of sniffed traffic looking for a single credit card number.
Now that we've put things into perspective, let's proceed to where network protection can be used, what for, and how.