
Sniffing - Mitigations



    As a penetration tester, it is your job to put in place some form of prevention that secures the target system against the findings you made during the pentest.

    Here are some defensive mitigations against sniffing:
    • Use a hardware switched network for the most sensitive portions of your network in an effort to isolate traffic to a single segment or collision domain.
    • Implement IP DHCP Snooping on switches to prevent ARP poisoning and spoofing attacks.
    • Implement policies preventing promiscuous mode on network adapters.
    • Be careful when deploying wireless access points, knowing that all traffic on the wireless network is subject to sniffing.
    • Encrypt your sensitive traffic using an encrypting protocol such as SSH or IPSec.

    Other ways of hardening a network against sniffing:
    • Static ARP entries, which consist of preconfiguring a device ahead of time with the MAC addresses of the devices it will be talking to. This does not scale well and is cumbersome to manage.
    • Port security is used by switches that have the ability to allow only specific MAC addresses to send and receive data on each port.
    • IPv6 has security benefits and options that IPv4 does not have.
    • Replace protocols such as FTP and Telnet with SSH or other secure alternatives that support encryption.
    • Virtual Private Networks (VPNs) can provide an effective defense against sniffing because the tunnelled traffic is encrypted.
    • SSL/TLS is a great defense against sniffing and can be layered over otherwise insecure protocols; IPSec can be used the same way.

    Even though the gain is limited, port security is also a protective measure. Port security is a low-level security methodology that allows only a specific number of MAC addresses to attach to each switch port; usually just one or two MAC addresses are allowed per port. Note that if the network is dual stacked, IPv4 and IPv6 will have different MAC addresses even though they are from the same host. If the number of allowed MAC addresses is exceeded, the port might shut down or raise an alarm, depending on how that particular port is configured.
    Port security can be defeated by MAC spoofing if the attacker is able to obtain an accepted MAC address, but it still protects against MAC flooding.

    Aside from pure defense, it is possible to be proactive and use detection techniques designed to locate any attempts to sniff and stop them.

    These methods include:
    • Look for systems running network cards in promiscuous mode. Under normal circumstances there is little to no reason for a network card to be in promiscuous mode and as such all cards running in this mode should be investigated.
    • Run a Network Intrusion Detection System (NIDS) to detect telltale signs of sniffing and track down the source of the issue.
    • Tools such as HP's Performance Insight can provide a way to view the network and identify strange traffic.
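    One way to implement the first of these checks on a Linux host, as an added example that is not part of the original post: it reads the PROMISC flag either from `ip -o link show` output or from the hex flags word in /sys/class/net/<iface>/flags, and ships with constructed sample data so it runs offline.

```python
"""Flag network interfaces running in promiscuous mode on a Linux host.

Added example. Uses the IFF_PROMISC bit from <linux/if.h> and the flag
list printed by `ip -o link show`; standard library only.
"""
import re
import subprocess
from pathlib import Path

IFF_PROMISC = 0x100  # interface flag bit set when the NIC accepts all frames

# Matches "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def promisc_from_ip_link(output: str) -> list[str]:
    """Names of interfaces whose `ip -o link show` flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = _LINK_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promisc_from_flags(flags_by_iface: dict[str, str]) -> list[str]:
    """Names of interfaces whose hex flags word (contents of
    /sys/class/net/<iface>/flags) has the IFF_PROMISC bit set."""
    return sorted(name for name, raw in flags_by_iface.items()
                  if int(raw.strip(), 16) & IFF_PROMISC)


def read_sysfs_flags(sys_net: Path = Path("/sys/class/net")) -> dict[str, str]:
    """Collect the raw flags word of every interface under sysfs (live host)."""
    return {p.name: (p / "flags").read_text()
            for p in sys_net.iterdir() if (p / "flags").is_file()}


# Constructed sample output in `ip -o link show` format; eth1 is the sniffer.
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
    "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
)
# Constructed sysfs flag words for the same interfaces (0x1003 = UP|BROADCAST|MULTICAST).
SAMPLE_SYSFS_FLAGS = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}

if __name__ == "__main__":
    live = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    print("promiscuous (ip link):", promisc_from_ip_link(live))
    print("promiscuous (sysfs):", promisc_from_flags(read_sysfs_flags()))
```

    Any interface the script reports should be matched against a known reason (a monitoring span port, a NIDS sensor) before being treated as benign.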

    Certified Security Geek