Re: [squid-users] Re: squid_ldap_auth and passwords in clear text

From: Henrik Nordstrom <>
Date: Tue, 18 Nov 2008 10:15:54 +0100

On Sun, 2008-11-16 at 10:48 -0800, Chuck Kollars wrote:

> Eavesdropping on all network traffic from any connection used to be a big problem when network hubs repeated all traffic everywhere. Although Ethernet has changed hugely, the old paranoia remains. Any modern device is
> a "switch" (not a "hub") and only directs traffic to the one port it's destined for, so nobody else can eavesdrop.

It's usually almost as easy to eavesdrop on selected traffic in a
switched environment, only requires some small amount of extra
preparation to get the traffic flowing in your direction.

> Of course even with "switches" you should take some reasonable precautions:
> 1) Ensure whatever you do to get your sniffer to work is inaccessible to users.

Usually the steps taken by a network admin to run a sniffer are very
different from those of an attacker. A serious network admin uses a dedicated
station for the purpose, connected to a mirror port on the switch. An
attacker uses a compromised station or server (or, in very rare cases of
physical access, plugs his own gear into a free or borrowed network socket).

> 2) Keep all network infrastructure physically inaccessible, perhaps by locking the wiring closets.

Doesn't help when there is a compromised station on the network, unless
you both configure the switch to lock ports to MAC addresses and use smart
ARP filtering.

> 3) Restrict (password protect and more) and monitor "remote" access to all network infrastructure devices.

As above.

> 4) Keep all servers (Squid, etc.) physically inaccessible.

As above.

> 5) Severely restrict (or disallow altogether) "remote" access to all servers (ex: only SSH and never as root and only with a public/private key).


> 6) Avoid using those cheap "mini-hubs" (often 5-port) unless you're sure your model really functions as a switch despite its name.

Not sure it's very relevant.. and most do function as switches despite
their price.. but just don't expect to be able to push a full matrix of
traffic over them...


Received on Tue Nov 18 2008 - 09:16:01 MST

This archive was generated by hypermail 2.2.0 : Tue Nov 18 2008 - 12:00:03 MST
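The MAC port-locking and "smart ARP filtering" that Henrik mentions amount to checking that no host answers ARP for an address it does not own. As an added illustration (not code from this thread or from Squid), here is a small Python detector that applies that check to a constructed feed of observed ARP replies, such as a sniffer on a mirror port might produce: it flags any IP whose announced MAC contradicts a pinned entry or a previously learned one, and lists MACs that answer for more than one IP.

```python
# Added example (not from the thread or Squid): flag ARP-poisoning symptoms
# in a feed of observed ARP replies. SAMPLE is constructed data; a real feed
# would come from a sniffer on a switch mirror port, as the message describes.
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

class ArpReply(NamedTuple):
    ts: float         # observation time (seconds)
    sender_ip: str    # IP the sender claims to own
    sender_mac: str   # MAC it announces for that IP

class Alert(NamedTuple):
    ts: float
    ip: str
    expected_mac: str
    observed_mac: str

# Constructed: gateway 10.0.0.1 answers from :01, then host :25 starts
# answering for the gateway's IP, and later the genuine reply returns.
SAMPLE: List[ArpReply] = [
    ArpReply(1.0, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(2.0, "10.0.0.25", "00:11:22:33:44:25"),
    ArpReply(3.0, "10.0.0.1", "00:11:22:33:44:25"),  # contradicts :01
    ArpReply(4.0, "10.0.0.1", "00:11:22:33:44:25"),  # bogus binding repeated
    ArpReply(5.0, "10.0.0.1", "00:11:22:33:44:01"),  # flaps back to real MAC
]

def detect_arp_conflicts(replies: Iterable[ArpReply],
                         trusted: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Alert on every reply whose MAC contradicts the expected binding.
    `trusted` pins IPs to fixed MACs (a static inspection ACL) and is never
    overwritten; other IPs are learned from their first reply."""
    trusted = dict(trusted or {})
    learned: Dict[str, str] = {}
    alerts: List[Alert] = []
    for r in replies:
        expected = trusted.get(r.sender_ip, learned.get(r.sender_ip))
        if expected is not None and expected != r.sender_mac:
            alerts.append(Alert(r.ts, r.sender_ip, expected, r.sender_mac))
        if r.sender_ip not in trusted:
            learned[r.sender_ip] = r.sender_mac
    return alerts

def macs_claiming_multiple_ips(replies: Iterable[ArpReply]) -> Dict[str, List[str]]:
    """Map each MAC that answers for more than one IP to the IPs it claimed."""
    claimed: Dict[str, set] = defaultdict(set)
    for r in replies:
        claimed[r.sender_mac].add(r.sender_ip)
    return {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) > 1}
```

Pinning the gateway in `trusted` makes every bogus reply an alert rather than only the first change, which is the behaviour you want for the few addresses an attacker would most like to impersonate.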