A switch is a network device that, like routers, forwards packets between LAN segments, providing somewhat of a subset of the functionality of a router, at a lower price. The simplest switches generally operate at the data link layer (OSI Layer 2), and base packet-forwarding decisions on physical device locations (for example, destination MAC address) rather than on supplied network-level rules for packet routing using IP network addresses, as in full routers.
Switches are useful in controlling access to network packets traveling on a wire. Since switches avoid making a packet sent by one host available to all other hosts on the switch (unlike hubs), the potential for sniffing is greatly reduced.
Of course, a caveat to this is that switches have been designed primarily to enhance network performance, not network security.
It is possible to barrage some switches with an excessive amount of traffic from unused MAC addresses, causing the switch to overflow its MAC address table and reconfigure itself into working just like a hub. Once the switch is in hub mode, traffic is no longer restricted and sniffing is once again possible. With another switch, frames are always forwarded to all ports on the switch and the switch processor is relied upon to explicitly tell all ports except the correct one to drop the frame. If there is an excessive amount of processing on the switch (say, from handling bad packets) the processor may not get around to telling the other ports to drop the frames and the frames are sent out on all ports, as with a hub.272 Another way to sniff switched traffic is to use spoofed ARP packets to misinform the switch of the MAC addresses for the hosts whose traffic you wish to sniff.273
Switches can be targets for attackers, who can gain access to administrative features of managed switches by using default passwords, or sniffing switch passwords sent in clear text via SNMP or telnet.
As with routers, improper configuration can be an issue limiting the effectiveness of a switch as a traffic isolation device. Also, as with all hardware, its important to watch for security-related firmware updates and install them when available.
272. Turner, Aaron D., Network Insecurity with Switches, http://synfin.net/docs/switch_security.html
273. Switching and VLAN Security FAQ, http://www.fefe.de/switch
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.