Old 1st February 2009
Darwimy
Port Guard
Join Date: Jun 2008
Location: Germany
Posts: 36

If the client does passive scanning it will be hard to prevent and detect this. But there are some limitations for the clients: if you use a switched network, they will only see traffic going to their own machines. To use capturing software they usually need to be root / administrator. If you restrict the clients to ordinary users, it will be hard to start the capturing software.

However, if they are able to start software as root / administrator (i.e. by exploiting the local machine, password guessing etc.) they can capture network traffic. This is also true if they can just plug in their own computer (i.e. a private laptop). They can then use a technique called ARP poisoning to redirect traffic from other machines to their client.

The latter should be detected by IDS software like Snort or others. It may also be able to detect the addition of new hosts to the network.
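The post mentions two detections an IDS can provide: spotting ARP poisoning and spotting new hosts. The following is an added example, not code from the post or from Snort, showing the core logic of both in a small Python monitor. It assumes ARP "is-at" replies have already been captured and decoded into (sender IP, sender MAC) records, and it uses constructed sample traffic: two inventoried machines plus a hypothetical unknown laptop that first announces itself and then claims the gateway's IP address.

```python
"""Minimal ARP monitor: flags IP/MAC conflicts (an ARP poisoning indicator)
and MAC addresses that are not on the administrator's inventory (new hosts).
Added example; not the code of any particular IDS."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One decoded ARP 'is-at' reply as seen on the wire (assumed input format)."""
    sender_ip: str
    sender_mac: str


def monitor_arp(replies, known_macs):
    """Return a list of alert strings for a sequence of ARP replies.

    known_macs: MAC addresses the administrator has inventoried; any other
    MAC that appears is reported once as a new host.
    An IP that is claimed by more than one MAC is reported as a conflict,
    which is what an ARP poisoning attempt looks like from the IDS side.
    """
    known = {m.lower() for m in known_macs}
    ip_to_macs = defaultdict(set)   # every MAC that has ever claimed each IP
    seen_macs = set()
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        if mac not in known and mac not in seen_macs:
            alerts.append(f"NEW_HOST mac={mac} claims ip={r.sender_ip}")
        seen_macs.add(mac)
        others = ip_to_macs[r.sender_ip] - {mac}
        if others:
            alerts.append(
                f"IP_CONFLICT ip={r.sender_ip} now={mac} previously={sorted(others)}"
            )
        ip_to_macs[r.sender_ip].add(mac)
    return alerts


# Constructed sample data (not captured from a real network).
INVENTORY = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}   # gateway, workstation
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway answers normally
    ArpReply("192.168.1.10", "aa:bb:cc:00:00:02"),  # inventoried workstation
    ArpReply("192.168.1.50", "de:ad:be:ef:00:01"),  # unknown laptop appears
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01"),   # laptop now claims gateway IP
]


def run_demo():
    """Run the monitor over the constructed sample and return the alerts."""
    return monitor_arp(SAMPLE_REPLIES, INVENTORY)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On the sample the monitor emits one NEW_HOST alert for the laptop and one IP_CONFLICT alert when it claims the gateway's address. A real deployment needs to age out old IP/MAC pairs, because a DHCP lease moving an address to another machine produces the same conflict pattern without any attack; an inventory of known MACs also has to be kept current or the new-host alert becomes noise.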