Old 31st March 2012
ocicat
Join Date: Apr 2008
Posts: 3,300

Originally Posted by daemonfowl
Does bridging reinforce privacy?
I'm coming back to this question again.

I assume you may be comparing the actions of switches & hubs. When using a hub (which is a Layer 1 device...), all packets are sent to all hosts, & each host will determine if the packets target them. If the host is not the designated receiver, the host will ignore the packet. If two hosts on the same LAN segment try to transmit at the same time, the packets will collide causing the communication to fail. Both senders will each wait a random length of time before attempting to transmit again. This is defined as a collision domain. Communication in a hubbed environment is half-duplex at best.

Switches are an improvement in that after a learning phase (seeding the ARP cache...), packet traffic is not sent to all hosts in the LAN segment. A virtual circuit is created only between the sending & the receiving hosts. Packet collisions can still occur, but they are limited to the two hosts in the virtual circuit, or for each port on the switch.

When using a hub, hosts can potentially set their network interfaces into "promiscuous mode" which means they can capture all network LAN traffic -- whether they are the designated recipient or not. This is how packet sniffers work.

A conclusion one might draw is that a switched environment is more secure than a hub environment. Slightly. If I want to eavesdrop on conversations in a switched environment, all I need is access to the switch itself. Most commercial grade switches have features such as port replication where any traffic going through a specific port can be duplicated elsewhere. I can still monitor specific network traffic in a switched environment. If the switch used does not support port replication, I can also use a network tap directly on the connection itself.

So to say that communication in a switched environment is more secure in & of itself, no. I simply just have to use more sophisticated methods to monitor traffic.

I will close quoting Ron Rivest of RSA fame:

Cryptography is about communication in the presence of an adversary.
If one is really concerned about privacy, encryption is required. Bridges/switches by themselves do not provide this. This isn't part of the set of problems they were designed to address. Switches are an evolution from hubs which allows Ethernet communication to be full-duplex. LAN segments can now support more than one active conversation between their hosts.

Last edited by ocicat; 31st March 2012 at 06:19 PM.
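Added example, not part of ocicat's post or this thread: a defender-side check for the promiscuous-mode point raised above. It assumes a Linux host and parses `ip -o link show` output for the PROMISC flag plus the kernel's "device X entered/left promiscuous mode" messages; all sample lines are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of `ip -o link show` output (one interface per line).
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample of kernel log lines (timestamps as printed by `dmesg -T`).
KMSG_SAMPLE = """\
[Sat Mar 31 18:01:02 2012] device eth0 entered promiscuous mode
[Sat Mar 31 18:05:10 2012] device eth1 entered promiscuous mode
[Sat Mar 31 18:06:00 2012] device eth1 left promiscuous mode
"""

IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")
KMSG_RE = re.compile(r"device (?P<name>\S+) (?P<action>entered|left) promiscuous mode")

def promisc_from_ip_link(text: str) -> List[str]:
    """Interfaces whose current flag set contains PROMISC (a live snapshot)."""
    found = []
    for line in text.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found

def promisc_from_kmsg(text: str) -> Dict[str, bool]:
    """Replay kernel messages in order; True means the last event was 'entered'."""
    state: Dict[str, bool] = {}
    for line in text.splitlines():
        m = KMSG_RE.search(line)
        if m:
            state[m.group("name")] = m.group("action") == "entered"
    return state

def report(ip_link_text: str, kmsg_text: str) -> Dict[str, List[str]]:
    """Combine the snapshot with the log so a sniffer that already left is still noticed."""
    current = set(promisc_from_ip_link(ip_link_text))
    history = promisc_from_kmsg(kmsg_text)
    return {
        "currently_promisc": sorted(current),
        "ever_promisc": sorted(history),
        "toggled_and_left": sorted(n for n, on in history.items() if not on),
    }

if __name__ == "__main__":
    print(report(IP_LINK_SAMPLE, KMSG_SAMPLE))
```

Note that a host-side check only covers the machine it runs on; port mirroring on the switch or a tap, as the post says, leaves no trace on the monitored hosts.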