DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 29th March 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default Does bridging reinforce privacy?

Does bridging reinforce privacy ?

for instance, when I followed the manual .. I set three hostname. this way :
Code:
     bce0  :    up media 10base2
     wpi0 :     dhcp 
     bridge0  :   add bce0
                       add wpi0
                       up

Last edited by ocicat; 31st March 2012 at 04:50 PM. Reason: Adding [code] & [/code] tags for clarity...
Reply With Quote
  #2   (View Single Post)  
Old 29th March 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,878
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by daemonfowl View Post
Does bridging reinforce privacy ?
The chief reason for bridging is to limit collision domains at Layer 2 of the OSI model. Since bridges exist on the "link layer" (which is another name for Layer 2...), they won't be seen at the IP address level or "Layer 3". Because of this, bridges & switches are called "transparent", but this has little to nothing to do with privacy.

If this terminology is bewildering, study the OSI model. An introduction can be found on Wikipedia:

http://en.wikipedia.org/wiki/Osi_model

Last edited by ocicat; 30th March 2012 at 12:42 AM.
Reply With Quote
  #3   (View Single Post)  
Old 29th March 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,878
Thanked 190 Times in 160 Posts
Default

It is not uncommon for intermediate-level commercial switches (not low-end consumer switches...) to be marketed as "managed switches". These switches are accessible by IP address so that they can be configured ("managed") remotely.

In addition, there are what are known as "Layer 3 switches" which integrate a router into a switch. The purpose of these intermediate-level devices is to facilitate VLAN trunking all within the same device ("router-on-a-stick" is a common configuration...).

So not all switches/bridges exist solely at Layer 2, but for practical reasons, it is safe to think of switches as only Layer 2 devices.

And for what it may be worth, Henning is not a fan of Layer 3 switches.
Reply With Quote
  #4   (View Single Post)  
Old 30th March 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default

Thank you Ocicat !!
for me to fully grasp your last post I need to spend hours of reading .. I'm starting with wikipedia .. :-)
Reply With Quote
  #5   (View Single Post)  
Old 30th March 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,878
Thanked 190 Times in 160 Posts
Default

This discussion has been separated from its parent thread:

http://www.daemonforums.org/showthre...3471#post43471
Reply With Quote
  #6   (View Single Post)  
Old 30th March 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default

Sorry Ocicat
I must apologize for this thousand time made mistake .. I'd rather have started a new thread ..
Reply With Quote
  #7   (View Single Post)  
Old 31st March 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,878
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by daemonfowl View Post
Does bridging reinforce privacy ?
I'm coming back to this question again.

I assume you may be comparing the actions of switches & hubs. When using a hub (which is a Layer 1 device...), all packets are sent to all hosts, & each host will determine if the packets target them. If the host is not the designated receiver, the host will ignore the packet. If two hosts on the same LAN segment try to transmit at the same time, the packets will collide causing the communication to fail. Both senders will each wait a random length of time before attempting to transmit again. This is defined as a collision domain. Communication in a hubbed environment is half-duplex at best.

Switches are an improvement in that after a learning phase (seeding the ARP cache...), packet traffic is not sent to all hosts in the LAN segment. A virtual circuit is created only between the sending & the receiving hosts. Packet collisions can still occur, but they are limited to the two hosts in the virtual circuit, or for each port on the switch.

When using a hub, hosts can potentially set their network interfaces into "promiscuous mode" which means they can capture all network LAN traffic -- whether they are the designated recipient or not. This is how packet sniffers work.

A conclusion one might draw is that a switched environment is more secure than a hub environment. Slightly. If I want to eavesdrop on conversations in a switched environment, all I need is access to the switch itself. Most commerical grade switches have features such as port replication where any traffic going through a specific port can be duplicated elsewhere. I can still monitor specific network traffic in a switched environment. If the switch used does not support port replication, I can also use a network tap directly on the connection itself.

So to say that communication in a switched environment is more secure in & of itself, no. I simply just have to use more sophisticated methods to monitor traffic.

I will close quoting Ron Rivest of RSA fame:

Cryptography is about communication in the presence of an adversary.
If one is really concerned about privacy, encryption is required. Bridges/switches by themselves do not provide this. This isn't part of the set of problems they were designed to address. Switches are an evolution from hubs which allows Ethernet communication to be full-duplex. LAN segments can now support more than one active conversation between their hosts.

Last edited by ocicat; 31st March 2012 at 06:19 PM.
Reply With Quote
  #8   (View Single Post)  
Old 1st April 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Thanked 0 Times in 0 Posts
Default

Thank you very much, Ocicat !!
I understand part of your post while some points escape me ..
could I ask you about your encryption habits/choices (when sending mail or surfing the web) ?
Reply With Quote
  #9   (View Single Post)  
Old 1st April 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,878
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by daemonfowl View Post
could I ask you about your encryption habits/choices (when sending mail or surfing the web) ?
Since the subject of this thread is "Does bridging enforce privacy?", discussing email & encryption would be changing subjects. If you want to discuss a different topic, start a new thread.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Bridging firewall with OPenBSD 5.0 scrummie02 OpenBSD Security 4 23rd January 2012 03:49 AM
OpenBSD, PF, bridging and 10gE mbw OpenBSD Security 6 5th January 2012 08:51 PM
EFF concerned over AIM privacy J65nko News 0 4th January 2012 06:14 PM
wired and wifi sharing but cant use bridging domdurocher OpenBSD General 8 6th October 2011 01:47 AM


All times are GMT. The time now is 05:10 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick