Sniffing: How to Prevent It

To be able to prevent a sniffing attack, you first need to understand the network segments and
trust between computer systems.
Network Segmentation
A network segment consists of a set of machines that share low-level devices and wiring and see
the same set of data on their network interfaces. The wires on both sides of a repeater are
clearly in the same network segment because a repeater simply copies bits from one wire to the
other wire. An ordinary hub is essentially a multiport repeater; all the wires attached to it are
part of the same segment.
In higher-level devices, such as bridges, something different happens. The wires on opposite
sides of a bridge are not part of the same segment because the bridge filters out some of the
packets flowing through it. The same data is not flowing on both sides of the bridge. Some
packets flow through the bridge, but not all. The two segments are still part of the same
physical network. Any device on one side of the bridge can still send packets to any device on
the other side of the bridge. However, the exact same sets of data packets do not exist on both
sides of the bridge. Just as bridges can be used to set up boundaries between segments, so can
switches. Switches are essentially multiport bridges. Because they limit the flow of all data, a
careful introduction of bridges and switches can be used to limit the flow of sensitive
information and prevent sniffing on untrustworthy machines.
The introduction of switches and bridges into a network is traditionally motivated by factors
other than security. They enhance performance by reducing the collision rate of segments,
which is much higher without these components. Switches and bridges overcome the time
delay problems that occur when wires are too long or when simple repeaters or hubs introduce
additional time delay. As one is planning the network infrastructure, one should keep these
other factors in mind as well. One can use these factors to sell the introduction of additional
hardware to parties less concerned with security.
A segment is a subset of machines on the same subnet. Routers are used to partition networks
into subnets. Hence, they also form borders between segments in a network. Unlike bridges
and switches, which do not interact with software on other devices, routers interact with
network layer software on the devices in the network. Machines on different subnets are always
part of different segments. Segments are divisions within subnets, although many subnets
consist of a single segment in many networks. Dividing a network into subnets with routers is
a more radical solution to the sniffing problem than dividing subnets into segments. However,
as you will see in a later section, it may help with some spoofing problems.
Segmentation of a network is the primary tool one has in fighting sniffing. Ideally, each
machine would be on its own segment and its interface would not have access to network data
for which it is not the destination. This ideal can be accomplished by using switches instead of
hubs to connect to individual machines in a 10BASE-T network. As a matter of practicality
and economics, however, one must often find a less ideal solution. Such solutions all involve
the notion of trust between machines. Machines that can trust each other can be on the same
segment without worry of one machine sniffing at the other’s data.
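As an added example (not code from the original text), the following toy model contrasts a hub with a learning switch and reports which hosts' interfaces receive each frame. It also shows the caveat the text implies but does not spell out: a switch floods broadcast frames and frames to destinations it has not yet learned, so an untrusted machine on a switched segment still sees some traffic. Host names, port numbers and MAC addresses are constructed.

```python
# Added example (not from the original text): a toy model of a hub versus a
# learning switch, showing which hosts' interfaces receive a given frame.
# Host names, port numbers and MAC addresses below are constructed.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address

class Hub:
    """Multiport repeater: every other port sees every bit."""
    def __init__(self, ports):
        self.ports = dict(ports)  # port id -> name of attached host

    def forward(self, in_port, frame):
        return sorted(p for p in self.ports if p != in_port)

class LearningSwitch:
    """Multiport bridge: learns source MACs and filters known unicast."""
    def __init__(self, ports):
        self.ports = dict(ports)
        self.table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, frame):
        self.table[frame.src] = in_port  # learn where the sender lives
        out = self.table.get(frame.dst)
        if frame.dst == BROADCAST or out is None:
            # Broadcast or not-yet-learned destination: flood like a hub.
            return sorted(p for p in self.ports if p != in_port)
        return [] if out == in_port else [out]

def observers(device, in_port, frame):
    """Names of the hosts whose interface receives the frame."""
    return [device.ports[p] for p in device.forward(in_port, frame)]

# Constructed sample: three hosts; "eve" on port 3 is the untrusted machine.
PORTS = {1: "alice", 2: "bob", 3: "eve"}
MAC = {"alice": "00:00:00:00:00:01", "bob": "00:00:00:00:00:02"}
def demo(device_cls):
    """Three frames between alice and bob; returns who saw each one."""
    dev = device_cls(PORTS)
    return [
        observers(dev, 1, Frame(MAC["alice"], MAC["bob"])),  # bob unknown yet
        observers(dev, 2, Frame(MAC["bob"], MAC["alice"])),  # bob's port learned
        observers(dev, 1, Frame(MAC["alice"], MAC["bob"])),  # filtered to bob
    ]
```

On the hub, eve sees all three frames; on the switch she sees only the first, flooded one.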
Understanding Trust
Typically, one thinks of trust at the application layer between file servers and clients. Clearly,
the file server trusts its clients to authenticate users. However, this notion of trust extends to
lower-level network devices as well. For example, at the network layer, routers are trusted to
deliver datagrams and correct routing tables to the hosts on their networks. Hosts are trusting
of routers and routers are trusted machines. If you extend the concept of trust down to the
data link layer one gets to sniffing. A machine sending data considered private on a particular
network segment must trust all machines on that network segment. To be worthy of that trust,
the machines on the segment and the wiring between them must have sufficient physical
security (locks on doors, armed guards, and such) to ensure that an attacker cannot install a
sniffer on that segment.
The threat of sniffing comes from someone installing sniffing software on a machine normally
on the network, someone taking a sniffer into a room and jacking it into the network
connections available there, or even installing an unauthorized network connection to sniff. To
counter these options, you must rely on the security of the operating system itself to prevent
the execution of unauthorized sniffing, the personal trustworthiness of the people who have
access to the rooms in which network components are located, and physical security to prevent
untrustworthy people from gaining access to these rooms.
Hardware Barriers
To create trustworthy segments, you must set up barriers between secure segments and
insecure segments. All of the machines on a segment must mutually trust each other with the
data traveling on the segment. An example of such a segment would be a segment that does
not extend outside the machine room of a computing facility. All machines are under the
control of a cooperating and mutually trusting systems staff. The personal trust between staff
members is mirrored by the mutual trust between the systems for which they are responsible.
The opposite of this is the belief and understanding that some segments simply must be
considered insecure. Insecure segments need not be trusted if those segments carry only public
or non-critical data. An example of such a segment is a university laboratory used only by
students. No guarantee of absolute security is made for the information stored. Possibly the
students realize that for this network drive only reasonable precautions will be taken to
maintain privacy by enforcement of password protections, file system access lists, and regular
backups.
It is less clear where to draw the line in a more professional business setting. The only basis for
trust between machines is for trust between the people who control the machines. Even if a
person can be trusted personally in an ethical sense, he or she may not be trustworthy
technically to administer a machine in such a way that an attacker could not abuse the machine
under his or her control.
Suppose a set of machines has a set of trust relationships as shown in figure 6.5 (an arrow
points from the trusting machine to the trusted machine). One needs to connect them to the
network in such a way that no two machines that do not trust each other are on the same
segment, and to provide appropriate physical security to avoid tampering with a trusted
machine. One such partitioning is shown in figure 6.6 (the lines between segments indicate
that the segments are connected by a device that limits data flow, such as a bridge).
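The partitioning step above can be made mechanical. Because a machine sending private data must trust every other machine on its segment, each segment has to be a set of machines that all trust one another mutually. The following added example (not the book's figures 6.5 and 6.6, whose contents are not reproduced here) takes one-way trust arrows, keeps only the mutual ones, and greedily groups machines into valid segments; the machine names and trust edges are constructed.

```python
# Added example (not from the original text): partition machines into
# segments so that every pair sharing a segment trusts each other mutually.
# Machine names and trust edges below are constructed for illustration.
from itertools import combinations

def mutual_trust(trusts):
    """trusts: set of (trusting, trusted) pairs. Returns the symmetric subset."""
    return {(a, b) for (a, b) in trusts if (b, a) in trusts}

def segment_ok(segment, mutual):
    """True if every pair of machines on the segment trusts each other."""
    return all((a, b) in mutual for a, b in combinations(segment, 2))

def partition(machines, trusts):
    """Greedy partition: place each machine on the first segment whose members
    all trust it and are trusted by it; otherwise open a new segment. A machine
    nobody trusts mutually ends up alone, i.e. on its own switch port."""
    mutual = mutual_trust(trusts)
    segments = []
    for m in sorted(machines):
        for seg in segments:
            if all((m, x) in mutual for x in seg):
                seg.append(m)
                break
        else:
            segments.append([m])
    return segments

# Constructed sample: arrows point from the trusting machine to the trusted one.
MACHINES = {"fileserver", "admin-ws", "dev1", "dev2", "lab-pc"}
TRUSTS = {
    ("fileserver", "admin-ws"), ("admin-ws", "fileserver"),
    ("dev1", "dev2"), ("dev2", "dev1"),
    ("dev1", "fileserver"),   # one-way: the file server does not trust dev1
    ("lab-pc", "fileserver"), # one-way: the lab PC trusts but is not trusted
}

def demo():
    """Partition the sample and check every segment is a mutual-trust group."""
    segs = partition(MACHINES, TRUSTS)
    assert all(segment_ok(s, mutual_trust(TRUSTS)) for s in segs)
    return segs
```

The greedy pass is not guaranteed to use the fewest segments, but every segment it produces satisfies the mutual-trust requirement.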
Secure User Segments
Security is a relative thing. How secure you make a segment is related to how much control
you take away from the technically untrustworthy end user who uses the network in a location
with limited physical security.
In some settings, you may consider it appropriate to remove control of a machine from the end
user because you cannot trust the end user from a technical standpoint. However, to actually
remove control from the end user and prevent the end user machine from being used for
sniffing, the machine on the end user’s desk essentially becomes a terminal. This may seem
disheartening, but keep in mind that terminals such as X Window System terminals provide
the user with all the functionality of a workstation for running most Unix application
software—they also have no moving parts and are virtually maintenance free.
If the end user cannot be trusted or if the software on a desktop machine could be altered by
the authorized end user because of the machine’s physical location, then the machine should
not be a personal computer. For the purposes of this discussion, a personal computer is one
that runs an operating system such as DOS, Windows 3.1, or Windows 95. These operating
systems lack the notion of a privileged user in the sense that any user can run any program
without interference from the operating system. Hence, any user can run a sniffer on such a
system. PCs have always been popular because they can be customized by the end user. No
system administrator can restrict what the end user can and cannot do with one of these
machines. In highly secure settings, machines that use these operating systems are set up
without local disks to prevent installation of unauthorized software such as a sniffer.
Essentially, they become terminals that offload some of the work from the central, physically secure
server.

A workstation running an operating system such as Windows NT, Unix, or VMS provides an
extra degree of protection because these systems include privileged users, also known as
superusers (“administrator” in NT, “root” in Unix, and “system” in VMS) who must know a
special password. These operating systems only allow access to certain hardware level
operations to superusers. If the end user has ordinary user access to the machine on his or her desk
but does not have superuser privileges, then the machine can be trusted to a larger degree than
the user. It is still possible to bring alternative boot media to most workstation-class operating
systems and obtain superuser privileges without knowing the superuser password. The more
secure systems, however, limit the user’s ability to install software. Usually the only software
that can be installed by the user is the operating system.
Note: I once had to review the security arrangements on a set of (DECstation 3100)
workstations. The system administrator in charge of the local network had designated
the workstations secure enough to be trusted by the file server to NFS mount a
file system containing mission-critical data directories. I turned one of the workstations
off, waited a second and turned it back on. After a self-test, it came up with a
boot monitor prompt. I was familiar with similar machines and knew I had two
alternatives, but was unsure what the effective difference would be on this particular
model of workstation. As it turned out, one command (auto) would boot the
workstation directly into Unix multiuser mode, which is what the system administrator
had always done. The system administrator was unaware of the results of trying
the alternative command. When I tried the alternative command (boot), the workstation
booted directly into Unix single-user mode and gave the person at the keyboard
superuser privileges without being required to issue a password.
These workstations clearly were not sufficiently secure to be trusted to NFS mount
the mission-critical disks. The documentation supplied with the workstations did not
mention it. However, it turned out that the single-user mode can be password
protected with a password stored in non-volatile RAM under the control of the boot
monitor. Password protection made these workstations sufficiently secure to be
trusted to mount the mission-critical disks. Absolute security is out of the question,
since one can still reset the non-volatile RAM by opening the system box. On other
systems, the password may be circumvented with other methods.
Although this story has little to do with sniffing, it illustrates how trust can often lead
to unexpected risks on machines outside the server room. By obtaining superuser
privileges, a user could not only sniff data, but do much more serious damage.