Learn Ethical Hacking | Learn Hacking Online | Learn How To Hack|Hack Counter Hack| Ethical Hacking Tutorials

Packet Sniffing Countermeasures

As mentioned earlier, a hub network is more prone to sniffing, so it is better to use a switch instead of a hub. A switch not only reduces the chances of sniffing but also improves network performance. However, a switch alone cannot act as a countermeasure against packet sniffing. If a hacker uses ARP spoofing, he/she can easily sniff packets on a switched network, so a switch can never be a complete solution to packet sniffing. Countermeasures against sniffing also depend on the size of the network, i.e. whether your network is as small as 20-50 computers or as large as 1000-2000 computers or more.

A network with 20-50 computers is relatively small compared to a network with more than 1000 or 2000 computers. In small networks, adding a static IP address and a static ARP entry can help prevent ARP poisoning. By doing so, a computer with a specific MAC address will always get the same IP address, no matter how many times it reboots or restarts. This prevents ARP poisoning in a small-scale switched network.
In Windows you can create a static ARP entry by typing the following command, shown first in its general form and then with example values:

C:\>arp -s IP_address MAC_address

C:\>arp -s 192.168.1.10 00-aa-00-bb-00-cc

The second command (192.168.1.10 is an example address) gives that same IP address to the computer with MAC ID 00-aa-00-bb-00-cc; no matter how many times it reboots or restarts, its IP address will not change. On Linux and UNIX systems, adding entries differs from system to system; type man arp or info arp to get more information on how to configure the ARP table on your version of UNIX or UNIX-like system.

Several tools are available that make it easier to enter details into the ARP table; search Google for more information on your system's version and platform.

No matter how simple a tool you use for adding ARP table entries, on a large network it will surely be a fool's job, and it will not guarantee protection against sniffing. So for large networks, enable the network feature known as "Port Security", which allows only one MAC address for each physical port. Thus only one MAC address is permitted per machine, which prevents an attacker from using an ARP-based man-in-the-middle attack, i.e. ARP poisoning.

In reality, port security can prevent sniffing from the internal network, but what if the attacker is using a hardware protocol analyzer for sniffing? None of the above techniques can stop him from sniffing the network. The final word against sniffing is encryption: it will not prevent sniffing completely, but the sniffed data will be in encrypted form, which prevents disclosure of information. Again, no matter how big your network is, you must use a static ARP table in areas where sensitive information flows across the network.
Companies and organizations should warn their employees and members not to use services that require authentication, or to use a tunneled connection with the IPSec protocol enabled when they need to perform authentication-based communication. Lastly, a system or network administrator should regularly scan the network with sniffer detection tools like ARP Watch, Promiscan, Anti-Sniff, Prodetect, Kitti Litter, etc. The list is long, and you can find numerous tools, paid and open source, depending on your platform of operation.
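
The static ARP and detection advice above can be combined into one check, shown here as an added example that is not from the original post: it parses Windows arp -a output, compares it with a baseline of trusted IP/MAC pairs, and builds the arp -s lines that pin them. The sample output, the baseline values and the function names are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real host).
SAMPLE_ARP_A = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.10          00-11-22-33-44-55     static
  192.168.1.30          00-0c-29-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# Hypothetical baseline: trusted IP -> MAC pairs for the sensitive hosts.
BASELINE = {"192.168.1.1": "00-DE-AD-BE-EF-01", "192.168.1.10": "00-11-22-33-44-55"}

ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)

def parse_arp_table(text):
    """Return [(ip, mac, type)] rows, skipping headers, broadcast and multicast."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
            # Broadcast and IPv4 multicast MACs are shared by design; ignore them.
            if mac != "ff-ff-ff-ff-ff-ff" and not mac.startswith("01-00-5e"):
                rows.append((ip, mac, kind))
    return rows

def audit(rows, baseline):
    """Flag baseline mismatches, unpinned sensitive hosts, and one MAC on many IPs."""
    findings, ips_by_mac = [], {}
    for ip, mac, kind in rows:
        ips_by_mac.setdefault(mac, []).append(ip)
        expected = baseline.get(ip)
        if expected and expected.lower() != mac:
            findings.append(("MISMATCH", ip, mac))        # likely poisoned entry
        elif expected and kind != "static":
            findings.append(("NOT_STATIC", ip, mac))      # correct but not pinned
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:  # can be legitimate (multi-homed host), so investigate
            findings.append(("DUPLICATE_MAC", ",".join(ips), mac))
    return findings

def static_arp_commands(baseline):
    """Build the `arp -s IP_address MAC_address` lines that pin the baseline."""
    return [f"arp -s {ip} {mac.lower()}" for ip, mac in sorted(baseline.items())]

if __name__ == "__main__":
    for finding in audit(parse_arp_table(SAMPLE_ARP_A), BASELINE):
        print(*finding)
    print("\n".join(static_arp_commands(BASELINE)))
```

On the constructed sample, the gateway entry is reported as a mismatch and the same MAC is reported against two IP addresses, which is the pattern ARP poisoning leaves in a victim's ARP cache.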

In short,
  • Use switch instead of hub
  • Maintain static ARP table for sensitive regions
  • Use encryption such as SSH for communication
  • Educate Employees
  • Use Sniffing Detection Tools
I hope this was easy-to-follow and detailed information on countering sniffing. If you still have any problems, please feel free to ask. Thanks for reading and keep visiting.
