Friday, 10 January 2014

Sniffer..?

Sniffers



Sniffers are almost as old as the Internet itself. They are one of the first tools that allowed system administrators to
analyze their network and pinpoint where a problem is occurring. Unfortunately, crackers also run sniffers to spy on your
network and steal various kinds of data. This paper discusses what a sniffer is, some of the more popular sniffers, and
ways to protect your network against them. It also talks about a popular tool called Antisniff, which allows you to
automatically detect sniffers running on your network.


Who uses Sniffers?


LAN/WAN administrators use sniffers to analyze network traffic and help determine where a problem is on the network. A
security administrator could use multiple sniffers, strategically placed throughout their network, as an intrusion detection
system. Sniffers are great for system administrators, but they are also one of the most common tools a hacker uses.
Crackers install sniffers to obtain usernames, passwords, credit card numbers, personal information, and other
information that could be damaging to you and your company if it turned up in the wrong hands. When they obtain this
information, crackers will use the passwords to attack other Internet sites and they can even turn a profit from selling
credit card numbers.

Defeating Sniffers

One of the most obvious ways of protecting your network against sniffers is not to let it get broken into in the first
place. If a cracker cannot gain access to your system, then there is no way for them to install a sniffer onto it. In a perfect
world, we would be able to stop here. But since an unprecedented number of security holes are found each month
and most companies don't have enough staff to fix these holes, crackers are going to exploit vulnerabilities and
install sniffers. Since crackers favor a central location where the majority of network traffic passes (e.g. firewalls, proxies),
these are going to be their prime targets and should be watched closely. Some other possible "victims" where
crackers like to install sniffers are next to servers where personal information can be seen (e.g. web servers, SMTP
servers).
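
One local check for the hosts named above as prime targets, as an added example that is not part of the original article: on Linux, list the interfaces whose kernel flags include IFF_PROMISC, which a sniffer usually sets to capture traffic addressed to other machines. It assumes a Linux host with sysfs mounted at /sys; the function names are illustrative.

```python
#!/usr/bin/env python3
"""Report network interfaces whose kernel flags include IFF_PROMISC (Linux)."""
import os
import sys

IFF_UP = 0x1         # from <linux/if.h>
IFF_PROMISC = 0x100  # from <linux/if.h>: interface receives all frames


def parse_flags(text):
    """Parse the contents of a sysfs 'flags' file, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Return a sorted list of (name, flags) for interfaces in promiscuous mode.

    sysfs_net is a parameter so the check can be pointed at a copy of the
    directory tree (for example one collected from another host).
    """
    found = []
    for name in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, name, "flags")
        try:
            with open(path) as fh:
                flags = parse_flags(fh.read())
        except (OSError, ValueError):
            continue  # not an interface entry (e.g. bonding_masters) or unreadable
        if flags & IFF_PROMISC:
            found.append((name, flags))
    return found


def main():
    hits = promiscuous_interfaces()
    for name, flags in hits:
        state = "up" if flags & IFF_UP else "down"
        print(f"{name}: promiscuous mode set (flags={flags:#x}, {state})")
    if not hits:
        print("no interface is in promiscuous mode")
    return 1 if hits else 0  # non-zero exit lets cron or monitoring alert on a hit


if __name__ == "__main__":
    sys.exit(main())
```

Bridges, virtualization hosts and IDS sensors also set this flag legitimately, so compare the result against a known baseline for each host. A sniffer that only reads the host's own traffic does not need promiscuous mode and will not show up here.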

A good way to protect your network against sniffers is to segment it as much as possible using Ethernet switches instead
of regular hubs. Switches have the ability to segment your network traffic and prevent every system on the network from
being able to "see" all packets. The drawback to this solution is cost. Switches are two to three times more expensive than
hubs, but the trade-off is definitely worth it. Another option, which you can combine with a switched environment, is to
use encryption. The sniffer still sees the traffic, but it is displayed as garbled data. Some drawbacks of using encryption
are the speed and the chance of you using a weak encryption standard that can be easily broken. Almost all encryption
will introduce delay into your network. Typically, the stronger the encryption, the slower the machines using it will
communicate. System administrators and users have to compromise somewhere in the middle. Even though most system
administrators would like to use the best encryption on the market, it is just not practical in a world where security is seen
as a profit taker, not a profit maker. Hopefully the new encryption standard that should be out shortly, AES (Advanced
Encryption Standard), will provide strong enough encryption and transparency to the user to make everybody happy.

Some form of encryption is better than no encryption at all. If a cracker is running a sniffer on your network and notices
that all of the data that he (or she) is collecting is garbled, then most likely they will move on to another site that does not
use encryption. But a paid or determined hacker is going to be able to break a weak encryption standard, so it is better to
play it smart and provide the strongest encryption as long as it will not have everybody giving you dirty looks when you
walk down the halls at work.
