
Can LAN users' usernames and passwords get captured?

saidfrh18
Level 1

In a network that uses Cisco switches, can an unauthorized user connect a laptop to a port and capture the usernames and passwords of employees logging in to their computers? Each port in the wall is connected to a port in the patch panel, and each port in the patch panel is connected to a port on the switch. I understand the above is possible in a hub environment.

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame

Sam

There are 2 separate issues here.

The first has nothing to do with the switching infrastructure; it is to do with whether usernames/passwords are sent in cleartext or not. This is application specific and so I won't deal with that here.

The second is to do with switches. Unlike hubs, switches do not forward unicast frames out of all ports; they only send a frame to the port with the MAC address associated with the unicast destination. Obviously if the frame is a broadcast or the unicast destination is unknown then the switch forwards it out all ports except the one it was received on.

However that doesn't mean that switches are secure with default config. There are many ways to "fool" the switch into doing something it shouldn't. Attached is a link to a good paper on securing campus LAN switches:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns17/networking_solutions_whitepaper0900aecd80459628.html

The specific part you want to look at is "man in the middle attacks", but the whole paper is very useful.

Jon

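To make the hub-versus-switch distinction in the answer above concrete, here is an added Python simulation. It is not code from this thread or from Cisco: a hub and a MAC-learning switch each replay the same constructed logon exchange, and the simulation records which frames are delivered to a spare port where a passive listener has been plugged in. MAC addresses, port names and payload strings are all made up for the example.

```python
"""Hub versus learning switch: which frames reach a passive listener?

Constructed example: MAC addresses, port names and payloads are made up.
A hub repeats every frame to every other port.  A learning switch records
which port each source MAC was seen on and delivers a unicast frame only
to the port it learned for the destination; it floods only broadcasts and
frames whose destination it has not yet learned.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
PORTS = ["p1", "p2", "p3", "sniff"]  # "sniff" is the spare wall port

# Constructed hosts (hypothetical, locally administered MAC addresses).
PC1 = "02:00:00:00:00:01"     # plugged into port p1
SERVER = "02:00:00:00:00:03"  # plugged into port p3


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str


class Hub:
    """Repeater: no forwarding table, every frame goes to every other port."""

    def forward(self, in_port, frame):
        return [p for p in PORTS if p != in_port]


class LearningSwitch:
    """Minimal transparent bridge: learn the source MAC on ingress, forward
    to one port on a table hit, flood on broadcast or table miss.  Aging,
    VLANs and table overflow are deliberately not modelled."""

    def __init__(self):
        self.mac_table = {}  # source MAC -> ingress port

    def forward(self, in_port, frame):
        self.mac_table[frame.src] = in_port  # learn (or refresh) the source
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            return [p for p in PORTS if p != in_port]  # flood
        out_port = self.mac_table[frame.dst]
        return [] if out_port == in_port else [out_port]  # filter or forward


# Constructed logon exchange between PC1 (port p1) and SERVER (port p3).
TRAFFIC = [
    ("p1", Frame(PC1, BROADCAST, "ARP who-has SERVER")),
    ("p3", Frame(SERVER, PC1, "ARP reply")),
    ("p1", Frame(PC1, SERVER, "logon request for user alice")),
    ("p3", Frame(SERVER, PC1, "authentication challenge")),
    ("p1", Frame(PC1, SERVER, "authentication response")),
]


def frames_seen_on(device, listen_port="sniff"):
    """Replay TRAFFIC through the device and return the payloads delivered
    to listen_port, i.e. what a passive capture on that port would hold."""
    seen = []
    for in_port, frame in TRAFFIC:
        if listen_port in device.forward(in_port, frame):
            seen.append(frame.payload)
    return seen


if __name__ == "__main__":
    print("hub   :", frames_seen_on(Hub()))
    print("switch:", frames_seen_on(LearningSwitch()))
```

On the hub every one of the five frames reaches the spare port; on the switch only the broadcast ARP request does, because after the first two frames both MAC addresses are in the table and the unicast frames go to p1 and p3 only. The model stops where the answer's caveat begins: it has no table aging, no table size limit and no check that a source MAC belongs on the port it arrived from, which is exactly the ground covered by the "man in the middle attacks" section of the linked paper.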

4 Replies

Jon,

Thanks. Out of the box, in a Win environment are the usernames and passwords in clear text or are they encrypted?

Said

Said

As far as I know, in a Windows environment user passwords are authenticated using an MD5 hash, i.e. the passwords are never sent in clear text.

However, if you telnetted to a switch/router or to a Windows server running a telnet server, then passwords are in clear text.

Jon

Jon, have you configured the Easy VPN Remote feature for the ASA? "The feature pushes security policies defined at the central site to the remote device, so that it has up-to-date policies in place before a connection is established." It would be helpful to set up policies like the client must have up-to-date MS patches and the latest antivirus strings in order to establish a connection with HQ. How do you configure the policies and maintain them?
