
Re: [redhat-lspp] [PATCH] promiscuous mode



On Mon, 2005-12-05 at 11:04 -0500, Steve Grubb wrote:
> > I'd want to know if some other system on my network went into
> > promiscuous mode, but that system probably isn't being
> > audited. :-)
> 
> That's the basic idea. The events go to a central audit log analyzer in the 
> data center and the admin can see that a particular machine went into 
> promiscuous mode.

If a hostile user puts a machine in promiscuous mode then it's most
likely that the security of the machine in question has been broken, and
there is a possibility that a hostile device has been connected to the
network.  In either case it seems likely that an audit message won't
propagate to a central server.

The real solution to this (IMHO) is smart switches that don't permit ARP
spoofing etc.

