If a packet collides in the forest...

mALtbALz

Junior Member
Jan 3, 2000
Hello to all my fellow network junkies.

I don't post here much, so I will try and make this as clear as possible. I have a small network at home:
one server, a Linux firewall, and three other PCs. All the computers are running 100BaseT cards; the cards work
just fine, BUT my problems start with an apparent packet collision fiesta on my hub. The packet collision light
goes berserk whenever I transfer large amounts of data across the network. I can stream MP3s or look at
family pictures with no collisions whatsoever. When I watch home movies (DivX/AVI or MPEG) across the network,
BAM, el grande collision fiesta bonanza!!!!

The movies and all look great and no stuttering, but I am concerned that the collisions may be a bad thing.
Any thoughts or suggestions on how this may be remedied?


Network specs:
100baseTX 12-port hub with uplink
linux router/firewall (1-10baseT nic going to the cable modem, 1-100baseT nic uplink to the hub)
Dual P-Pro200 linux server with 100baseT nic
T-bird 1.4g with 100baseT nic
Other assorted computers with 100baseT nics...

Max cable length on lan:
150 Ft.

I think that covers it all. Thanks in advance.
Need more info, just ask.
 

spidey07

No Lifer
Aug 4, 2000
Collisions are a normal function of ethernet. Don't worry about it unless you are seeing incredibly slow speeds.
 

FirmPete

Senior member
Dec 11, 2000
As long as the movies don't stutter, don't worry. It's because data transfer while playing video is HUGE, and since the hub transmits every packet to all ports, you'll get a constant "on" on the collision light.

If you don't want collisions buy a switch to replace the hub.
 

mALtbALz

Junior Member
Jan 3, 2000
Thanks, you all just saved me from buying a switch. I was hoping that the collisions were normal.
Guess I just needed to hear it from someone who knew more than I did. :)
 

sml

Member
Dec 26, 2001
keep in mind you'll still gain added security and performance by switching from a hub to a switch when communicating with another machine on your local network.
 

Garion

Platinum Member
Apr 23, 2001
Most DIVX movies are encoded at way less than 1Mb/s. Your 100BaseT hub network will likely max out around 50Mb/s. Noooo problem.

- G
 

n0cmonkey

Elite Member
Jun 10, 2001


<< keep in mind you'll still gain added security and performance by switching from a hub to a switch when communicating with another machine on your local network. >>



I'll agree with the performance, but destroying the security aspect of a switch is easy :)
 

Tallgeese

Diamond Member
Feb 26, 2001


<< keep in mind you'll still gain added security and performance by switching from a hub to a switch >>

Security? With a switch?

hahahahahahahahahahha...good one!
 

n0cmonkey

Elite Member
Jun 10, 2001


<<

<< keep in mind you'll still gain added security and performance by switching from a hub to a switch >>

Security? With a switch?

hahahahahahahahahahha...good one!
>>



I'd give 50/50 odds on the typical script kiddiot not being able to sniff on a switch. ;)
 

Tallgeese

Diamond Member
Feb 26, 2001


<< I'd give 50/50 odds on the typical script kiddiot not being able to sniff on a switch. ;) >>

Cr@p! That leaves me out...:p
 

wedi42

Platinum Member
Jun 9, 2001
BAM el grande collision fiesta bonanza!!!!

OMG!!! OH NO! AIIIIIEEEEEEEEEEEEEEEE!!!!! NOOOOOO!O!OO!O!!!!
 

spidey07

No Lifer
Aug 4, 2000
As far as threat mitigation is concerned there are many levels of security. Looks like an OSI model almost. Using a totally switched network does help prevent packet sniffing. Not foolproof, but it does help. Read some of the network security white papers and switches are ALWAYS mentioned as a piece of the security puzzle.
 

n0cmonkey

Elite Member
Jun 10, 2001


<< As far as threat mitigation is concerned there are many levels of security. Looks like an OSI model almost. Using a totally switched network does help prevent packet sniffing. Not foolproof, but it does help. Read some of the network security white papers and switches are ALWAYS mentioned as a piece of the security puzzle. >>



OK, but in my opinion the security aspect is not very good on switches. It's easy to get around. Too easy to make it a reason to use a switch. Performance is what switches really give you, and script kiddiots that know nothing won't know how to get around a switch. I would give you a link by dugsong, but it's been censored by the DMCA.
 

sml

Member
Dec 26, 2001
A switch is most certainly a security device. First off, not just any moron can drop their card into promiscuous mode to see what you're doing [a la hub]. Secondly, a well configured switch [like one I would configure :)] is:

a> going to have MAC addresses tied to each port to prevent someone from unplugging the laser printer and plugging their laptop in.
b> is going to have some form of authentication tied in via TACACS+ or RADIUS before you even get a fully activated port
c> is going to have some protection against CAM table flooding to confuse the switch and get it to start broadcasting traffic everywhere.

n0cmonkey: it would be difficult for you to plug in a device I didn't know about on a switch set up like this, let alone pull some kind of dsniff BS on the network :) [arpmitm, etc] - try ARPing if you can't even get an active port, heh heh. Obviously a SOHO switch doesn't have all these features, but you don't have as big of a threat to worry about on a small 8-port switch environment, mainly just people running tcpdump. Hence, the switch is better for security and performance in this situation.
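As an added illustration of points a> and c> above (example code written for this thread, not from the original post and not from any switch vendor): a toy model of a learning switch with a bounded CAM table. It shows what CAM table flooding buys an attacker on a switch with no port security (once the table is full, the victim's unicast traffic gets flooded to the attacker's port, hub-style) and how a per-port MAC limit with violation-shutdown, modelled on the port-security feature sml describes, stops it. The `Switch` class, port numbers, MAC addresses and the table size are all constructed for the example.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch: a bounded, LRU-evicted CAM table plus an optional
    per-port MAC limit (a simplified model of 'port security'). Constructed
    for this example; not a real device."""

    def __init__(self, ports, cam_size=64, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = OrderedDict()            # mac -> port, oldest entry first
        self.max_macs_per_port = max_macs_per_port
        self.macs_on_port = {p: set() for p in self.ports}
        self.shutdown = set()               # ports err-disabled by a violation

    def _learn(self, src, port):
        """Record src on port. Returns False if the frame must be dropped."""
        if port in self.shutdown:
            return False
        if self.max_macs_per_port is not None:
            known = self.macs_on_port[port]
            if src not in known and len(known) >= self.max_macs_per_port:
                self.shutdown.add(port)     # violation mode 'shutdown'
                return False
            known.add(src)
        if src in self.cam:
            self.cam.move_to_end(src)       # refresh an existing entry
        elif len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)    # table full: evict the oldest entry
        self.cam[src] = port
        return True

    def forward(self, src, dst, in_port):
        """Return the list of egress ports for one frame."""
        if not self._learn(src, in_port):
            return []                       # dropped
        out = self.cam.get(dst)
        if dst == BROADCAST or out is None:
            # broadcast or unknown unicast: flood to every other port
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def fake_mac(i):
    """Locally administered MAC for flood frame number i (constructed)."""
    return "02:00:00:00:%02x:%02x" % ((i >> 8) & 0xFF, i & 0xFF)


VICTIM, SERVER, ATTACKER = 1, 2, 3                  # port numbers (constructed)
VICTIM_MAC = "00:0c:29:00:00:01"
SERVER_MAC = "00:0c:29:00:00:02"


def run_scenario(max_macs_per_port=None, flood_frames=200):
    """Victim and server exchange frames, the attacker floods fake source
    MACs, then the victim sends to the server again. Returns the egress
    ports of that final victim->server frame."""
    sw = Switch(ports=[VICTIM, SERVER, ATTACKER], cam_size=64,
                max_macs_per_port=max_macs_per_port)
    sw.forward(VICTIM_MAC, SERVER_MAC, VICTIM)      # learns victim on port 1
    sw.forward(SERVER_MAC, VICTIM_MAC, SERVER)      # learns server on port 2
    for i in range(flood_frames):                   # macof-style flood from port 3
        sw.forward(fake_mac(i), BROADCAST, ATTACKER)
    return sw.forward(VICTIM_MAC, SERVER_MAC, VICTIM)


if __name__ == "__main__":
    print("no port security   :", run_scenario())   # [2, 3]: attacker's port gets a copy
    print("port security max 1:", run_scenario(1))  # [2]: stays unicast, port 3 shut down
```

With the limit set to one MAC per port, the attacker's second flood frame trips the violation and the port is shut down before the table can fill; without it, 200 frames are enough to push the server's entry out of a 64-entry table and turn the switch into a hub for that conversation.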
 

n0cmonkey

Elite Member
Jun 10, 2001


<< A switch is most certainly a security device. First off, not just any moron can drop their card into promiscuous mode to see what you're doing [a la hub]. Secondly, a well configured switch [like one I would configure :)] is:

a> going to have MAC addresses tied to each port to prevent someone from unplugging the laser printer and plugging their laptop in.
>>




MAC addresses can be changed in software for some network cards :)



<< b> is going to have some form of authentication tied in via TACACS+ or RADIUS before you even get a fully activated port >>



Great if you have it.



<< c> is going to have some protection against CAM table flooding to confuse the switch and get it to start broadcasting traffic everywhere. >>



Any more information on this one? I haven't seen anything that would help protect against this. But I'm no expert in networking thingies.



<< n0cmonkey: it would be difficult for you to plug in a device I didn't know about on a switch set up like this, let alone pull some kind of dsniff BS on the network :) [arpmitm, etc] - try ARPing if you can't even get an active port, heh heh. Obviously a SOHO switch doesn't have all these features, but you don't have as big of a threat to worry about on a small 8-port switch environment, mainly just people running tcpdump. Hence, the switch is better for security and performance in this situation. >>



I don't have much experience with bigger switches. Most of the stuff I've played with (at work and at home) has been the unmanaged switches. With add-ons like TACACS+ or RADIUS you will definitely get better security, at the cost of more complexity. This would be the situation I was asking about, but I probably didn't phrase the question well enough to not sound like an a-hole ;)
 

sml

Member
Dec 26, 2001


<< MAC addresses can be changed in software for some network cards >>



You'd have to know what MAC to use, without getting on the network to see the ARP traffic to see what MACs were present. If all the machines are secured physically this is an arduous task :)



<< << b> is going to have some form of authentication tied in via TACACS+ or RADIUS before you even get a fully activated port >> >>



This is built into a lot of Cisco gear, you just need to set up a RADIUS or TACACS+ server to interface with it. The other cool thing is you can integrate your Cisco gear with an ACS [Access Control Server] to authenticate through some directory services such as NDS or AD.




<< << c> is going to have some protection against CAM table flooding to confuse the switch and get it to start broadcasting traffic everywhere. >> >>





<< Anymore information on this one? I havent seen anything that would help protect against this. But Im no expert in networking thingies. >>




sure. If your network is fairly static [these security measures are usually taken on switches full of servers or something of that nature] then you can configure a static ARP entry for each port, rather than allowing each port to figure it out. This prevents the switch from being overloaded when it gets a lot of ARP traffic / random MAC addresses flowing through it :) If the router already has ARP info for a MAC, it can ignore new requests and that provides you with a bit more security. However, layer 2 is still not a totally securable piece of the puzzle, check out:
http://www.sans.org/infosecFAQ/switchednet/layer2.htm

dugsong's arpspoof tool is pretty fun to play with, the link is www.monkey.org/~dugsong/dsniff btw :) [only his homepage says 'censored by the DMCA' last i checked].
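Added example (written for this thread; not from the original post and not dugsong's code): a small detector for the arpspoof-style poisoning mentioned above, run over constructed tcpdump-style ARP reply lines. It flags an IP whose MAC suddenly changes, a reply that contradicts a static entry for a host you have pinned (the gateway here), and one MAC answering for several IPs, which is what arpspoof produces when it poisons both ends of a conversation. The sample lines, addresses, the `GATEWAY_STATIC` pin and the `detect_arp_spoof` function are all constructed; the line format follows what `tcpdump` prints for ARP replies without `-e`.

```python
import re

# Matches the ARP reply lines tcpdump prints (without -e), e.g.
#   12:00:01.000001 ARP, Reply 192.168.1.1 is-at 00:50:56:aa:bb:01, length 28
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def detect_arp_spoof(lines, static=None):
    """Scan ARP reply lines and return a list of alert dicts.

    static: {ip: mac} entries you have pinned (e.g. the gateway). A reply
    that contradicts one is reported and is NOT allowed to update the table,
    mirroring what a static ARP entry does on the host itself.
    """
    static = {ip: mac.lower() for ip, mac in (static or {}).items()}
    ip_to_mac = {}      # what each IP last claimed to be
    mac_to_ips = {}     # which IPs each MAC has answered for
    alerts = []

    for line in lines:
        m = ARP_REPLY.match(line)
        if not m:
            continue                        # requests, non-ARP lines, etc.
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()

        if ip in static and static[ip] != mac:
            alerts.append({"ts": ts, "rule": "static-conflict", "ip": ip,
                           "expected": static[ip], "seen": mac})
            continue

        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"ts": ts, "rule": "mac-changed", "ip": ip,
                           "old": prev, "new": mac})
        ip_to_mac[ip] = mac

        ips = mac_to_ips.setdefault(mac, set())
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:
                # Legitimate on a multi-homed box; suspicious when the extra
                # IP belongs to the gateway or to another host on the segment.
                alerts.append({"ts": ts, "rule": "multi-ip", "mac": mac,
                               "ips": sorted(ips)})
    return alerts


# Constructed capture: the gateway (.1) and a host (.20) answer normally,
# then a third MAC claims both addresses, as arpspoof does to both ends.
SAMPLE = """\
12:00:01.000001 ARP, Reply 192.168.1.1 is-at 00:50:56:aa:bb:01, length 28
12:00:01.100001 ARP, Reply 192.168.1.20 is-at 00:0c:29:11:22:20, length 28
12:00:05.000001 ARP, Reply 192.168.1.1 is-at 00:0c:29:de:ad:99, length 28
12:00:05.000002 ARP, Reply 192.168.1.20 is-at 00:0c:29:de:ad:99, length 28
12:00:06.000001 ARP, Request who-has 192.168.1.30 tell 192.168.1.1, length 28
""".splitlines()

GATEWAY_STATIC = {"192.168.1.1": "00:50:56:aa:bb:01"}    # constructed pin


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE, static=GATEWAY_STATIC):
        print(alert)
```

Feed it the output of `tcpdump -n -l arp` on the host you want to watch. On the hub from the original post every machine sees every ARP reply; on a switch a host only sees the replies sent to it or broadcast, so the detector belongs on the host being protected (or on a mirror port), and the static pin is the part that actually blocks the poisoning rather than just reporting it.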
 

n0cmonkey

Elite Member
Jun 10, 2001


<<

<< MAC addresses can be changed in software for some network cards >>



You'd have to know what MAC to use, without getting on the network to see the ARP traffic to see what MACs were present. If all the machines are secured physically this is an arduous task :)
>>



It's easier if you have physical access to, say, a printer. :p



<<

<< << b> is going to have some form of authentication tied in via TACACS+ or RADIUS before you even get a fully activated port >> >>



This is built into a lot of Cisco gear, you just need to set up a RADIUS or TACACS+ server to interface with it. The other cool thing is you can integrate your Cisco gear with an ACS [Access Control Server] to authenticate through some directory services such as NDS or AD.
>>



Ok, so this helps, but you need more than just the switch.




<<

<< << c> is going to have some protection against CAM table flooding to confuse the switch and get it to start broadcasting traffic everywhere. >> >>





<< Anymore information on this one? I havent seen anything that would help protect against this. But Im no expert in networking thingies. >>




sure. If your network is fairly static [these security measures are usually taken on switches full of servers or something of that nature] then you can configure a static ARP entry for each port, rather than allowing each port to figure it out. This prevents the switch from being overloaded when it gets a lot of ARP traffic / random MAC addresses flowing through it :) If the router already has ARP info for a MAC, it can ignore new requests and that provides you with a bit more security. However, layer 2 is still not a totally securable piece of the puzzle, check out:
http://www.sans.org/infosecFAQ/switchednet/layer2.htm

dugsong's arpspoof tool is pretty fun to play with, the link is www.monkey.org/~dugsong/dsniff btw :) [only his homepage says 'censored by the DMCA' last i checked].
>>



I lost the bookmark I had to his site, thanks for the link. That DMCA is just causing problems for everyone (dugsong, alan cox :/). Anyhow, this is why I love the networking forum. I can come in here and realize I'm a moron sometimes. So a switch isn't secure, but like most things it can be made reasonably secure. I was pretty sure it could be done, but I focus mostly on the host systems themselves. I'll have to borrow my buddy's CCNA book when he is done with it to get a little idea of some of the things I can do with Cisco products. Now, if only I could get my hands on a cheap Cisco router/switch...

SANS courses rock, by the way. I was able to get to one in Baltimore a while back and I had a lot of fun. I hope to be able to do it again. Their UNIX track looked interesting.
 

sml

Member
Dec 26, 2001
Availability of RADIUS/TACACS+ servers [any PC can do it]: a quick search in the FreeBSD ports tree turns up:

Port: freeradius-devel-20010310
Path: /usr/ports/net/freeradius-devel
Info: A new RADIUS authentication and accounting server with loadable modules
Maint: wollman@lcs.mit.edu
Index: net
B-deps: autoconf213-2.13.000227_1 gettext-0.10.35 gmake-3.79.1 libtool-1.3.4_2 m4-1.4_1
R-deps:

Port: icradius-0.18.1
Path: /usr/ports/net/icradius
Info: A variant of Cistron RADIUS, but with a MySQL backend
Maint: serg@tmn.ru
Index: net
B-deps: mysql-client-3.23.47
R-deps: mysql-client-3.23.47

Port: radius-basic-3.6B1
Path: /usr/ports/net/radius
Info: A remote authentication server
Maint: ports@FreeBSD.org
Index: net
B-deps:
R-deps:

etc etc..



Remember that Layer 2 wasn't designed for security, it was designed for performance and efficiency :) Yeah, you can make a switch reasonably secure, but there's always the risk someone is sniffing your connection. The only truly effective countermeasure to this is encrypted traffic across the wire. Good luck with your CCNA; although I feel most certifications are pretty much worthless, I picked up quite a bit of knowledge last time I was in a 'cert' class [Checkpoint FW-1 weeklong session].

 

n0cmonkey

Elite Member
Jun 10, 2001


<< Remember that Layer 2 wasn't designed for security, it was designed for performance and efficiency :) Yeah, you can make a switch reasonably secure, but there's always the risk someone is sniffing your connection. The only truly effective countermeasure to this is encrypted traffic across the wire. Good luck with your CCNA; although I feel most certifications are pretty much worthless, I picked up quite a bit of knowledge last time I was in a 'cert' class [Checkpoint FW-1 weeklong session]. >>



I didn't get my Checkpoint cert, although I could use FW-1 pretty well. I don't value certs at all, and I probably won't even go for a CCNA if I read the book. I like having the knowledge; I don't need a piece of paper to show someone that I can do it. Although it would help my resume out :p