Web Hosting Talk

sniffer <sigh>


pyng
03-15-2001, 11:54 AM
I've discovered a sniffer on a box that was just allocated to me. Without going into the details of who provided me that box, there are some issues nagging at me.

1. Looking at the tcp.log file it's captured so far has awakened me to the possibility that the box may not in fact be on a switched network. My interface has a single ip bound to it but was running in promiscuous mode due to the sniffer. It captured connection attempts from ips to ips which were not bound to my interface at all. Does this strongly imply that I am simply connected to a hub? (if the answer to this is no, then the following questions probably become meaningless).

2. It seems to me that having web servers, or any type of servers for that matter, on a hubbed network is asking to be compromised. My question and challenge to the hosting providers therefore is this: do you provide switched-only networks? And do those of you who provide some hubbed networks dare to stand out and say that you do?

3. (I have no clue about this, but) are there actually any manageable hubs around? ie. hubs that can provide snmp data for mrtg graphs, or can otherwise chart bandwidth usage without double-counting traffic use by other parties on the hub?

cperciva
03-15-2001, 12:05 PM
Switches do not yield any security improvements.

First, whenever a switch doesn't know where a packet should go (ie, the MAC address isn't inside the switch's cache) it will broadcast the packet to all the interfaces. This could be the reason you're seeing connection attempts to other IP addresses -- if you see SYN packets but no later packets, odds are that when the SYN packets arrive the switch doesn't know where to send them, but thereafter it is sending packets to the correct destination.

Second, almost all switches can be spoofed. If another machine on your network claims to have your MAC address, a switch may send packets to you, may send them to the other machine, and may send them to both machines.

Third, almost all switches can be forced into hub mode. Because of the limited size of the MAC caches, if a switch is flooded with random MAC entries, it will not know where to send *any* packets, and so it will revert to sending all packets to all ports -- ie, what a hub normally does.

Basically, switches are useful for performance reasons, but not for security reasons.
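
The three behaviours above (unknown-destination flooding, MAC spoofing and forced hub mode) all leave traces in exactly the kind of capture pyng found. As an added example that is not from either poster, the script below runs a defender's checks over a constructed set of frames recorded by a promiscuous interface: it separates lone SYNs to other hosts (consistent with a switch flooding an unknown destination) from complete foreign conversations (consistent with a hub, or a switch pushed into hub mode), counts distinct source MACs (a sudden jump is the MAC-table flooding cperciva describes), and flags an IP that shows up behind more than one MAC. The host MAC, IPs and frames are all made up for the example.

```python
from collections import defaultdict

# Constructed sample of frames a promiscuous NIC recorded on a host whose own
# MAC is MY_MAC; all addresses are made up for this example.
MY_MAC = "00:aa:bb:cc:dd:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    # traffic really addressed to this host
    {"smac": "00:aa:bb:cc:dd:02", "dmac": MY_MAC, "sip": "10.0.0.2", "dip": "10.0.0.1", "flags": "S"},
    {"smac": "00:aa:bb:cc:dd:02", "dmac": MY_MAC, "sip": "10.0.0.2", "dip": "10.0.0.1", "flags": "A"},
    # broadcast: every port sees it on a switch too, so it proves nothing
    {"smac": "00:aa:bb:cc:dd:07", "dmac": BROADCAST, "sip": "10.0.0.7", "dip": "10.0.0.255", "flags": ""},
    # a lone SYN to another host: what a switch floods before it learns the port
    {"smac": "00:aa:bb:cc:dd:03", "dmac": "00:aa:bb:cc:dd:04", "sip": "10.0.0.3", "dip": "10.0.0.4", "flags": "S"},
    # a complete foreign exchange: only visible on a hub or a switch in fail-open
    {"smac": "00:aa:bb:cc:dd:05", "dmac": "00:aa:bb:cc:dd:06", "sip": "10.0.0.5", "dip": "10.0.0.6", "flags": "S"},
    {"smac": "00:aa:bb:cc:dd:06", "dmac": "00:aa:bb:cc:dd:05", "sip": "10.0.0.6", "dip": "10.0.0.5", "flags": "SA"},
    {"smac": "00:aa:bb:cc:dd:05", "dmac": "00:aa:bb:cc:dd:06", "sip": "10.0.0.5", "dip": "10.0.0.6", "flags": "PA"},
    # the same IP seen behind a second MAC: an address-spoofing indicator
    {"smac": "00:aa:bb:cc:dd:99", "dmac": MY_MAC, "sip": "10.0.0.2", "dip": "10.0.0.1", "flags": "A"},
]

def is_unicast(mac):
    # group (multicast/broadcast) MACs have the low bit of the first octet set
    return not int(mac[:2], 16) & 1

def analyse(frames, my_mac=MY_MAC):
    """Summarise what a promiscuous capture says about the local segment."""
    foreign_unicast = 0
    flows = defaultdict(set)       # (ip, ip) pair -> TCP flag strings seen
    ip_to_macs = defaultdict(set)  # source IP -> source MACs it arrived from
    for f in frames:
        if is_unicast(f["dmac"]) and f["dmac"] != my_mac:
            foreign_unicast += 1
            flows[tuple(sorted((f["sip"], f["dip"])))].add(f["flags"])
        ip_to_macs[f["sip"]].add(f["smac"])
    # SYN-only foreign flows fit a switch flooding an unknown destination; any
    # foreign flow with the SYN/ACK or data visible means we see whole conversations.
    syn_only = sum(1 for fl in flows.values() if fl == {"S"})
    full = len(flows) - syn_only
    return {
        "foreign_unicast_frames": foreign_unicast,
        "foreign_flows_syn_only": syn_only,
        "foreign_flows_full": full,
        "hub_like": full > 0,
        "distinct_src_macs": len({f["smac"] for f in frames}),
        "ip_mac_conflicts": {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1},
    }
```

On a live box the same checks apply to whatever the capture tool already wrote out; a baseline count of distinct source MACs per minute is the number to alert on for the flooding case.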

pyng
03-15-2001, 12:21 PM
Yes, good points. Don't know why I didn't think of that :)

That makes me feel so much better now :)