To guard against packet sniffing on your network, use switches and routers instead of hubs - a switch only forwards a packet to the Ethernet address it's addressed to, so it can't be sniffed by a third party. An entry-level switch is only slightly more expensive than a hub, and will give a slight performance increase as well.
If you're stuck with a poorly designed/cheaply implemented network (as you might find in university halls of residence), the greatest risk is from packet sniffing by people on your local segment - they know the most about you, and can use sniffed information to their advantage most readily[1]. Your best defense against this kind of thing is to use strong encryption for everything you do:
Encrypt your email: Modern email programs can use SSL when communicating with the server, preventing a sniffed session from yielding any passwords or emails. To protect against packet sniffing further down the line, interception by rogue admins, police, the FBI, etc., the actual message has to be encrypted. Programs like PGP make this process user-friendly.
Safety when web browsing: Don't use any passwords that you use anywhere else to access a website, and think carefully before submitting personal information[2]. Most browser/server combinations send passwords and data completely unencrypted, unless they're using SSL (recognisable by a padlock icon, and https:// in the location bar).
SSH is your friend. If you have a shell account that allows SSH port forwarding, use it instead of a direct connection for any servers you use regularly, for example the web proxy[3], NNTP (newsgroups), email, and FTP (if you must use it).[4] Finally, to transfer files from your shell account to your desktop, use SZ over SSH instead of FTP.
Unsafe applications: Don't use protocols that pass plain-text passwords. These include, but are not limited to, FTP, the Windows SMB filesharing protocol, the Unix NFS filesharing protocol, and just about any others that were designed in the eighties. If you absolutely have to use these, do it over an SSH port forward, or use a version that incorporates TLS.
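To see which of your own logins are readable on the wire, here is an added example (not part of the original writeup): a short Python audit that scans payloads captured from your own traffic and reports every password sent in the clear, with the secret itself masked to a length. The function name and the sample payloads are constructed for illustration.

```python
import base64
import re

# Login commands that carry the secret unencrypted. Group 1 is the secret.
CLEARTEXT_AUTH = {
    "FTP/POP3 PASS": re.compile(rb"^PASS (\S+)", re.I | re.M),
    "NNTP AUTHINFO PASS": re.compile(rb"^AUTHINFO PASS (\S+)", re.I | re.M),
    "HTTP Basic auth": re.compile(rb"^Authorization: Basic (\S+)", re.I | re.M),
}


def audit_payload(payload: bytes) -> list[tuple[str, int]]:
    """Return (finding, secret_length) for each password visible in payload."""
    findings = []
    for name, pattern in CLEARTEXT_AUTH.items():
        for match in pattern.finditer(payload):
            secret = match.group(1)
            if name == "HTTP Basic auth":
                # Base64 is an encoding, not encryption: anyone can undo it.
                try:
                    decoded = base64.b64decode(secret, validate=True)
                except ValueError:
                    continue  # not valid Base64, so not a Basic credential
                secret = decoded.split(b":", 1)[-1]  # keep the password part
            # Report only the length so the audit log holds no passwords.
            findings.append((name, len(secret)))
    return findings


# Constructed sample payloads (not real captures).
FTP_SAMPLE = b"USER alice\r\nPASS hunter2\r\n"
NNTP_SAMPLE = b"AUTHINFO USER alice\r\nAUTHINFO PASS news123\r\n"
HTTP_SAMPLE = (
    b"GET /private HTTP/1.0\r\nAuthorization: Basic "
    + base64.b64encode(b"alice:s3cret")
    + b"\r\n\r\n"
)
# Start of a TLS record: content type, version, length, then ciphertext.
TLS_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x04, 0x9F, 0x02, 0xC4, 0x11])

if __name__ == "__main__":
    for label, sample in [("ftp", FTP_SAMPLE), ("nntp", NNTP_SAMPLE),
                          ("http", HTTP_SAMPLE), ("tls", TLS_SAMPLE)]:
        print(label, audit_payload(sample) or "nothing readable")
```

Any finding marks a service that should be moved behind an SSH port forward or a TLS-enabled version.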
1 - Not to mention that everyone's data goes through the main switch or internet gateway, so if the admins wanted to sniff you, there's not a lot you could do about it.
2 - Even if the session isn't sniffed, how do you know the webmaster can be trusted?
3 - On most networks, outgoing web traffic is transparently redirected through their web proxy anyway, so talking to it directly over an encrypted link gives security at no loss of speed.
4 - In theory, at least, the admins are probably more trustworthy and professional than your roommate is...