On Mon, 22 Apr 2002, George Toft wrote:

> Check out:
> http://rr.sans.org/switchednet/switch_security.php
>
> Contrary to popular belief, it is very possible to sniff the network when
> you're on a switch. So even if you change the administrator password(s) and
> the SNMP community strings, you may still be vulnerable to switch hijacking.
> The easiest way to sniff a switched network is to use a tool called
> ``dsniff'' which tricks the switch into sending packets destined to other
> systems to the sniffer. [4] Dsniff not only captures packets on switched
> networks, but also has the functionality to automatically decode passwords
> from insecure protocols like telnet, HTTP, and SNMP, which are commonly used
> to manage switches.

Good points. Personally, I don't rely on VLANs for security. I prefer to physically isolate each group. But your point is well taken. Switches are susceptible to sniffing, but it requires more effort than it would on a network connected through a hub where you can simply run tcpdump and watch everything go by. So in that sense, I suppose that switches provide improved security over hubs.

~M