How do I protect my network against dsniff?
At layer-2: Enabling port security on a switch or enforcing static ARP entries for certain hosts helps protect against arpspoof redirection, although both countermeasures can be extremely inconvenient.

At layer-3: IPSEC paired with secure, authenticated naming services (DNSSEC) can prevent dnsspoof redirection and trivial passive sniffing. Unfortunately, IPSEC’s IKE is an overblown key exchange protocol designed by committee, so unwieldy and perverse that widespread deployment across the Internet is almost unthinkable in the immediate future.

At layer-4: Don’t allow proprietary, insecure application protocols or legacy cleartext protocols on your network. dsniff is useful in helping to detect such policy violations, especially when used in magic (dsniff -m) automatic protocol detection mode. This is largely a matter of remedial user education perhaps best left to the experienced BOFH. 🙂 Strong, trusted third-party network authentication (such as Kerberos) isn’t generally subject to t
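For the layer-2 countermeasure (static ARP entries for certain hosts), the following is an added example, not part of the original FAQ: it audits Linux `ip neigh show` output against a pin list and reports pinned hosts whose binding has changed or is not static, plus any MAC that answers for several IPs. The pin list, the sample output and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of `ip neigh show` output (documentation addresses only).
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:66 REACHABLE
192.0.2.53 dev eth0 lladdr 00:00:5e:00:53:35 PERMANENT
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:66 STALE
192.0.2.30 dev eth0 lladdr 00:00:5e:00:53:30 REACHABLE
192.0.2.40 dev eth0 FAILED
"""

# Hypothetical pin list: hosts whose IP-to-MAC binding must never change.
PINNED = {
    "192.0.2.1": "00:00:5e:00:53:01",   # default gateway
    "192.0.2.53": "00:00:5e:00:53:35",  # DNS resolver
}

def parse_neigh(text):
    """Yield (ip, mac, state) per resolved entry; skip FAILED/INCOMPLETE."""
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" not in tok:
            continue
        yield tok[0], tok[tok.index("lladdr") + 1].lower(), tok[-1]

def audit_neighbors(text, pinned):
    """Return sorted (where, problem) findings for pinned hosts and shared MACs."""
    findings, seen, by_mac = [], {}, defaultdict(list)
    for ip, mac, state in parse_neigh(text):
        seen[ip] = (mac, state)
        by_mac[mac].append(ip)
    for ip, want in pinned.items():
        if ip not in seen:
            findings.append((ip, "pinned host has no neighbor entry"))
            continue
        mac, state = seen[ip]
        if mac != want.lower():
            findings.append((ip, f"MAC is {mac}, expected {want}"))
        if state != "PERMANENT":
            findings.append((ip, f"entry is {state}, not a static (PERMANENT) entry"))
    # A MAC answering for several IPs can indicate ARP redirection (or proxy ARP/aliases).
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append((",".join(sorted(ips)), f"share MAC {mac}"))
    return sorted(findings)

if __name__ == "__main__":
    for where, problem in audit_neighbors(SAMPLE_NEIGH, PINNED):
        print(f"{where}: {problem}")
```
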