2

Scenario: I have a rack of servers that all belong to the same private VLAN. I transfer data from Server 1 to Server 2. Is it possible for any of the other servers to sniff out the data sent or is that only possible from the Router/Switch?

The reason I ask is I am trying to decide if it is safe to transfer unencrypted files via a private network if there are other servers on that private network that might be able to sniff it out, aka virtual servers or leased dedicated servers. The overhead of SSH encryption can be pretty high for transferring a lot of data.

Devon
  • 810

4 Answers

4

Yes, it's possible using an ARP spoofing attack, or if the switch was configured for port mirroring.

Services provided by companies like Amazon avoid that by placing each customer's server inside its own VLAN-like environment. To get outside the VLAN requires a router (in Amazon's case provided by an elastic IP). The net result is that in the Amazon or similar setup, you cannot do an ARP spoof attack to see other inter-server data.

hookenz
  • 14,848
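The answers above all come back to the same layer-2 mechanism: a host on the VLAN answering ARP for an address that is not its own. As an added example (not code from the thread or from any of the posters), here is a small defender-side audit that replays ARP frames and flags the three signs worth alerting on: a reply nobody asked for, a sender whose MAC disagrees with the inventory you keep for your own hosts, and one IP address claimed by more than one MAC over the trace. The frames, the inventory table and the line format are all constructed for the example.

```python
"""Replay ARP frames and flag the patterns an ARP-poisoning attempt leaves.

Added example, not from the original thread. The frame format, the sample
trace and the inventory mapping are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

REQUEST, REPLY = 1, 2  # ARP opcodes (RFC 826)


@dataclass(frozen=True)
class ArpFrame:
    opcode: int
    sender_ip: str
    sender_mac: str
    target_ip: str


# Constructed inventory: the IP -> MAC pairs you know are yours (e.g. from
# your provisioning records). Only these addresses get the mismatch check.
INVENTORY = {
    "10.0.0.1": "00:11:22:33:44:01",  # gateway
    "10.0.0.2": "00:11:22:33:44:02",  # Server 2
}

# Constructed trace, one frame per line: "<opcode> <sender_ip> <sender_mac> <target_ip>".
# Line 3 is a forged reply claiming Server 2's IP with a different MAC.
SAMPLE_TRACE = """\
1 10.0.0.3 00:11:22:33:44:03 10.0.0.2
2 10.0.0.2 00:11:22:33:44:02 10.0.0.3
2 10.0.0.2 00:11:22:33:44:05 10.0.0.3
2 10.0.0.1 00:11:22:33:44:01 10.0.0.3
"""


def parse_trace(text):
    """Parse the constructed line format into ArpFrame objects."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        op, sip, smac, tip = line.split()
        frames.append(ArpFrame(int(op), sip, smac.lower(), tip))
    return frames


def audit(frames, inventory):
    """Return a list of alert tuples; an empty list means nothing suspicious."""
    pending = set()            # (requester_ip, asked_ip) requests awaiting a reply
    claims = defaultdict(set)  # sender_ip -> every MAC seen claiming it
    alerts = []
    for f in frames:
        if f.opcode == REQUEST:
            pending.add((f.sender_ip, f.target_ip))
        elif f.opcode == REPLY:
            # A reply should answer a request this trace has seen from the target.
            key = (f.target_ip, f.sender_ip)
            if key in pending:
                pending.discard(key)
            else:
                alerts.append(("unsolicited-reply", f.sender_ip, f.sender_mac))
        else:
            alerts.append(("bad-opcode", f.sender_ip, f.opcode))
            continue

        # Both requests and replies carry a sender binding that caches may learn,
        # so the inventory and multiple-MAC checks apply to either opcode.
        expected = inventory.get(f.sender_ip)
        if expected is not None and expected != f.sender_mac:
            alerts.append(("inventory-mismatch", f.sender_ip, f.sender_mac))
        if claims[f.sender_ip] and f.sender_mac not in claims[f.sender_ip]:
            alerts.append(("ip-claimed-by-multiple-macs", f.sender_ip,
                           sorted(claims[f.sender_ip] | {f.sender_mac})))
        claims[f.sender_ip].add(f.sender_mac)
    return alerts


def run_sample():
    """Audit the constructed trace against the constructed inventory."""
    return audit(parse_trace(SAMPLE_TRACE), INVENTORY)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed trace the forged third frame trips all three checks at once, while the fourth frame (a correct but unsolicited reply from the gateway) only raises the unsolicited-reply alert, which is the kind of lower-severity hit you would want to rate-limit rather than page on. A real deployment would feed the frames from a capture on a span port or from the host's own ARP traffic; the inventory is the part that does the work, because it turns "some MAC answered" into "the wrong MAC answered for a host I own".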
4

In a typical setup with a datacenter-provided switch, all your servers plus (maybe) their router will be on your private VLAN. If this is the case you should be OK. All of the datacenter's switches can see the traffic, but their other customers can't. Many setups provide a private LAN as well as an internet connection. Make sure you are transferring on the private connection.

It sounds like there are other servers on your private VLAN. In that case, it's not so private, is it? You need things set up so only your servers are on your private LAN.

Even with that change a misconfiguration of the switch or intentional snooping on the datacenter's part could reveal your traffic. So you may still want encryption, but really if you don't trust the datacenter you have bigger problems.

Grant
  • 18,125
1

Basically not. It is possible through using:

  • ARP spoofing attack (when a hacked server tells the switch "I am Server2's IP")
  • Sniffing on a switch (it may be hacked or configured with port mirroring, where traffic from Server1 to Server2 is mirrored to Server3)
  • If they are not in the same network segment, sniffing is possible on the gateway

Just use SSL with predefined private keys from each side and it will be OK.

filimonic
  • 325
0

If there are other servers in your layer 2 VLAN, they can intercept traffic by ARP spoofing. However, a private VLAN usually means only your devices are on it. In that case, there's no way (barring misconfiguration or malice on the side of the provider) that another server could get your traffic.

Now, as for whether or not it's safe to transfer unencrypted data: it depends. If this VLAN is provided to you by a third party, you don't know what they're doing with the frames you send. They could have a port mirror set up and have every frame you send mirrored somewhere else. They could just be using sFlow or NetFlow and have some amount of frames sent to another box to keep statistics. Since you're not the one providing the network, you can't know for sure. So if your data is sensitive and you want to be safe, encrypt.

By the way, I find that modern servers have no trouble at all saturating a GigE link using SSH.

marco
  • 56