In message <x73dn2h7f9.fsf@capsicum.wsrcc.com>Wolfgang Rupprecht writes
>
>> That's easy - replace all your 10base-T hubs (and thinnet) with
>> switches. Can't sniff what you can't see. 8-port 10/100 FDX switches
>> are around $100 now.

Mmm, more devices to fail :).

The eight-port 1/100 devices I've seen in the $100 braket looked like
two four-port hubs connected via a "bridge": no switching
(thus no isolation) within the four-port group.


>I am told this will help, but not completely prevent sniffing.
>Switches will still broadcast a packet to each port if their internal
>arp cache doesn't contain an interface mapping of the destination MAC
>address to destination interface.  A DOS attack against the switch's
>arp table (by overflowing it etc) should get it to fall-back to
>broadcast mode.

I *like* that.  But reserving one ARP entry for each port will defeat
that attack in the common case of a single peer (and thuse one MAC
address) per port.