Network switches are not more secure than network hubs.  Some professionals evangelize: “Switches are more secure than hubs!”  This is false.  A switch is no more secure than a hub, and for a small network that needs to be monitored it can actually be worse.

Network Switches Are Not More Secure than Hubs

Switches and hubs are used to build computer networks.  Computers are plugged into these devices via Ethernet cable, and both devices take frames from one host and pass them on to others.  The difference is that a hub repeats traffic to all of its ports: a computer’s network traffic is sent to every computer connected to the hub, and it is up to each connected computer to accept or disregard a frame based on its destination MAC address.  A switch does that filtering itself.  It learns which MAC address sits behind which port and delivers a unicast frame only to the port where the destination was last seen; broadcasts, and frames to addresses it has not learned yet, still go to every port.  This isolation is a traffic-management feature, not a security boundary.  It can be defeated with well-known tricks such as ARP spoofing or flooding the switch’s address table until it falls back to repeating everything, yet it is what makes people think that switches are more secure than hubs.
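To make the difference concrete, here is a small Python model of both devices.  It is an added illustration, not code from this article; the hosts, port numbers, MAC addresses and traffic in it are constructed.  It counts how many of four frames exchanged between two hosts reach an IDS on a fourth port when the device is a hub, a plain switch, a switch with the IDS port configured as a SPAN destination, and a switch whose address table a third host has filled beforehand (the well-known MAC-flooding attack that makes a switch behave like a hub).

```python
"""Toy model of a hub and a learning switch, to show what an IDS plugged into
one port actually gets to see.  Added illustration, not code from the article:
port numbers, MAC addresses and the traffic are all constructed."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC


class Hub:
    """A repeater: every frame goes out every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, frame, ingress):
        return [p for p in self.ports if p != ingress]


class Switch:
    """A learning switch: remembers which port each source MAC was seen on and
    delivers known unicast frames to that port only.  Broadcasts and frames to
    addresses it has not learned are flooded, as a hub would.  An optional
    mirror (SPAN) port receives a copy of everything that is forwarded."""

    def __init__(self, ports, mirror_port=None, table_size=1024):
        self.ports = list(ports)
        self.mirror_port = mirror_port
        self.table_size = table_size   # the address (CAM) table is finite
        self.table = {}                # MAC -> port

    def forward(self, frame, ingress):
        if frame.src not in self.table and len(self.table) < self.table_size:
            self.table[frame.src] = ingress
        out_port = self.table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            egress = [p for p in self.ports if p not in (ingress, self.mirror_port)]
        elif out_port == ingress:
            egress = []             # destination is on the ingress segment: drop
        else:
            egress = [out_port]
        if self.mirror_port is not None and self.mirror_port != ingress:
            egress.append(self.mirror_port)
        return egress


def frames_seen_by(device, traffic, monitor_port):
    """Push (frame, ingress_port) pairs through device; return the frames delivered to monitor_port."""
    return [frame for frame, ingress in traffic
            if monitor_port in device.forward(frame, ingress)]


# Constructed topology: host A on port 1, host B on port 2, a third host on
# port 3, the IDS on port 4.  A ARPs for B, then the two exchange unicast frames.
A, B = "52:54:00:00:00:0a", "52:54:00:00:00:0b"
PORTS = (1, 2, 3, 4)
IDS_PORT = 4
TRAFFIC = [
    (Frame(A, BROADCAST), 1),
    (Frame(B, A), 2),
    (Frame(A, B), 1),
    (Frame(B, A), 2),
]


def hub_visibility():
    """Hub: the IDS sees all four frames."""
    return len(frames_seen_by(Hub(PORTS), TRAFFIC, IDS_PORT))


def switch_visibility():
    """Plain switch: the IDS sees only the ARP broadcast."""
    return len(frames_seen_by(Switch(PORTS), TRAFFIC, IDS_PORT))


def span_visibility():
    """Switch with port 4 configured as the SPAN destination: all four again."""
    return len(frames_seen_by(Switch(PORTS, mirror_port=IDS_PORT), TRAFFIC, IDS_PORT))


def flooded_switch_visibility(table_size=64):
    """The host on port 3 fills the address table with bogus source MACs before
    A and B talk.  The switch can then learn neither A nor B and floods their
    unicast traffic to every port, IDS and attacker included (MAC flooding)."""
    sw = Switch(PORTS, table_size=table_size)
    for i in range(table_size):
        sw.forward(Frame("02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), BROADCAST), 3)
    return len(frames_seen_by(sw, TRAFFIC, IDS_PORT))


if __name__ == "__main__":
    print("hub:", hub_visibility(), "switch:", switch_visibility(),
          "span:", span_visibility(), "flooded switch:", flooded_switch_visibility())
```

The model is deliberately simple (no aging of table entries, no VLANs), but the numbers it produces are the point of this article: on a hub or a SPAN port the IDS sees the whole conversation; on an ordinary switch port it sees one broadcast and nothing else, and the same switch starts repeating everything the moment its address table is full.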

Switches

Switches are, however, certainly important to large organizations with many employees.  A hub would allow a knowledgeable employee to view a co-worker’s network traffic.  In that case, Human Resources records could be readable by someone from a different department.  HR maintains sensitive personal information about employees; in the wrong hands, that information could be used to commit credit fraud or create a hostile work environment.  A switch helps prevent this threat in a large network.  But what about small networks like home offices and small businesses?

A lot of novice security professionals are misled, and sometimes bullied, into believing that a switch secures their home network.  They are told repeatedly by industry trainers, certification authorities, and the like that they need a switch to be secure.  This is ridiculous.  A switch only adds security when it is properly maintained and configured and has the advanced features that help protect the network.  A typical consumer switch has none of that, and for monitoring purposes it is worse than a hub.  This is the other reason switches belong in large enterprise networks rather than small ones.

Large corporations have system administration staff who can maintain a switch, and switches need regular maintenance.  They are much more complicated than a “dumb” hub: they have to look up the destination MAC address of every frame and forward it to the right port.  Switch firmware and software must be updated regularly, and the configuration has to be updated as the network changes.  Some switches are difficult to work with, and some vendors offer years of training and certifications just to learn how to run one.

This is all overkill for home use.  How many people have dedicated network staff and a system administrator for their home network?  Alarmingly, a large number of cheap switches are sold for home use because “they are secure”.  When was the last time you updated the firmware in your switch?  When was the last time your neighbor’s switch was upgraded?  Never mind configuration: how secure are those switches?  More to the point, a cheap switch is not a defensive device at all.

Managed switches do offer a number of advanced features, some of them defensive, such as trunking and VLANs.  These features carry a performance cost as well as the human cost mentioned above.  The switch has to have enough processing power to support every feature that is turned on, and low-end switches often use slow processors, so enabling more features means degraded performance.  What good is a gigabit switch if its throughput collapses once all of its features are enabled?  The defensive features on these switches are modest.  Many of the devices sold to home users as “switches” are really small routers with a built-in switch; the Network Address Translation they perform hides internal addresses and blocks unsolicited inbound connections, which makes a crude firewall, but it inspects nothing that passes through it.  That work is best reserved for a dedicated firewall.  And most switches, whatever else they include, lack the feature that matters most to a defender: a SPAN port.

The SPAN port (port mirroring) is one of the best ways to monitor traffic on a network.  The switch copies the traffic from the ports chosen for mirroring onto the SPAN port, and that is how Intrusion Detection Systems, network analyzers, and other security tools get to see the traffic they protect.  Port mirroring is a managed-switch feature: unmanaged switches, cheap or expensive, do not have it, and consumer switches almost never do.  Even a SPAN port has limits, since it funnels the traffic of many ports onto one and drops what it cannot forward under load.  If a switch has no SPAN port, another costly device, a network tap, has to be purchased and placed inline to see the traffic.

A novice security professional, taking advice from a seasoned hacker, would buy a switch.  After plugging in their IDS, they would think their network was indestructible.  The IDS would be as quiet as a mouse.  The only traffic it would ever see is its own, plus the broadcasts and unknown-destination frames the switch floods to every port!
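The check a practitioner wants before trusting that IDS is to ask whether its interface ever sees a unicast frame between two other hosts.  The following Python script, added here and not part of the original article, parses the text that `tcpdump -e -nn` prints (the `-e` flag makes tcpdump show the Ethernet addresses) and reports whether the capture contains any third-party unicast.  The two captures embedded in it are constructed samples in tcpdump’s output format, one as seen from a plain switch port and one from a hub or SPAN port; the MAC and IP addresses are made up.

```python
"""Does the monitoring interface actually see other hosts' traffic?

Capture a few hundred frames with the Ethernet header shown, for example
    sudo tcpdump -i eth1 -e -nn -c 200 > capture.txt
and run classify() over the lines.  If every unicast frame involves the
monitor's own MAC, the IDS is hanging off an ordinary switch port, not a
hub, a SPAN port or a tap.  Added example; the captures below are constructed."""
import re
from collections import Counter

# "<timestamp> <src mac> > <dst mac>, ethertype ..." is how tcpdump -e starts a line
LINE_RE = re.compile(r"^\S+\s+([0-9a-f:]{17}) > ([0-9a-f:]{17}),", re.I)


def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set.
    A switch floods those to every port, so seeing them proves nothing."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify(lines, own_mac):
    """Return (counts, third_party_pairs) for a tcpdump -e capture.

    counts has three keys: 'flooded' (broadcast/multicast destinations),
    'own' (unicast to or from own_mac) and 'third_party_unicast' (unicast
    between two other hosts, which only a hub, SPAN port or tap delivers)."""
    own_mac = own_mac.lower()
    counts = Counter()
    third_party = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # continuation or non-Ethernet line
        src, dst = m.group(1).lower(), m.group(2).lower()
        if is_group_address(dst):
            counts["flooded"] += 1
        elif own_mac in (src, dst):
            counts["own"] += 1
        else:
            counts["third_party_unicast"] += 1
            third_party.add((src, dst))
    return counts, third_party


def port_sees_everything(lines, own_mac):
    """True when at least one unicast frame between two other hosts was captured."""
    return bool(classify(lines, own_mac)[1])


IDS_MAC = "52:54:00:00:00:1d"

# Constructed capture: an IDS on an ordinary switch port sees only an ARP
# broadcast and its own DNS lookup.
SWITCH_PORT_CAPTURE = """\
10:00:01.000101 52:54:00:00:00:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.7 tell 10.0.0.5, length 28
10:00:01.000202 52:54:00:00:00:1d > 52:54:00:00:00:01, ethertype IPv4 (0x0800), length 74: 10.0.0.9.45122 > 10.0.0.1.53: 1+ A? example.net. (30)
10:00:01.000303 52:54:00:00:00:01 > 52:54:00:00:00:1d, ethertype IPv4 (0x0800), length 90: 10.0.0.1.53 > 10.0.0.9.45122: 1 1/0/0 A 10.0.0.250 (46)
""".splitlines()

# Constructed capture of the same network from a hub or SPAN port: the
# conversation between 10.0.0.5 and 10.0.0.7 now appears as well.
HUB_CAPTURE = SWITCH_PORT_CAPTURE + """\
10:00:01.000404 52:54:00:00:00:0b > 52:54:00:00:00:0a, ethertype ARP (0x0806), length 42: Reply 10.0.0.7 is-at 52:54:00:00:00:0b, length 28
10:00:01.000505 52:54:00:00:00:0a > 52:54:00:00:00:0b, ethertype IPv4 (0x0800), length 74: 10.0.0.5.51000 > 10.0.0.7.22: Flags [S], seq 1, win 64240, length 0
10:00:01.000606 52:54:00:00:00:0b > 52:54:00:00:00:0a, ethertype IPv4 (0x0800), length 74: 10.0.0.7.22 > 10.0.0.5.51000: Flags [S.], seq 0, ack 2, win 65160, length 0
""".splitlines()


if __name__ == "__main__":
    for name, capture in (("switch port", SWITCH_PORT_CAPTURE), ("hub/SPAN", HUB_CAPTURE)):
        counts, pairs = classify(capture, IDS_MAC)
        print(name, dict(counts), "sees everything:", port_sees_everything(capture, IDS_MAC))
```

Run it against a real capture by reading the file into a list of lines and passing the monitor interface’s MAC; a quiet result on a busy network is the symptom described above, and the fix is a hub, a SPAN port or a tap, not a bigger IDS rule set.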

Hubs

A hub is a practical device for monitoring a home network or a small business with fewer than thirty computers.  It is an inexpensive device that lets an Intrusion Detection System and other defensive tools see and protect the whole network, and it needs little to no maintenance.  The trade-offs are bandwidth and privacy: a hub is a shared half-duplex medium, so every frame competes for the same 10 or 100 Mbps, and every host on it can see everyone else’s traffic, which is the very property that lets the IDS do its job.

A hub is inexpensive.  It does not require software updates because there really is not anything to update.  A hub simply repeats every frame that arrives on one port out of every other port; there is no address table, no configuration, and no advanced logic that support staff would have to maintain.

Security devices connected to a hub are able to see all traffic on the network.  Because the hub repeats every frame to every port, a monitoring device sees everything every computer sends and receives.  This is very different from a switch.

In a small network a switch is less secure precisely because it hides traffic, the attacker’s included.  The switch built into a typical cable/DSL router has no mirror port, so a frame between two hosts behind it is never seen by a third port, and there is no way to tell from that port whether malicious traffic or an intruder is on your network.  The switch hides the bad traffic along with the good.  In this case the switch is the worse device to have on the network, and it is most certainly not more secure than a hub.

Conclusion

Switches are not more secure than hubs.  They can in fact be a hazard to the defense of a network: their ability to hide traffic is a double-edged sword that cuts the owner as readily as the intruder.  Use a hub to defend a small network.  It is the cheapest and easiest way to see all of its traffic, and the network defense devices connected to it will be able to do their job.  If you must use a switch, make sure it has a SPAN port, or put a tap in front of whatever you need to watch.