Scenario: I have a rack of servers that all belong to the same private VLAN. I transfer data from Server 1 to Server 2. Is it possible for any of the other servers to sniff out the data sent or is that only possible from the Router/Switch?

The reason I ask is I am trying to decide if it is safe to transfer unencrypted files via a private network if there are other servers on that private network that might be able to sniff it out, aka virtual servers or leased dedicated servers. The overhead of SSH encryption can be pretty high for transferring a lot of data.

  • Don't use SSH for transport encryption. IPSec in transport mode is made for *precisely* this use case, and is stupid simple to get set up. – EEAA Jun 23 '14 at 02:44
  • When you say "any of the other servers", do you mean other servers in the private VLAN? If not, what "other servers" do you mean? – David Schwartz Jun 24 '14 at 03:59
  • @DavidSchwartz. Yes, the other servers in the rack. – Devon Jun 24 '14 at 16:59

4 Answers


Yes, it's possible using an ARP spoofing attack, or if the switch was configured for port mirroring.

Services provided by companies like Amazon avoid that by placing each customer's server inside its own VLAN-like environment. To get outside the VLAN requires a router (in Amazon's case provided by an elastic IP). The net result is that in the Amazon or similar setup, you cannot do an ARP spoof attack to see other inter-server data.

  • Thanks for the info. This is what I was worried about. So encryption is necessary for a private network, unless you manage every network device behind it I suppose making rsyncd fairly useless in my opinion. Is there anything more one can do to decrease encryption overhead than changing the cipher? – Devon Jun 22 '14 at 22:04
  • 2
    @matt I believe port mirroring is the term you are looking for. – Grant Jun 22 '14 at 22:59
  • Devon, you can do rsync over SSH. Yes, encryption is overhead, but I think you might be overestimating the overhead. It may not be as much overhead as you think. I can't think of any other way around it except having the two servers inside their own VLAN. Otherwise just accept that there is overhead and put up with it. – hookenz Jun 23 '14 at 01:12
  • FYI - AWS doesn't use VLANs, but rather another proprietary custom-built solution. – EEAA Jun 23 '14 at 02:31
  • Ahh, they don't? ok I've updated my answer to reflect that. Many VPC providers don't provide too much technical detail and we have to deduce the answers through some probing the VM etc to see what it reveals. – hookenz Jun 23 '14 at 03:08
  • There was a session I attended at last years re:Invent discussing the details. There's a YouTube vid of the session, but I can't find it at the moment. – EEAA Jun 23 '14 at 03:15
  • @matt - here it is. It's worth a watch if you can spare the time. http://youtu.be/Zd5hsL-JNY4 – EEAA Jun 23 '14 at 03:17
  • Thanks EEAA. That's awesome! watching now... yeah forgot about 4K VLAN limit. – hookenz Jun 23 '14 at 04:14

In a typical setup with a datacenter-provided switch, all your servers plus (maybe) their router will be on your private VLAN. If this is the case you should be OK. All of the datacenter's switches can see the traffic, but their other customers can't. Many setups provide a private LAN as well as an internet connection. Make sure you are transferring on the private connection.

It sounds like there are other servers on your private VLAN. In that case, it's not so private, is it? You need things set up so only your servers are on your private LAN.

Even with that change a misconfiguration of the switch or intentional snooping on the datacenter's part could reveal your traffic. So you may still want encryption, but really if you don't trust the datacenter you have bigger problems.

  • As I read the question, his concern is about other servers that *are* in the private VLAN. He says "... are other servers **on that private network** that might be able to sniff ..." – David Schwartz Jun 24 '14 at 04:00
  • @davidschwartz I read it that way too...if that is his concern, these servers need their own private vlan, separate from the others. – Grant Jun 24 '14 at 04:12
  • @Grant, one concern I had with the question is virtual servers. The way some virtualization is designed, it is not ideal to use VLANs and VLANs may not be properly setup. So many virtual servers may share the same VLAN. – Devon Jun 24 '14 at 17:05
  • 1
    @Devon that's why you need to ENSURE vlans are setup properly...just as you need to ensure physical devices get plugged into the correct switch. If you can't trust the network environment, you need to use encryption, either through SSH, IPSec or some other VPN technology. If this is really sensitive info (credit cards, SSN's, proprietary company secrets, etc) use encryption even if you DO trust the network. And use full disk encryption as well - anyone with physical access to the machines it's stored on can see your data. – Grant Jun 24 '14 at 17:14

Basically not. It is possible through using:

  • An ARP spoofing attack (when a hacked server tells the switch "I am Server2's IP")
  • Sniffing on a switch (it may be hacked or configured with port mirroring, so that traffic from Server1 to Server2 is mirrored to Server3)
  • If they are not in the same network segment, sniffing is possible on the gateway

Just use SSL with predefined private keys on each side and it will be OK.


If there are other servers in your layer 2 VLAN, they can intercept traffic by ARP spoofing. However, a private VLAN usually means only your devices are on it. In that case, there's no way (barring misconfiguration or malice on the side of the provider) that another server could get your traffic.

Now, as for whether or not it's safe to transfer unencrypted data: it depends. If this VLAN is provided to you by a third party, you don't know what they're doing with the frames you send. They could have a port mirror set up and have every frame you send mirrored somewhere else. They could just be using sFlow or NetFlow and have some amount of frames be sent to another box to keep statistics. Since you're not the one providing the network, you can't know for sure. So if your data is sensitive and you want to be safe, encrypt.

By the way, I find that modern servers have no trouble at all saturating a GigE link using SSH.
