Jeff Younker wrote:
>
> 1) If on A then inject packets with B's IP address, or an
> IP address on B's subnet. You may be able to get the
> switch to add A's port to B's VLAN. From there you
> may be able to ascertain B's mac address via broadcast
> traffic.
One would assume the subinterfaces on the router would have
antispoof filters in place to prevent the first part of this.
The switch would have dedicated ports for each VLAN. The router
would prevent B's broadcast traffic from being seen on A's
segment.
> 2) If on A then forge frames with B's mac address (which
> you may have obtained above). You may be able to get
> the switch to think that packets for B should be sent
> to both A's port and B's port.
Proper switch setup should prevent this and the following two.
> 3) If on A then forge frames that look like they come
> from a switch belonging to B's VLAN.
>
> 4) If on A then forge frames to convince the switch that
> you're a bridge connected to B. (Gotta love that layer
> 2 routing.)
Disable spanning tree.
> 5) If on A then try overflowing the IP-Mac tables of the
> switch while also pumping out packets with B's
> IP address and A's mac address. You may succeed in
> convincing the switch that A is in fact B when it
> finally dumps the entry for B.
A proper functioning switch with port based VLANs *should*
make sure an address table overflow only affects the VLAN
it's on. A switch with port based VLANs should act like
two physically different switches with separate address
tables. Somebody should test this :)
> I'm quite certain that I've just begun to scratch the surface
> of the kinds of misdirection that you can pull with a switch.
> While it may be possible to lock down the ports to a given
> VLAN (in theory) I'm reasonably certain that it would be simpler
> to use a small router in place of the switch, and I'm sure that
> it'd be easier to get the correct behavior from the router.
No argument there. Either that or add an interface to the existing
router and run two links to the two servers' subnets.
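Added example, not from the thread or either poster: a small Python audit that reads an IOS-style config and reports server ports that are not pinned to one VLAN with a MAC limit and BPDU guard (no STP participation), and router subinterfaces with no inbound anti-spoof ACL. The sample config is constructed and the command syntax assumes Cisco IOS.

```python
"""Audit an IOS-style config for the VLAN-isolation controls discussed above."""
import re

# Constructed sample config (not from a real device): Gi0/1 is hardened,
# Gi0/2 is at defaults, router subinterface .20 is missing its ACL.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security maximum 1
 spanning-tree bpduguard enable
interface GigabitEthernet0/2
 switchport access vlan 20
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip access-group VLAN10-ANTISPOOF in
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
"""

# Command prefix each server-facing access port must carry, and the risk if absent.
ACCESS_PORT_REQUIRED = {
    "switchport mode access":         "port may negotiate a trunk into another VLAN",
    "switchport nonegotiate":         "trunk negotiation (DTP) still enabled",
    "switchport port-security":       "no MAC limit, address table can be flooded",
    "spanning-tree bpduguard enable": "port accepts BPDUs, rogue bridge possible",
}

def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} from a flat IOS config."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def audit(config):
    """Return (interface, finding) pairs for every missing control."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "." in name:  # router subinterface: needs an inbound anti-spoof ACL
            if not any(re.match(r"ip access-group \S+ in", l) for l in lines):
                findings.append((name, "no inbound anti-spoof ACL"))
        elif any(l.startswith("switchport access vlan") for l in lines):
            for cmd, why in ACCESS_PORT_REQUIRED.items():
                if not any(l.startswith(cmd) for l in lines):
                    findings.append((name, why))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the four missing controls on Gi0/2 and the missing ACL on the .20 subinterface; a hardened port yields no findings.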