Chris Brenton wrote:
>
> Humm. Just out of curiosity, if the switch is on a screened subnet, how
> do you spoof MAC addresses through it? Or are you assuming that one of
> the connected systems has been compromised and has all the tools
> required to perform the attack?
>
Yes. This assumption is implied in the original question. The scenario is that a
penetrated web server is used to sniff email traffic passing through an email server
in the same DMZ.
>
> So worst case you are in the same boat as if you had purchased a hub in
> the first place?
>
Yes. My point was that, while switches are safer than hubs, they are not very much
safer.
>
> Except now the attacker has a target IP address to go after. Given your
> above example where "flooding" may cause all packets to be forwarded, it
> would be pretty inessential to grab the SNMP community names off of the
> wire (sure SNMPv2 is encrypted, but it can still be cracked). If the
> switch allows you to set a port for monitoring, your whole subnet can be
> sniffed.
>
Provided the attacker can get control of the switch. This can be made more difficult
than a "flood" attack.
I agree that we have created a vulnerability by giving the switch an IP address and
allowing it access to our management station. Perhaps management via the serial port
is the answer. The console device would need to be permanently attached in order to
alert the administrator when that "table full" message comes up.
Jim Eckford
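As an added example (not part of the thread and not code from either poster), here is one way a defender might watch for the fail-open condition Jim's last paragraph describes: count how many distinct source MACs each switch port has sourced, which balloons on a flooding port well before the table fills, and match the "table full" message in the console feed so the administrator is alerted. The frames, port names, threshold and console log format are all constructed assumptions, not any vendor's real syntax.

```python
"""Added example: spotting a MAC-flooding (fail-open) switch from the defender's side.

All input below is constructed for the example; the console log format is
hypothetical and the per-port threshold is an assumption.
"""
from collections import defaultdict
import re


def make_sample_frames():
    """Constructed (ingress port, source MAC) observations, as a switch learns them.

    Fa0/1 and Fa0/2 behave like normal DMZ hosts; Fa0/3 sources a fresh MAC on
    every frame, which is what a flooding host looks like to the switch.
    """
    frames = [("Fa0/1", "00:11:22:33:44:55")] * 20                              # web server
    frames += [("Fa0/2", "00:aa:bb:cc:dd:%02x" % (i % 2)) for i in range(20)]   # mail server + one peer
    frames += [("Fa0/3", "02:00:00:%02x:%02x:00" % (i >> 8, i & 0xFF)) for i in range(500)]
    return frames


def count_macs_per_port(frames):
    """Return {port: number of distinct source MACs seen on that port}."""
    seen = defaultdict(set)
    for port, mac in frames:
        seen[port].add(mac.lower())
    return {port: len(macs) for port, macs in seen.items()}


def flooding_ports(frames, threshold=64):
    """Ports that sourced more distinct MACs than any legitimate host should.

    64 is an assumed threshold; a real site derives it from the number of
    hosts expected behind each port (usually one in a DMZ).
    """
    counts = count_macs_per_port(frames)
    return sorted(port for port, n in counts.items() if n > threshold)


# Constructed console lines in a made-up format; only the "table full"
# wording, taken from the thread, matters to the matcher.
SAMPLE_CONSOLE = [
    "12:00:01 SWITCH: link up on Fa0/3",
    "12:00:09 SWITCH: MAC address table full, new addresses not learned",
    "12:00:10 SWITCH: forwarding unknown unicast to all ports",
]

TABLE_FULL = re.compile(r"table\s+full", re.IGNORECASE)


def console_alerts(lines):
    """Return the console lines that should page the administrator."""
    return [line for line in lines if TABLE_FULL.search(line)]


if __name__ == "__main__":
    frames = make_sample_frames()
    print("distinct MACs per port:", count_macs_per_port(frames))
    print("ports that look flooded:", flooding_ports(frames))
    for line in console_alerts(SAMPLE_CONSOLE):
        print("ALERT:", line)
```

The per-port count is the earlier signal: a port whose distinct-MAC count keeps climbing is already flooding whether or not the switch has printed anything yet, so the console match is best treated as confirmation rather than the only trigger.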