Frank Knobbe wrote:
>
> Isn't this something that can be avoided with static ARP entries for
> DMZ devices?
If you can set up static tree entries in the switch: yes.
Otherwise, you'd still be able to get the switch to pass data
to the sniffing device. Although here you wouldn't be relying
on ARP spoofing but rather spamming the switch to get it to
send a large percentage of packets your way. (Fooling the switch
into believing that the hardware address in question is actually
connected to the port where the sniffing machine is). Talking
specifics, "Dsniff" doesn't do this as far as I know.
> Also, if an attacker would use ARP redirect packets,
> wouldn't he break the communication with the intended devices and
> thus create an event that can be detected?
No, not if he passed the packets on to the original destination,
which Dug's little package _does_ do for you :)
(And all of this is why I really like the idea of multi-legged
firewalls with one server per interface. Yum.)
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/ E-mail: [EMAIL PROTECTED]
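The reply above distinguishes two ways a sniffer on a switched DMZ can get traffic sent its way: ARP poisoning of the hosts (which static ARP entries address, and which a relaying attacker makes silent, since nothing breaks) and flooding the switch's forwarding table so it starts repeating frames to all ports. The following detection sketch is an added example and is not code from the thread or from dsniff; all addresses, port names and frames are constructed sample data, and the field layout (sender MAC/IP for ARP replies, ingress port/source MAC for frames) is an assumption about what a monitor would export. It checks observed ARP replies against a pinned table, and counts distinct source MACs per switch port, which is the same indicator a switch's own port-security limit keys on.

```python
"""Detection sketch for the two switch-bypass techniques discussed in the
thread: ARP poisoning of DMZ hosts and forwarding-table flooding of the
switch. Added example, not from the original thread. All traffic below is
constructed sample data; the record layouts are assumed."""
from collections import defaultdict

# Static bindings a DMZ operator would pin (IP -> MAC). Constructed values.
STATIC_ARP = {
    "10.0.0.1": "00:11:22:33:44:01",   # firewall's DMZ leg
    "10.0.0.10": "00:11:22:33:44:0a",  # web server
    "10.0.0.11": "00:11:22:33:44:0b",  # mail relay
}

# Constructed ARP replies seen on the segment: (sender_mac, sender_ip).
ARP_REPLIES = [
    ("00:11:22:33:44:01", "10.0.0.1"),
    ("00:11:22:33:44:0a", "10.0.0.10"),
    ("DE:AD:BE:EF:00:01", "10.0.0.1"),    # a second MAC claiming the firewall's IP
    ("de:ad:be:ef:00:01", "10.0.0.10"),   # ...and the web server's IP
    ("00:11:22:33:44:0b", "10.0.0.11"),
]

# Constructed switch-side view of frames: (ingress_port, src_mac).
# Two normal ports with one host each, plus one port emitting 500 distinct
# source MACs, the pattern of a forwarding-table flooding attempt.
FRAMES = [("Gi0/1", "00:11:22:33:44:01"), ("Gi0/2", "00:11:22:33:44:0a")] + [
    ("Gi0/7", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(500)
]


def arp_conflicts(replies, static_table):
    """Return (ip, claimed_mac, expected_mac) for every reply whose sender
    binding disagrees with the pinned table. As the thread notes, an attacker
    who relays traffic onward causes no outage, so an availability alarm will
    not fire; the conflicting binding itself is the signal."""
    conflicts = []
    for mac, ip in replies:
        expected = static_table.get(ip)
        if expected is not None and expected.lower() != mac.lower():
            conflicts.append((ip, mac.lower(), expected.lower()))
    return conflicts


def flooding_ports(frames, max_macs_per_port=8):
    """Count distinct source MACs per ingress port and return the ports that
    exceed the limit. An access port normally carries one or a handful of
    MACs, so hundreds of new sources on one port is the signature of an
    attempt to overflow the switch's forwarding table."""
    seen = defaultdict(set)
    for port, mac in frames:
        seen[port].add(mac.lower())
    return {port: len(macs) for port, macs in seen.items()
            if len(macs) > max_macs_per_port}


if __name__ == "__main__":
    for ip, claimed, expected in arp_conflicts(ARP_REPLIES, STATIC_ARP):
        print(f"ARP conflict: {ip} claimed by {claimed}, pinned to {expected}")
    for port, n in flooding_ports(FRAMES).items():
        print(f"possible MAC flooding on {port}: {n} distinct source MACs")
```

The threshold of eight MACs per port is a starting point, not a rule; a port facing a hypervisor or another switch legitimately carries many more, so the limit should be set per port in the same way a switch's port-security maximum is.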