On Fri, 12 Apr 2002, Gary Flynn wrote:
> I'm certainly not going to argue with you about other means of
> segmentation being more secure but
> I'm wondering what the actual risk level is. The only vulnerability
> report I've seen requires the
> following conditions:
> [snip]
>
> Are you aware of any other vulnerabilities or exploits?
The ability to DoS the internal network if you can make the switch too busy is the most obvious one, and that can be pretty easy in some scenarios. There've been rumbles of very interesting tagged queueing issues (802.1q) for ~4 years now; I highly doubt the DoS attacks Cisco fixed are the end of that train. I wouldn't put money on either spanning tree or Cisco Discovery Protocol not having a problem or two even this late in the game (heck, SNMP has been around forever and the last round of stuff *only* looked at V1 of the protocol.) I'm not sure how the "fill up the CAM table" thing works these days, but I doubt that the default "broadcast on every port" logic is completely ripped out of the switch code for each set of things that would ever trigger it.

The most important thing though is that a single configuration change completely and utterly destroys your security posture. Think about the last few worms which have gotten to internal networks, add a switch component to the mix and think about how "safe" that architecture is (disallowing remote access to a DMZ-only switch is pretty easy; internal switches all tend to have IP addresses and SNMP on these days.) One bug, one mistake, one malicious act; mix it with one single point of failure, and everything's exposed.

Hell, a dumb switch for the DMZ is a *trivial* amount of money these days.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
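The "fill up the CAM table" condition Paul mentions has a simple observable symptom on the switch: one port suddenly learns far more source MAC addresses than any real host population behind it could account for. The following is an added detection example, not code from the thread or from any switch vendor; the log line format (`<ISO timestamp> <port> <mac> learned`) and the sample events are constructed here, and the per-port limit of 8 MACs in a 10-second window is an assumed tuning value. It keeps a sliding window per port and reports the ports whose distinct-MAC count exceeds the limit, which is the same quantity a port-security style MAC limit would enforce on the switch itself.

```python
"""Flag switch ports that learn an implausible number of source MACs in a
short window, the condition a CAM-table flood produces.

Added example. The log format below is constructed for illustration and is
not any vendor's real syslog format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _make_sample_lines():
    """Constructed MAC-learning events: one quiet port, one being flooded."""
    base = datetime(2002, 4, 12, 10, 0, 0)
    lines = []
    # Gi0/1: two real hosts, normal behaviour.
    for i, mac in enumerate(["00:11:22:33:44:01", "00:11:22:33:44:02"]):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} Gi0/1 {mac} learned")
    # Gi0/5: 40 distinct MACs in four seconds (constructed flood pattern).
    for i in range(40):
        ts = base + timedelta(milliseconds=100 * i)
        mac = f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"
        lines.append(f"{ts.isoformat()} Gi0/5 {mac} learned")
    return lines


SAMPLE_LINES = _make_sample_lines()


def parse_event(line):
    """Return (timestamp, port, mac) for one constructed log line, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[3] != "learned":
        return None
    return datetime.fromisoformat(parts[0]), parts[1], parts[2].lower()


def detect_flooding(lines, max_macs=8, window=timedelta(seconds=10)):
    """Return {port: peak distinct MACs within `window`} for every port whose
    peak exceeds `max_macs`.

    Sliding window per port: a deque of (ts, mac) events still inside the
    window plus a refcount of how many in-window events carry each MAC, so
    the distinct count is just len(refcount)."""
    in_window = defaultdict(deque)
    refcount = defaultdict(lambda: defaultdict(int))
    peak = defaultdict(int)

    events = [e for e in map(parse_event, lines) if e is not None]
    events.sort()  # tuples order by timestamp first

    for ts, port, mac in events:
        q, rc = in_window[port], refcount[port]
        q.append((ts, mac))
        rc[mac] += 1
        # Expire events that fell out of the window.
        while q and ts - q[0][0] > window:
            old_ts, old_mac = q.popleft()
            rc[old_mac] -= 1
            if rc[old_mac] == 0:
                del rc[old_mac]
        peak[port] = max(peak[port], len(rc))

    return {port: n for port, n in peak.items() if n > max_macs}


if __name__ == "__main__":
    for port, n in sorted(detect_flooding(SAMPLE_LINES).items()):
        print(f"{port}: {n} distinct source MACs in window, above limit")
```

Run on the constructed sample it reports only `Gi0/5` (40 distinct MACs); `Gi0/1` stays under the limit. The design point is that the detector looks at the same quantity the mitigation does: capping learned MACs per access port on the switch stops the table from filling in the first place, and a monitor like this catches the ports where such a cap is missing or has been removed by the kind of single configuration change the message warns about.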
