> Hi,
> On Fri, Mar 25, 2005 at 02:07:49AM +0100, Per Engelbrecht wrote:
>> So far I've done all my "tapping" on the backbone's SPAN port.
>> I do have SPAN ports on all the customer switches as well, but don't use them right now - I'm building an NDIS master with sensors (hardware clients) going into these ports .. all the way down. It's not production ready yet, though.
> Another approach (which is strongly recommended) would be to apply full layer 3 separation. Each customer gets a *routed* layer 3 VLAN, and all IPs in there belong to him.
Hi gert
I like the idea and I've thought of that before. The biggest problem is the max number of VLANs per switch, which is 30, and the number of interfaces, which is 48 (+2 Gbit for SPAN and uplink).
Another issue is that customers, mostly business, buy N+* servers which are scattered all over the setup. This could be dealt with by using dynamic VLANs, but that still leaves the 30:48 problem. If I had 48:48 I would be a happy camper.
> So even if the trojan "spoofs" addresses, it's still easy to backtrack, because all the /29 or /28 or whatever subnet is the same customer anyway -
> and with proper anti-spoofing filtering, no other source IPs can get
> out of the VLAN.
Besides the above, I had my doubts about going the 'port-security' [802.11 / qos] way or the 'mac-lockdown' [static-mac] way a while back. These features cannot co-exist on the switches.
A while back I experienced a lot of arp-spoofing/arp-cache-poisoning attempts and took the 'mac-lockdown' approach. It was fast, clean and effective, but lacked anything else. It was a choice at that time.
> But that's getting off-topic on tcpdump-workers. A better list for that might be cisco-nsp (see http://puck.nether.net/ for a number of very interesting networker lists).
Hmm nice, didn't know that site - thank you gert!
respectfully /per [EMAIL PROTECTED]
> gert
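The per-customer routed VLAN layout that Gert recommends above makes both halves of his argument mechanical: a packet leaving a VLAN is legitimate only if its source address lies in that VLAN's own prefixes, and any address seen on the backbone can be mapped straight back to one customer. The script below is an added example written for this thread (it is not code from either poster or from tcpdump). It assumes a hypothetical allocation table of customers on RFC 5737 documentation ranges, and feeds it constructed lines shaped like `tcpdump -e` output from a SPAN port carrying 802.1Q-tagged customer VLANs; it then applies the anti-spoofing rule and attributes each flagged source to its real owner.

```python
"""Per-VLAN anti-spoofing check and source-to-customer attribution.

Added example, not from the tcpdump-workers thread. The allocation table,
VLAN numbers and sample capture lines are all constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Net = ipaddress.IPv4Network


class Allocation(NamedTuple):
    vlan: int
    customer: str
    prefixes: Tuple[Net, ...]


# Constructed allocation table (hypothetical customers). In a real setup this
# comes from the provisioning database that drives the VLAN/ACL config.
ALLOCATIONS: List[Allocation] = [
    Allocation(101, "cust-a", (Net("198.51.100.0/29"),)),
    Allocation(102, "cust-b", (Net("198.51.100.16/28"),)),
    Allocation(103, "cust-c", (Net("203.0.113.0/28"), Net("203.0.113.64/29"))),
]
BY_VLAN: Dict[int, Allocation] = {a.vlan: a for a in ALLOCATIONS}

# Constructed lines approximating the VLAN/IP part of `tcpdump -e` output on a
# tagged trunk. Line 3 reuses cust-a's address from cust-b's VLAN, line 5 uses
# an unallocated private address, line 6 arrives on a VLAN nobody owns.
SAMPLE_LINES = [
    "vlan 101, p 0, ethertype IPv4, 198.51.100.3.40000 > 192.0.2.10.80: Flags [S]",
    "vlan 102, p 0, ethertype IPv4, 198.51.100.20.51000 > 192.0.2.10.443: Flags [S]",
    "vlan 102, p 0, ethertype IPv4, 198.51.100.3.1024 > 192.0.2.99.25: Flags [S]",
    "vlan 103, p 0, ethertype IPv4, 203.0.113.70.33000 > 192.0.2.10.80: Flags [S]",
    "vlan 101, p 0, ethertype IPv4, 10.0.0.5.2000 > 192.0.2.10.80: Flags [S]",
    "vlan 199, p 0, ethertype IPv4, 203.0.113.2.3000 > 192.0.2.10.80: Flags [S]",
]

# Pull the 802.1Q tag plus the IPv4 source/destination (tcpdump prints host.port).
LINE_RE = re.compile(
    r"vlan (?P<vlan>\d+),.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+"
)


class Flow(NamedTuple):
    vlan: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_line(line: str) -> Optional[Flow]:
    """Return a Flow for a tagged IPv4 line, or None if the line has no VLAN/IP pair."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Flow(int(m["vlan"]), ipaddress.IPv4Address(m["src"]),
                ipaddress.IPv4Address(m["dst"]))


def owner_of(addr: str) -> Optional[str]:
    """Backtrack an address to its customer by longest matching allocated prefix."""
    ip = ipaddress.IPv4Address(addr)
    best: Optional[Tuple[Net, str]] = None
    for a in ALLOCATIONS:
        for p in a.prefixes:
            if ip in p and (best is None or p.prefixlen > best[0].prefixlen):
                best = (p, a.customer)
    return best[1] if best else None


def check_flow(flow: Flow) -> Tuple[bool, str]:
    """Ingress anti-spoofing rule: the source must sit inside the ingress VLAN's
    own prefixes. Unknown VLANs are denied by default."""
    alloc = BY_VLAN.get(flow.vlan)
    if alloc is None:
        return False, f"unknown vlan {flow.vlan}: default deny"
    if any(flow.src in p for p in alloc.prefixes):
        return True, f"ok: {alloc.customer}"
    real_owner = owner_of(str(flow.src))
    where = f"seen in vlan {flow.vlan} ({alloc.customer})"
    if real_owner:
        return False, f"spoofed: {flow.src} belongs to {real_owner}, {where}"
    return False, f"spoofed: {flow.src} is not allocated to any customer, {where}"


def audit(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Run the check over capture lines; returns (src, accepted, reason) per flow."""
    results = []
    for line in lines:
        flow = parse_line(line)
        if flow is not None:
            ok, why = check_flow(flow)
            results.append((str(flow.src), ok, why))
    return results


if __name__ == "__main__":
    for src, ok, why in audit(SAMPLE_LINES):
        print(("PASS" if ok else "DROP"), src, "-", why)
```

The same table that drives `check_flow` is what a per-VLAN ingress ACL (or strict unicast RPF on the routed VLAN interface) enforces on the switch itself; running the check offline over a SPAN capture is a way to confirm the filters are actually doing that, and the `owner_of` lookup is the "easy to backtrack" step once something slips through.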
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.