> IEEE 802.1d isn't much use in deciding which option > is best. IEEE 802.1d is of questionable value anyway. Grep the standard for the word security. Spanning tree used maliciously is spectacularly effective when you decide to elect yourself the root of the tree. > Fixes are to activate "port security", which deactivates > a port if its MAC address changes. This limits the > DoS to one machine, which may still be worthwhile > if the machine runs an attractive service. It is > costly to administer in a large network. Your security is still totally illusionary. Treat a switch as a network accelerator thats all. Any security consultant who talks about switches as a security feature you should offer to sell a bridge too (london bridge that is). The only time the switch helps is if it has IP level filters > Networks with trees of switches will see multiple traps > as MAC addresses changes, so this option is usually > only enabled on switches at the edge. Be careful the bridge handles this right. You can trash some with trap bombs too - its often loading the on board CPU down to handle an SNMP trap and that in many bridges clobbers some of the hardware assisted performance badly. > access areas (computing labs, etc) on their own IP subnets. > These areas usually require significant IP filtering > in any case. The effect is to limit link-level DoS attacks > initiated from a public keyboard to a single physical area. Sort of. Given nodes A and B talking IP away from the public lab. Ping A, ping B. Note their mac addresses. Send A a regular stream of ARPs claiming B has moved to your address. Send B a stream of frames claiming A has moved to your address. Sit in the middle rewriting destination headers. Enjoy. You are using strong crypto on your network aren't you 8) Alan
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:23 PDT