Re: Q on external router

From: Bennett Todd (betat_private)
Date: Wed Apr 22 1998 - 10:49:54 PDT


    1998-04-23-01:13:28 Vinci Chou:
    > After posting my question, I searched the archive at nfr.net and the
    > argument by "Adam Shostack" against a switch in the DMZ was not that it
    > cannot prevent sniffing but rather, it may not stand malicious attack.
    
    If you use a switch in a DMZ setting, use it as a super-high-performance
    hub, not as a security device.
    
    > However, he did not quote any concrete evidence or example because these
    > are relatively new.
    
    I won't quote concrete evidence or example either. However, I don't
    regard the question as open and unsettled :-).
    
    Switches aren't designed as security barriers, they're designed as
    high-performance hubs. Take a sniffer to a switched network; you'll see
    occasional packets you wouldn't expect to. Partly this comes from the
    way they work: they learn the network config by examining packets as
    they sail past, and they flood everything out like a hub until they
    learn each destination's whereabouts. Furthermore they'll have a finite
    amount of storage for caching the CAM table and will have some kind of
    space management strategy. And that's all just in the normal operation
    of the switch, not talking about its support for explicitly _enabling_
    sniffing, which may or may not be adequately secured.
    
    Now if you occasionally see packets you don't need to, this doesn't
    significantly hurt performance, and so it's not a defect in the switch,
    at delivering its service as a high speed hub. But if you are trying to
    use it as a security device, this is really nasty. Not only does it mean
    there's a reduced-but-nonzero possibility of an intruder being able to
    passively pick up goodies, it makes it seem very likely that a suitably
    determined attacker could find a way to coerce a given switch into
    passing him a packet that he shouldn't otherwise get, on demand. What
    would happen, for example, if you generated a non-stop stream of
    whatever packet the switch ``learns'' MAC addresses from (ARP reply?) as
    fast as your system can emit them, with, e.g., incrementing MAC addresses,
    addressed to your own MAC address, and simultaneously listened on another
    port for these nastygrams? Perhaps you'd be able to empty the CAM table
    in a fraction of a second, at which point it'll forget that _your_ MAC
    address is on your port, and commence beaming everything everywhere; if
    you see one of your nastygrams on another port you know you've blown its
    brain and you (temporarily) shut down your assault, listen to the
    nattering of everyone until it quiets down, then re-blow its brain. This
    might go unnoticed unless someone was in the machine room and saw the
    CPU load doing a conga with a back-beat.
    
    I don't know. I _do_ know that routers are designed to control traffic,
    and so are bastion hosts, whereas switches are not; it seems like a
    sound principle to use them that way.
    
    -Bennett
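The two mechanisms Bennett leans on above (flood-until-learned behaviour, and a bounded CAM table with some replacement policy) can be walked through with a small model. The following is an added example, not part of the post and not code from any real switch: a Python simulation of a learning switch whose CAM table holds a fixed number of entries and evicts the least recently used one when full. Port numbers, MAC addresses, table size and the LRU policy are all constructed assumptions; real switches vary in capacity and replacement strategy, which is precisely why the post treats the exact behaviour as unknowable from the outside.

```python
"""Constructed model of a learning switch with a bounded CAM table.

Illustrates the CAM-exhaustion trick described in the post: a host emits
frames from incrementing bogus source MACs, addressed to itself, while a
second interface listens on another port.  The moment its own entry is
evicted, the switch floods like a hub and the listener sees a frame.
All addresses, ports and the LRU eviction policy are assumptions.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC: what the switch learns from
    dst: str  # destination MAC: what the switch looks up


class LearningSwitch:
    """Forwards like a hub until it has learned where a destination lives.

    The CAM table maps MAC -> port and has a fixed capacity.  When it is
    full, the least recently used entry is dropped (assumed policy).
    """

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports: Iterable[int], cam_capacity: int) -> None:
        self.ports = set(ports)
        self.cam_capacity = cam_capacity
        self.cam: "OrderedDict[str, int]" = OrderedDict()

    def _learn(self, mac: str, port: int) -> None:
        if mac in self.cam:
            self.cam.move_to_end(mac)
        elif len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)  # evict the oldest entry
        self.cam[mac] = port

    def forward(self, frame: Frame, in_port: int) -> Set[int]:
        """Return the set of ports the frame is emitted on."""
        self._learn(frame.src, in_port)
        out = self.cam.get(frame.dst)
        if frame.dst == self.BROADCAST or out is None:
            return self.ports - {in_port}  # unknown destination: flood
        if out == in_port:
            return set()  # destination sits behind the ingress port: filter
        return {out}


# Constructed topology: victim on port 1, server on port 2, attacker sends on
# port 3 and listens with a second interface on port 4.
VICTIM, SERVER, ATTACKER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
VICTIM_PORT, SERVER_PORT, ATTACK_PORT, LISTEN_PORT = 1, 2, 3, 4


def cam_exhaustion_demo(capacity: int = 1024) -> Dict[str, object]:
    sw = LearningSwitch(ports={1, 2, 3, 4}, cam_capacity=capacity)

    # Normal operation: the victim's ARP broadcast is flooded, the server
    # answers, and from then on victim<->server traffic is unicast only.
    sw.forward(Frame(VICTIM, LearningSwitch.BROADCAST), VICTIM_PORT)
    sw.forward(Frame(SERVER, VICTIM), SERVER_PORT)
    quiet = sw.forward(Frame(VICTIM, SERVER), VICTIM_PORT)

    # Attacker: make sure the switch knows ATTACKER on port 3, then emit
    # frames from incrementing bogus sources addressed to ATTACKER.  While
    # that entry survives they are filtered; once it is evicted they are
    # flooded and the listener on port 4 sees one.
    sw.forward(Frame(ATTACKER, SERVER), ATTACK_PORT)
    frames_sent = 0
    while True:
        frames_sent += 1
        bogus = "02:ff:{:02x}:{:02x}:{:02x}:{:02x}".format(*frames_sent.to_bytes(4, "big"))
        if LISTEN_PORT in sw.forward(Frame(bogus, ATTACKER), ATTACK_PORT):
            break

    # Now the legitimate conversation is flooded to every port, attacker included.
    blown = sw.forward(Frame(VICTIM, SERVER), VICTIM_PORT)
    # A single reply relearns the server's address and unicast resumes, which
    # is why the attacker has to pause, listen, and then re-flood.
    recovered = sw.forward(Frame(SERVER, VICTIM), SERVER_PORT)

    return {"quiet": quiet, "frames_until_detected": frames_sent,
            "blown": blown, "recovered": recovered}


if __name__ == "__main__":
    print(cam_exhaustion_demo())
```

With the LRU policy assumed here the attacker's own entry is the last legitimate one to go, so the listener fires after exactly `capacity` bogus frames; with a different replacement strategy the count changes but the flooding outcome does not, and the return value shows the recovery Bennett describes: one reply from the server and the switch is back to unicast until the next burst.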
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:27 PDT