1998-04-23-01:13:28 Vinci Chou:

> After posting my question, I searched the archive at nfr.net and the
> argument by "Adam Shostack" against a switch in the DMZ was not that it
> cannot prevent sniffing but rather, it may not stand malicious attack.

If you use a switch in a DMZ setting, use it as a super-high-performance hub, not as a security device.

> However, he did not quote any concrete evidence or example because these
> are relatively new.

I won't quote concrete evidence or example either. However, I don't regard the question as open and unsettled :-).

Switches aren't designed as security barriers, they're designed as high-performance hubs. Take a sniffer to a switched network; you'll see occasional packets you wouldn't expect to. Partly this comes from the way they work: they learn the network config by examining packets as they sail past, and they flood everything out like a hub until they learn each destination's whereabouts. Furthermore they'll have a finite amount of storage for caching the CAM table and will have some kind of space management strategy. And that's all just in the normal operation of the switch, not talking about its support for explicitly _enabling_ sniffing, which may or may not be adequately secured.

Now if you occasionally see packets you don't need to, this doesn't significantly hurt performance, and so it's not a defect in the switch, at delivering its service as a high speed hub. But if you are trying to use it as a security device, this is really nasty. Not only does it mean there's a reduced-but-nonzero possibility of an intruder being able to passively pick up goodies, it makes it seem very likely that a suitably determined attacker could find a way to coerce a given switch into passing him a packet that he shouldn't otherwise get, on demand.

What would happen, for example, if you generated a non-stop stream of whatever packet the switch "learns" MAC addresses from (arp reply?) as fast as your system can emit them, for e.g. incrementing MAC addresses, addressed to your own MAC address, and simultaneously listen on another port for these nastygrams. Perhaps you'd be able to empty the CAM table in a fraction of a second, at which point it'll forget that _your_ MAC address is on your port, and commence beaming everything everywhere; if you see one of your nastygrams on another port you know you've blown its brain and you (temporarily) shut down your assault, listen to the nattering of everyone until it quiets down, then re-blow its brain. This might go unnoticed unless someone was in the machine room and saw the CPU load doing a conga with a back-beat.

I don't know. I _do_ know that routers are designed to control traffic, and so are bastion hosts, whereas switches are not; it seems like a sound principle to use them that way.

-Bennett
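The CAM-table behaviour Bennett describes, modelled as an added example (not code from the original post or from any switch vendor): a learning switch with a finite table falls back to flooding once legitimate entries are evicted, and a per-port source-address limit (a port-security style mitigation, assumed here as a generic feature) keeps the legitimate entry and gives the operator a violation counter to alert on. Port numbers, table capacity and MAC addresses are constructed sample values.

```python
"""Toy learning switch with a finite CAM table and optional per-port MAC limit."""
from collections import OrderedDict


class LearningSwitch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # finite table, oldest entry evicted first
        self.max_macs_per_port = max_macs_per_port  # None = no port-security limit
        self.cam = OrderedDict()                    # mac -> port, insertion order = age
        self.violations = {p: 0 for p in ports}     # per-port counter a NOC could alert on

    def _learn(self, src, in_port):
        """Record src on in_port; return False if the port-security limit blocks it."""
        if self.max_macs_per_port is not None:
            others = sum(1 for m, p in self.cam.items() if p == in_port and m != src)
            if others >= self.max_macs_per_port:
                self.violations[in_port] += 1
                return False
        if src in self.cam:
            self.cam.move_to_end(src)               # refresh age of a known address
        elif len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)            # table full: evict the oldest entry
        self.cam[src] = in_port
        return True

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for a frame src->dst arriving on in_port."""
        if not self._learn(src, in_port):
            return set()                            # port-security violation: drop frame
        if dst in self.cam:
            out = self.cam[dst]
            return set() if out == in_port else {out}
        return {p for p in self.ports if p != in_port}   # unknown destination: flood


def demo(max_macs_per_port=None):
    """Server on port 1, client on port 2, a burst of 20 source MACs on port 3.
    Returns (egress ports for a later client->server frame, violations on port 3)."""
    sw = LearningSwitch(ports=[1, 2, 3], cam_capacity=8, max_macs_per_port=max_macs_per_port)
    sw.forward("aa:aa", "ff:ff", in_port=1)         # server's address learned on port 1
    sw.forward("bb:bb", "aa:aa", in_port=2)         # client learned on port 2
    for i in range(20):                             # many distinct sources from port 3
        sw.forward(f"03:{i:02x}", "aa:aa", in_port=3)
    return sw.forward("bb:bb", "aa:aa", in_port=2), sw.violations[3]
```

Without a limit `demo()` shows the client-to-server frame flooded to every other port; with `demo(max_macs_per_port=2)` it stays unicast and the counter on port 3 records the excess addresses.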
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:27 PDT