At 21:31 22/04/98 +0200, Bernhard Schneck wrote:
>In message <Pine.SUN.3.95.980422171232.27846D-100000at_private> you write:
> > After posting my question, I searched the archive at nfr.net and the
> > argument by "Adam Shostack" against a switch in the DMZ was not that it
> > cannot prevent sniffing but rather, it may not stand malicious attack.
> > However, he did not quote any concrete evidence or example because these
> > are relatively new.
>
>Switches have finite storage for ARP entries (usually some power of
>2, say 4096 or 8192). Flood them with enough (bogus) ARPs and most
>of them will start passing all packets.

Right, two additional comments:

- it is not ARP (ARP is for translating IP addresses into MAC addresses), it is a CAM table
- if you are using a static MAC to port table, then you can still flood the MAC table but the static mapping will be kept anyway (defeating your attack)

Thus, in my opinion (but have a look at my email address to see that I could be biased ;-) ), the switch can increase the DMZ security if:

- it uses static mapping
- as you put part of your security in the switch configuration, you must obviously secure your switch config (OTP, ACL, management via console only, ...)

Just my 0,01 EUR

-eric

>
>POOF.
>
>\Bernhard.
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evynckeat_private
Mobile: +32-75-312.458
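The exchange above describes two things in words: a CAM (MAC-to-port) table of finite size that, once filled with bogus source addresses, leaves the switch forwarding frames for unknown destinations out of every port, and a static MAC-to-port mapping that survives the same flood. The following toy model, added here as an illustration and not code from either poster, plays both scenarios through. The switch, port names, MAC addresses, the 16-entry table and the 300-second ageing time are all constructed for the example; the full-table behaviour modelled (new entries are simply not learned) is one common vendor choice, not a universal one.

```python
"""Toy model of a switch CAM (MAC-to-port) table under a MAC flooding attack.

Constructed example: MAC addresses, port names, the table size and the ageing
timer are made up. A real switch holds thousands of entries (4096/8192 in the
mail above) and its exact full-table behaviour (refuse to learn, overwrite a
hash bucket, ...) is vendor specific; here a full table refuses new entries.
"""
import random

AGE_LIMIT = 300  # seconds a dynamic entry survives without being refreshed


class Switch:
    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.static = {}    # mac -> port; never aged out, never evicted
        self.dynamic = {}   # mac -> (port, last_seen); learned from traffic
        self.now = 0        # logical clock in seconds

    def add_static(self, mac, port):
        """Operator-configured MAC-to-port entry (the 'static mapping')."""
        self.static[mac] = port
        self.dynamic.pop(mac, None)

    def tick(self, seconds):
        """Advance the clock and age out dynamic entries not seen recently."""
        self.now += seconds
        self.dynamic = {m: (p, t) for m, (p, t) in self.dynamic.items()
                        if self.now - t < AGE_LIMIT}

    def learn(self, mac, port):
        """Source-address learning; a full table silently learns nothing new."""
        if mac in self.static:
            return
        if mac in self.dynamic or len(self.static) + len(self.dynamic) < self.capacity:
            self.dynamic[mac] = (port, self.now)

    def forward(self, src, in_port, dst):
        """Return the egress ports for one frame: one port if dst is known,
        otherwise every port except the ingress one (unknown-unicast flood)."""
        self.learn(src, in_port)
        out = self.static.get(dst)
        if out is None and dst in self.dynamic:
            out = self.dynamic[dst][0]
        if out is None:
            return [p for p in self.ports if p != in_port]
        return [out]


# Constructed hosts: victim on p1, server on p2, attacker on p3.
VICTIM = "00:00:5e:00:53:01"
SERVER = "00:00:5e:00:53:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def run(static_mapping, seed=0):
    """Flood the table from p3 and report where a server->victim frame ends up."""
    rng = random.Random(seed)
    sw = Switch(["p1", "p2", "p3", "p4"], capacity=16)
    if static_mapping:
        sw.add_static(VICTIM, "p1")
        sw.add_static(SERVER, "p2")

    # 1. Normal traffic: victim and server get learned (or are already static).
    sw.forward(VICTIM, "p1", SERVER)
    before = sw.forward(SERVER, "p2", VICTIM)

    # 2. Attacker on p3 sends frames with random, locally-administered source
    #    MACs and keeps resending them for longer than AGE_LIMIT, so the bogus
    #    entries stay fresh while the idle victim/server entries age out.
    bogus = ["02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
             for _ in range(64)]
    for _ in range(AGE_LIMIT // 60 + 2):
        for mac in bogus:
            sw.forward(mac, "p3", BROADCAST)
        sw.tick(60)

    # 3. Server talks to the victim again. With only dynamic learning the
    #    victim's entry is gone and cannot be relearned (table full), so the
    #    frame is flooded out of p1, p3 and p4 and the attacker on p3 sees it.
    #    With static mapping it still goes to p1 only.
    after = sw.forward(SERVER, "p2", VICTIM)
    return {"before": before, "after": after,
            "table_size": len(sw.static) + len(sw.dynamic)}


if __name__ == "__main__":
    for static in (False, True):
        print("static mapping:", static, run(static))
```

The model also shows why the second point in the mail matters: the static entries are only as trustworthy as the configuration that created them, so whoever can change the switch configuration can remove the protection.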
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:31 PDT