>> If I may barge in on this, as far as I know a layer three switch only has an
>> IP-stack for management purposes. The actual switching is done in hardware.

> I'm not discussing the implications of subverting IP-switching. I am
> mentioning that there may be security implications (beyond denial of
> service) associated with the fact that I can fault the software running on
> the switch platform by sending the switch certain packets.

Okay, understood. Risks I could think of:

o A DoS could blow up the management interface (maybe even requiring a
  reboot). Since the switching process runs independently, chances that a
  software crash would have implications for the switching process would be
  slim but not unthinkable.

o Possibility of someone finding a way to work around MAC/VLAN/IP-address
  restrictions and have access to the management interface.

o Allowing SNMP management to the switch (e.g. SNMP v1), with IP-based (thus
  weak) access control. This could be prevented by setting up VLANs with
  port restrictions.

o ?

--
Rodney van den Oever / 066 166 - 0318 623047 / PGP Key ID 0x0A6CCE53
'Always go to other people's funerals, otherwise they won't come to yours.'
- Yogi Berra

> >-----------------------------------------------------------------------------
> >Thomas H. Ptacek                                      Secure Networks, Inc.
> >-----------------------------------------------------------------------------
> >http://www.enteract.com/~tqbf    "If you're so special, why aren't you dead?"
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:40 PDT