One other point that may be relevant here is that many groups do not pay as much attention to the security of switches as they do to the security of either their hosts or their systems. Since the continuous curve of features and price is still on the downward swing, many lower-end switches now have the ability to replicate traffic from one port to another. It is fairly trivial to watch what you are doing on all of your ports if you can get to this. You might even be able to use some of the debug features of your switch to help you to log the packets that you are replicating.

-----Original Message-----
From: owner-firewall-wizardsat_private [mailto:owner-firewall-wizardsat_private] On Behalf Of Bernhard Schneck
Sent: Wednesday, April 22, 1998 3:32 PM
To: Vinci Chou
Cc: firewall-wizardsat_private
Subject: Re: Q on external router

In message <Pine.SUN.3.95.980422171232.27846D-100000at_private> you write:
> After posting my question, I searched the archive at nfr.net and the
> argument by "Adam Shostack" against a switch in the DMZ was not that it
> cannot prevent sniffing but rather, it may not stand malicious attack.
> However, he did not quote any concrete evidence or example because these
> are relatively new.

Switches have finite storage for ARP entries (usually some power of 2, say 4096 or 8192). Flood them with enough (bogus) ARPs and most of them will start passing all packets. POOF.

\Bernhard.
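The fail-open behaviour Bernhard describes (a saturated address table makes the switch flood frames it would otherwise forward to one port) and the usual mitigation (a cap on addresses learned per port) can be modelled in a few lines. This is an added toy model written for this archive page, not code from the thread or from any switch vendor; the switch class, the port names, the capacity of 8 and the address values are all constructed for the demonstration.

```python
from collections import OrderedDict


class LearningSwitch:
    """Toy learning switch with a finite source-address table (constructed model).

    The table holds `capacity` entries; when full, the least recently seen entry
    is displaced (a stand-in for aging). A frame to a destination the table does
    not know is flooded to every other port. `max_per_port` models a
    port-security style cap on addresses learned per port (0 = no cap).
    """

    def __init__(self, ports, capacity, max_per_port=0):
        self.ports = list(ports)
        self.capacity = capacity
        self.max_per_port = max_per_port
        self.table = OrderedDict()  # mac -> port, least recently seen first
        self.violations = 0  # frames dropped by the per-port cap

    def _learn(self, mac, port):
        if mac in self.table:
            self.table.move_to_end(mac)
            return True
        learned_here = sum(1 for p in self.table.values() if p == port)
        if self.max_per_port and learned_here >= self.max_per_port:
            return False  # cap reached: refuse to learn another address on this port
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # table full: displace the oldest entry
        self.table[mac] = port
        return True

    def forward(self, src, dst, in_port):
        """Return the egress ports for a frame, or [] if the cap drops it."""
        if not self._learn(src, in_port):
            self.violations += 1
            return []
        out = self.table.get(dst)
        if out is None or out == in_port:
            return [p for p in self.ports if p != in_port]  # unknown dst: flood
        return [out]


def overflow_demo(max_per_port=0):
    """Constructed scenario: hosts on p1/p2 talk; churn of bogus sources arrives on p3.

    Returns (egress ports before the churn, egress ports after it, violation count).
    """
    sw = LearningSwitch(ports=["p1", "p2", "p3"], capacity=8, max_per_port=max_per_port)
    sw.forward("aa:01", "ff:ff:ff", "p1")  # p1 announces itself with a broadcast
    sw.forward("aa:02", "aa:01", "p2")  # p2 replies; both hosts are now learned
    before = sw.forward("aa:01", "aa:02", "p1")  # known destination: unicast to p2
    for i in range(100):  # constructed: 100 distinct bogus source addresses on p3
        sw.forward("bb:%02x" % i, "ff:ff:ff", "p3")
    after = sw.forward("aa:01", "aa:02", "p1")  # same frame once the table is saturated
    return before, after, sw.violations
```

Without a cap the p1-to-p2 unicast is flooded to p3 after the churn; with a cap of two addresses per port the legitimate entries survive and the excess frames are counted as violations, which is the event to alert on.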
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:43 PDT