Date: Thu, 18 Jan 2007 13:07:14 +0300
From: "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>, questions@freebsd.org
Subject: Re: Transport Mode IPSEC
Message-ID: <cb5206420701180207x27ebea97s1259a8b321ec17eb@mail.gmail.com>
In-Reply-To: <00c601c73ae4$85eec240$3c01a8c0@coolf89ea26645>
References: <20070118022306.Q26349@prime.gushi.org> <005701c73ad3$1e433560$3c01a8c0@coolf89ea26645> <cb5206420701180025t33de5399q11a8b96f6322a964@mail.gmail.com> <00c601c73ae4$85eec240$3c01a8c0@coolf89ea26645>
On 1/18/07, Ted Mittelstaedt <tedm@toybox.placo.com> wrote:
>
> ----- Original Message -----
> From: "Andrew Pantyukhin" <infofarmer@freebsd.org>
> To: "Ted Mittelstaedt" <tedm@toybox.placo.com>
> Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>; <questions@freebsd.org>
> Sent: Thursday, January 18, 2007 12:25 AM
> Subject: Re: Transport Mode IPSEC
>
> > On 1/18/07, Ted Mittelstaedt <tedm@toybox.placo.com> wrote:
> > > Dan,
> > >
> > > You do realize, don't you, that since both of these hosts are on a switch,
> > > and are using unicast traffic to communicate with each other, that they
> > > cannot be sniffed, don't you?
> > >
> > > You might read up on ethernet switching technology a bit before
> > > answering that.
> >
> > I'm sorry to be the one to make this remark but it's you who needs to
> > read a bit to learn (a) how to sniff traffic off most Ethernet switches
> > from D-Link to Cisco; (b) what other security risks unprotected NFSv3
> > shares pose.
>
> Yeah, sure I've heard that one before.
>
> Why don't you go ahead and elaborate one of your favorite theoretical
> attacks out of one of those books that "proves" that an attacker can
> "sniff most switches" so I can have the fun of knocking it down by
> real-world hardware implementations that you can actually buy and use
> right now.
>
> Don't be a fool. Ethernet switch manufacturers aren't stupid and have
> read the same stuff you're citing. They combat them 2 ways. The first
> is used on the expensive switches and it's called filtering and allows
> switch manufacturer salespeople to have something to dog and pony. The
> second is used on the cheapo switches and it's called using a wussy CPU
> on the switch so that the second you try attacking the switch with one
> of your fancy attacks to sniff it, the switch just rolls over and dies,
> passing so few packets that every connection through it loses
> tremendous numbers of packets, and hell breaks loose as all users start
> screaming.
>
> Been there, done that. Those work just dandy in the lab and in your
> CCIE class with 3 hosts set up for the purpose of demonstrating the
> attacks. But try it on a production network some day and the
> side-effects will kill you.

Okay, I'm sorry to have sounded a bit rough before I even parsed your name :-) You don't need to throw bits of your knowledge at unsuspecting bystanders, too. ;)

Most attacks I can imagine, have read/heard about, or have seen in the worst of my nightmares, I wouldn't be able to reproduce or describe in detail. My friend has a motto, which I happen to agree with: there's a good enough attacker for any kind of security measures; our job is to make his job as tough as possible.