Date: Fri, 20 Aug 1999 14:06:02 -0600 (MDT)
From: Joel Maslak
To: freebsd-security@freebsd.org
Subject: Switches & Security

To compromise a network consisting of a switched backbone...

Let's say there are two machines, A and B. Let's say there is a router, R.

So:

Internet ---- R ----+
                    |
          A -- SWITCH -- B

Let's say B got compromised. What B has to do is send ARP broadcasts out,
claiming that it is actually R. Now, it knows R's REAL ethernet address.
If R is busy and doesn't notice this (can be done a lot of ways), A may
change its ARP table. If R notices, it may log this problem, or even stop
working.

Thus, to send packets to the Internet, A ends up sending them to B's
ethernet address (B thinks that is the ethernet address of R). B resends
them (after logging them) to R's real ethernet address.

--- That was method 1. ---

There are MANY ways to invalidate the ARP cache of a switch. Some crash
the switch.

VLANs do *NOT* always protect you, either! VLANs, technically, are just
broadcast domain separations and nothing more. Some switches prevent any
packet from crossing VLAN boundaries. A lot of others, though, just
prevent broadcast packets from crossing those boundaries. Thus, two
machines can communicate through the VLAN boundary if they know each
other's ethernet address.

Sending out forged packets with the source ethernet address of another
VLAN is a sure way to confuse most switches, BTW.

Joel Maslak
UPDATE Systems Inc.
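Added example, not part of the original post: a small arpwatch-style monitor for the scenario above, which decodes Ethernet+ARP frames, pins the router R's IP to its known-good MAC, and raises an alert when another station claims R's IP or when the ARP sender address disagrees with the frame's ethernet source (the "forged source ethernet address" trick). All addresses and frames here are constructed in memory for the demo; nothing is captured or sent.

```python
import struct
from collections import namedtuple

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ArpEvent = namedtuple("ArpEvent", "eth_src sender_mac sender_ip target_ip op")

def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet II + ARP frame; return an ArpEvent, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpEvent(fmt_mac(src), fmt_mac(sha), fmt_ip(spa), fmt_ip(tpa), op)

class ArpWatcher:
    """Keep known-good IP->MAC bindings (seeded with R's real address) and flag anything that contradicts them."""
    def __init__(self, known_good):
        self.bindings = dict(known_good)   # never overwritten by a conflicting claim
        self.alerts = []

    def observe(self, frame):
        ev = parse_arp(frame)
        if ev is None:
            return None
        if ev.sender_mac != ev.eth_src:    # ARP payload and ethernet header disagree about who sent this
            self.alerts.append(f"ARP sha {ev.sender_mac} != ethernet src {ev.eth_src} for {ev.sender_ip}")
        known = self.bindings.get(ev.sender_ip)
        if known is None:
            self.bindings[ev.sender_ip] = ev.sender_mac   # first sighting: learn it
        elif known != ev.sender_mac:                      # someone else claims a pinned IP
            self.alerts.append(f"{ev.sender_ip} changed from {known} to {ev.sender_mac}")
        return ev

def make_frame(eth_src, sha, spa, tpa, op=2):
    """Constructed sample ARP reply (broadcast dst) for exercising the watcher offline."""
    return ETH_HDR.pack(b"\xff" * 6, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, b"\0" * 6, tpa)

R_MAC, B_MAC = bytes.fromhex("00aa00bb00cc"), bytes.fromhex("00dd00ee00ff")   # constructed addresses
R_IP, A_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 10])

def run_demo():
    """Legitimate reply from R, then B claiming R's IP, then B forging R's MAC in the ARP payload only."""
    w = ArpWatcher({"192.168.1.1": "00:aa:00:bb:00:cc"})
    for frame in (make_frame(R_MAC, R_MAC, R_IP, A_IP), make_frame(B_MAC, B_MAC, R_IP, A_IP), make_frame(B_MAC, R_MAC, R_IP, A_IP)):
        w.observe(frame)
    return w.alerts
```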