From owner-freebsd-security Fri Aug 20 13:15:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from tasam.com (tasam.com [206.161.83.22]) by hub.freebsd.org (Postfix) with ESMTP id BBF6D14C12 for ; Fri, 20 Aug 1999 13:15:20 -0700 (PDT) (envelope-from freebsd.list@bug.tasam.com)
Received: from bug ([198.82.107.38]) by tasam.com (8.9.3/8.9.3) with SMTP id QAA79876; Fri, 20 Aug 1999 16:14:42 -0400 (EDT) (envelope-from freebsd.list@bug.tasam.com)
Message-ID: <000b01beeb48$84609f50$0286860a@tasam.com>
From: "Joe Gleason"
To: "Joel Maslak" ,
References:
Subject: Re: Switches & Security
Date: Fri, 20 Aug 1999 16:13:02 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

One solution for method 1 is to use static ARP assignments in the router, and in both boxes.

> To compromise a network consisting of a switched backbone...
>
> Let's say there are two machines, A and B. Let's say there is a router, R.
>
> So:
>
> Internet ---- R ----+
>                     |
>      A -- SWITCH -- B
>
> Let's say B got compromised.
>
> What B has to do is send ARP broadcasts out, claiming that it is actually
> R. Now, it knows R's REAL ethernet address.
>
> If R is busy and doesn't notice this (can be done a lot of ways), A may
> change its ARP table. If R notices, it may log this problem, or even
> stop working.
>
> Thus, to send packets to the Internet, A ends up sending them to B's
> ethernet address (B thinks that is the ethernet address of R). B resends
> them (after logging them) to R's real ethernet address.
>
> --- That was method 1. ---
>
> There are MANY ways to invalidate the ARP cache of a switch. Some
> crash the switch.
>
> VLANs do *NOT* always protect you, either! VLANs, technically, are just
> broadcast domain separations and nothing more. Some switches prevent any
> packet from crossing VLAN boundaries. A lot of others, though, just
> prevent broadcast packets from crossing those boundaries. Thus, two
> machines can communicate through the VLAN boundary if they know each
> other's ethernet address.
>
> Sending out forged packets with the source ethernet address of another
> VLAN is a sure way to confuse most switches, BTW.
>
>
> Joel Maslak
> UPDATE Systems Inc.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
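The mitigation in the reply (static ARP entries for R on the router and both hosts) also gives a defender something to check observed ARP traffic against. The following is an added example, not code from this thread or from FreeBSD: it compares a constructed stream of ARP replies against a static table and flags the "method 1" pattern, where a second MAC claims R's IP. All addresses are hypothetical.

```python
# Added example: detect ARP replies that contradict a static ARP table
# (the mitigation suggested in the reply). Input is a constructed list of
# observed ARP replies; nothing is captured from a real interface.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # MAC address it claims for that IP
    src_mac: str     # Ethernet source address of the frame itself


# Constructed static bindings, as `arp -S` would pin them on each host.
STATIC_ARP = {
    "10.0.0.1": "00:00:0c:aa:bb:01",  # router R (hypothetical address)
}


def check_replies(replies, static=STATIC_ARP):
    """Return (ip, reason, claimed_mac, frame_src_mac) for every reply that
    conflicts with the static table or flips a binding learned earlier."""
    learned = {}
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        if r.sender_ip in static:
            # Pinned entry: any other MAC claiming this IP is the attack in method 1.
            if mac != static[r.sender_ip].lower():
                alerts.append((r.sender_ip, "static-mismatch", mac, r.src_mac))
            continue
        # Unpinned entry: remember the first binding and flag later changes.
        seen = learned.setdefault(r.sender_ip, mac)
        if seen != mac:
            alerts.append((r.sender_ip, "binding-changed", mac, r.src_mac))
            learned[r.sender_ip] = mac
    return alerts


# Constructed sample: B (…:b0) claims R's IP, as described in method 1.
SAMPLE = [
    ArpReply("10.0.0.1", "00:00:0c:aa:bb:01", "00:00:0c:aa:bb:01"),  # genuine R
    ArpReply("10.0.0.20", "00:50:56:00:00:b0", "00:50:56:00:00:b0"),  # B itself
    ArpReply("10.0.0.1", "00:50:56:00:00:b0", "00:50:56:00:00:b0"),   # B posing as R
    ArpReply("10.0.0.10", "00:50:56:00:00:a0", "00:50:56:00:00:a0"),  # A
]

if __name__ == "__main__":
    for alert in check_replies(SAMPLE):
        print("ALERT", alert)
```

Only the third reply is reported, with reason `static-mismatch`; a host without a static entry for R would instead see it only as a `binding-changed` event, which is why the reply recommends pinning the router on both boxes.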