Date: Thu, 18 Jan 2007 22:35:59 -0800 From: "Ted Mittelstaedt" <tedm@toybox.placo.com> To: "Andrew Pantyukhin" <infofarmer@freebsd.org> Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>, questions@freebsd.org Subject: Re: Transport Mode IPSEC Message-ID: <00f901c73b94$15ef9590$3c01a8c0@coolf89ea26645> References: <20070118022306.Q26349@prime.gushi.org><005701c73ad3$1e433560$3c01a8c0@coolf89ea26645><cb5206420701180025t33de5399q11a8b96f6322a964@mail.gmail.com><00c601c73ae4$85eec240$3c01a8c0@coolf89ea26645> <cb5206420701180207x27ebea97s1259a8b321ec17eb@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message ----- From: "Andrew Pantyukhin" <infofarmer@freebsd.org> To: "Ted Mittelstaedt" <tedm@toybox.placo.com> Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>; <questions@freebsd.org> Sent: Thursday, January 18, 2007 2:07 AM Subject: Re: Transport Mode IPSEC > On 1/18/07, Ted Mittelstaedt <tedm@toybox.placo.com> wrote: > > > > ----- Original Message ----- > > From: "Andrew Pantyukhin" <infofarmer@freebsd.org> > > To: "Ted Mittelstaedt" <tedm@toybox.placo.com> > > Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>; > > <questions@freebsd.org> > > Sent: Thursday, January 18, 2007 12:25 AM > > Subject: Re: Transport Mode IPSEC > > > > > > > On 1/18/07, Ted Mittelstaedt <tedm@toybox.placo.com> wrote: > > > > Dan, > > > > > > > > You do realize, don't you, that since both of these hosts are on a > > switch, > > > > and are using unicast traffic to communicate with each other, that they > > > > cannot be sniffed, don't you? > > > > > > > > You might read up on ethernet switching technology a bit before > > > > answering that. > > > > > > I'm sorry to be the one to make this remark but it's > > > you who needs to read a bit to learn (a) how to sniff > > > traffic off most Ethernet switches from D-Link to > > > Cisco; (b) what other security risks unprotected NFSv3 > > > shares pose. > > > > Yeah, sure I've heard that one before. > > > > Why don't you go ahead and elaborate one of your favorite > > theoretical attacks out of one of those books that "proves" > > that an attacker can "sniff most switches" so I can have the > > fun of knocking it down by real-world hardware implementations > > that you can actually buy and use right now. > > > > Don't be a fool. Ethernet switch manufacturers aren't stupid and > > have read the same stuff your citing. They combat them 2 ways. > > The first is used on the expensive switches and it's called filtering > > and allows switch manufacturer salespeople to have something to > > dog and pony. The second is used on the cheapo switches and > > it's called using a wussy CPU on the switch so that the second > > you try attacking the switch with one of your fancy attacks to > > sniff it, the switch just rolls over and dies, passing so few packets > > that every connection through it looses tremendous numbers of > > packets, and hell breaks loose as all users start screaming. > > > > been there, done that. Those work just dandy in the lab and > > in your CCIE class with 3 hosts setup for the purpose of > > demonstrating the attacks. But try it on a production network some > > day and the side-effects will kill you. > > Okay, I'm sorry to have sounded a bit rough before > I even parsed your name :-) You don't need to throw > bits of your knowledge at unsuspecting bystanders, > too. ;) > OK, truce then. :-) > Most attacks I can imagine, I read/heard about or > seen in the worst of my nightmares - I wouldn't be > able to reproduce or describe in detail. Actually they sound a lot more interesting than they are in practice. There are two general ethernet attacks out there. The first is a MAC-based, you impersonate someone's MAC and IP address (preferably a machine that happens to be switched off at the moment) to get some sort of elevated privilege on a server somewhere, or you do it while the other machine is online, in order to take it offline, or do it to the gateway in order to disrupt internet access, (usually) Quite a lot of fun things can be done with MAC and IP spoofing, and there was a lot of this in early university campus dorm networks when they were first setup. Schools screamed about it and switch vendors responded with intelligent switches that blurred the distinction between layer 1, 2 and 3 and the rule of thumb nowadays is to deploy those in networks where you have potential attackers. The best switches can notify the admin when someone is pulling one of these stunts and the admin can program in advance port lockdowns and such, so that the wanna-be college freshman that thinks he's smart gets a visit from campus security when he pulls this kind of thing. The second are in the high-speed rate family. You send out a lot of itty-bitty packets at a high rate of speed. One trick is to vary the MAC address on each packet so you overflow the switch internal mac tables and cause the switch to basically become a big hub - when that happens you run your sniffer and try to steal passwords, etc. Once more, the aforementiond intelligent switches are the way to deal with this. Both of these attacks depend on the attacker being on the local LAN, or a machine he has compromised being on the local LAN. It is, of course, true that there's a lot of cheap switches on the market and there are corporations that deploy them. However your dealing with an environment here where if an attacker gains control of a machine on the inside, he can get far more useful data from inserting a keystroke logger into the compromised operating system than bothering with running LAN attacks. Or, the attacker can try a high speed password cracker. You would not believe how insecure most corporate networks are. As an example a few months ago a customer of ours had me run crack on an internal mailserver. Out of the approximately 250 users, 100 of them had their passwords guessed by crack within about 5 minutes, and 200 of them within 3 days. The customer raised hell internally as you might expect. 2 weeks later I ran crack again and only half of the users had changed to more secure passwords. > My friend > has a motto, which I happen to agree with: there's > a good enough attacker for any kind of security > measures, our job is to make his job as tough as > possible. > Most attackers out there are relatively benign, all they are looking for is resources. They want disk space for their pirated movies and music, or network and cpu resources to allow them to spam or attack other systems. The last thing they want is to damage their victim or cause trouble with it that would attract an administrators attention. I can count the ones I've ran acrosss that have damaged systems on the fingers of one hand, and most of those damaged systems by accident, not by intent. And the real truth is that there is such a plethora of unpatched or otherwise easy-to-compromise systems out there, that those good enough attackers don't bother wasting time when they run across a tight system, they just move on to the next one. Ted
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00f901c73b94$15ef9590$3c01a8c0>