Security Basics mailing list archives

Re: ARP Spoof Question


From: Martin Brecher <listuser () mb-itconsulting com>
Date: Fri, 25 Jul 2003 19:33:23 +0200

The Fueley wrote:

How would that apply to a layer 3 switch/router? Actually the packaging says
that I have a Residential Gateway/Router/Firewall. Aren't gateways layer 7
devices? While switches are layer 2 devices, they deal with MAC addresses
right? Maybe a "smart" switch knows which MAC addresses are allowed on the
network? Or am I missing it all here?

Most modern managed switches allow you to limit the number of MAC addresses the switch learns on each port. This way you can assign a specific NIC to a specific switch port, as well as disallow any unwanted traffic.

Cabletron (now Enterasys) had a nice technique known as SecureFastSwitching (which is nowadays partially resembled by the VLAN, Link Aggregation and STP standards), which made some decent VLANing possible.

For example:
VLAN #1 with all corporate-public servers and VLAN #2 with all the confidential servers.
When a new station gets deployed it gets added to VLAN #1 by the IT staff.
All unknown stations are completely kept off the network.
Only people with a higher clearance level (i.e. the managers who need access to the confidential finance server) get added to VLAN #2. Other ideas are to keep the switches' own network-accessible management ports in another VLAN only accessible by the IT staff. And another VLAN for the Quake servers, of course :-)

Greetings,
Martin
--
"History has shown us, that strength may be useless,
when faced with terrorism." -- Jean-Luc Picard
PGP/GPG key at http://www.stupid-design.com/martin/publickey.asc
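A switch configuration illustrating the per-port MAC limit and the VLAN layout Martin describes, added here as an example and not part of the original post. It uses Cisco IOS syntax as an assumption (the post names no vendor), and the VLAN numbers, interface names and management address are made up for the example.

```cisco
! VLAN layout from the post, with assumed numbers: 10 = corporate-public
! servers, 20 = confidential servers, 99 = switch management, 999 = parking.
vlan 10
 name PUBLIC-SERVERS
vlan 20
 name CONFIDENTIAL-SERVERS
vlan 99
 name SWITCH-MGMT
vlan 999
 name PARKING
!
! A deployed workstation: one learned MAC per port, the first address seen
! is stored in the config ("sticky"), and any further MAC err-disables the
! port instead of being switched.
interface FastEthernet0/1
 description workstation added to VLAN 10 by IT staff
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! A manager's port, the only kind placed in the confidential VLAN.
interface FastEthernet0/2
 description manager with clearance for VLAN 20
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Unknown stations: unassigned ports are shut down and parked in a VLAN
! that leads nowhere until IT staff assigns the port.
interface range FastEthernet0/3 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Management SVI lives in VLAN 99, where only IT staff ports go; VLAN 1 SVI off.
interface Vlan1
 shutdown
interface Vlan99
 description management, IT staff only
 ip address 192.0.2.10 255.255.255.0
!
! Check a port's state and learned address: show port-security interface Fa0/1
```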

