Firewall Wizards mailing list archives

Re: Q on external router


From: Eric Vyncke <evyncke () cisco com>
Date: Thu, 23 Apr 1998 09:19:18 +0200

At 21:31 22/04/98 +0200, Bernhard Schneck wrote:
In message <Pine.SUN.3.95.980422171232.27846D-100000 () is3 hk super net> you write:
After posting my question, I searched the archive at nfr.net, and the
argument by "Adam Shostack" against a switch in the DMZ was not that it
cannot prevent sniffing but rather that it may not withstand a malicious attack.
However, he did not quote any concrete evidence or example, because these
are relatively new.

Switches have finite storage for ARP entries (usually some power of
2, say 4096 or 8192).  Flood them with enough (bogus) ARPs and most
of them will start passing all packets.

Right, two additional comments:
- it is not ARP (ARP is for translating IP addresses into MAC addresses); it
  is a CAM table
- if you are using a static MAC-to-port table, then you can still flood the
  MAC table, but the static mappings will be kept anyway (defeating your
  attack)

Thus, in my opinion (but have a look at my email address to see
that I could be biased ;-) ), the switch can increase the DMZ security
if:
- it uses static mapping
- as you put part of your security in the switch configuration, you
  must obviously secure your switch config (OTP, ACL, management via
  console only, ...)

Just my 0,01 EUR

-eric


POOF.

\Bernhard.


Eric Vyncke      
Technical Consultant               Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke () cisco com          Mobile: +32-75-312.458
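As an added illustration of the point made in this thread (not code from any poster, and not a model of any particular vendor's switch): a toy Python model of a learning switch with a bounded CAM table. The table size, the FIFO eviction policy, the three-port topology and the MAC addresses are all assumptions chosen to make the effect visible. It shows that once an attacker pushes enough bogus source MACs through the switch, the legitimate dynamic entries are evicted and the next frame to a "forgotten" destination is flooded to every port, including the attacker's; with static MAC-to-port entries for the router and the web server, the same flood leaves those frames on their proper port.

```python
"""Toy model of a learning Ethernet switch with a finite CAM (MAC-to-port)
table, used to demonstrate CAM-table flooding and the static-entry defence.
Added example, not code from the original thread; sizes, policy and
addresses below are constructed assumptions."""
from collections import OrderedDict


class Switch:
    """Learning switch: the source MAC of each frame is learned on its
    ingress port; frames to an unknown destination are flooded out of every
    port except the one they arrived on (hub-like behaviour)."""

    def __init__(self, num_ports, cam_capacity):
        self.num_ports = num_ports
        self.cam_capacity = cam_capacity
        self.dynamic = OrderedDict()  # learned MAC -> port, oldest first
        self.static = {}              # configured MAC -> port, never evicted

    def add_static(self, mac, port):
        """Operator-configured mapping (the 'static MAC-to-port' case)."""
        self.static[mac] = port
        self.dynamic.pop(mac, None)

    def _learn(self, src_mac, in_port):
        if src_mac in self.static:
            return  # static entries are never overwritten by learning
        if src_mac in self.dynamic:
            self.dynamic.move_to_end(src_mac)
            self.dynamic[src_mac] = in_port
            return
        # Table full: evict the oldest dynamic entry. FIFO is an assumption;
        # real ASICs use aging timers and hashed buckets, but a flood of
        # fresh source MACs still pushes legitimate entries out.
        if len(self.dynamic) + len(self.static) >= self.cam_capacity:
            if not self.dynamic:
                return  # nothing evictable: the new address is not learned
            self.dynamic.popitem(last=False)
        self.dynamic[src_mac] = in_port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports for one frame."""
        self._learn(src_mac, in_port)
        out = self.static.get(dst_mac, self.dynamic.get(dst_mac))
        if out is None:
            return {p for p in range(self.num_ports) if p != in_port}
        return {out}


# Constructed topology: router on port 0, web server on port 1,
# attacker-controlled host on port 2.
ROUTER, ROUTER_PORT = "00:00:0c:aa:bb:cc", 0
WEB, WEB_PORT = "00:a0:c9:11:22:33", 1
ATTACKER_PORT = 2


def run_scenario(static_mappings, cam_capacity=64, bogus_frames=200):
    """Run a CAM-flooding attack and report whether the attacker's port
    receives a router->web frame it should never see."""
    sw = Switch(num_ports=3, cam_capacity=cam_capacity)
    if static_mappings:
        sw.add_static(ROUTER, ROUTER_PORT)
        sw.add_static(WEB, WEB_PORT)

    # Normal traffic first: the switch learns where router and web server are.
    sw.forward(ROUTER, WEB, ROUTER_PORT)
    sw.forward(WEB, ROUTER, WEB_PORT)

    # Attack: many frames with distinct bogus source MACs from the
    # attacker's port (constructed addresses, destination irrelevant).
    for i in range(bogus_frames):
        bogus = "de:ad:be:ef:%02x:%02x" % (i >> 8, i & 0xFF)
        sw.forward(bogus, "ff:ff:ff:ff:ff:ff", ATTACKER_PORT)

    # Victim traffic after the flood: does it leak to the attacker's port?
    egress = sw.forward(ROUTER, WEB, ROUTER_PORT)
    return ATTACKER_PORT in egress


if __name__ == "__main__":
    print("dynamic table only, attacker sees router->web:",
          run_scenario(static_mappings=False))
    print("static entries,      attacker sees router->web:",
          run_scenario(static_mappings=True))
```

Two things the model makes explicit that the thread only states: the attacker never needs to spoof the victims' addresses, only to exhaust the table with fresh ones; and the static entries help precisely because learning refuses to overwrite or evict them, which is also why the switch configuration itself becomes part of the security boundary.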


