Firewall Wizards mailing list archives
RE: What's the deal with SSH? (was: PIX software release 5.2)
From: Bill_Royds () pch gc ca
Date: Sun, 1 Oct 2000 10:28:27 -0400
The trick is something called "gratuitous ARP". Basically, if one can get access to the IP layer of a segment, one can broadcast an ARP with the IP of victim but my MAC address and pull in the traffic. Many TCP/IP stacks will update their ARP cache if they get an ARP broadcast with a new MAC address tied to the same IP address. It is not guaranteed to work but can sure cause problems with a Telnet session.

John Adams <jna () retina net> on 09/26/2000 13:54:55
To: sean.kelly () lanston com
cc: shewitt () cdw com, firewall-wizards () nfr net (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: RE: [fw-wiz] What's the deal with SSH? (was: PIX software release 5.2)

On Mon, 25 Sep 2000 sean.kelly () lanston com wrote:
As other people have noted, don't mistake switching for some sort of network security panacea. And you should certainly be concerned if you're using telnet to connect to locations you'd prefer be kept off-limits. All it takes to grab a username/password is have a box in a position to pick up traffic with its ethernet card set in promiscuous mode.
Although I'm not putting 100% faith in the security of switched networks, if my switch has not been compromised, and no SPAN ports are available, how is it possible to pull packets off the network? I can think of some ways to do it by forging ISL or trunk protocols, but nothing that can be easily accomplished by an attacker from the outside in. This is more of a "how can it be compromised" question than an "I'm going to do this tomorrow" configuration issue.

-j

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
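
The ARP cache update described in the reply above can be watched for from any host on the segment. The following is an added example, not part of the original message: a small monitor that decodes ARP payloads, remembers the first MAC address seen for each IP, and reports any later frame that ties the same IP to a different MAC. The names (parse_arp, ArpWatcher, build_arp) and all addresses are assumptions made for illustration; the sample frames are constructed.

```python
import socket
import struct

# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload; None for anything else."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    # Gratuitous ARP: the sender announces its own IP (sender IP == target IP).
    return {"mac": sha.hex(":"), "ip": socket.inet_ntoa(spa), "gratuitous": spa == tpa}

class ArpWatcher:
    """Remembers the first MAC seen for each IP and reports later changes."""
    def __init__(self):
        self.bindings = {}

    def observe(self, payload):
        arp = parse_arp(payload)
        if arp is None or arp["ip"] == "0.0.0.0":  # not ARP, or an address probe
            return None
        known = self.bindings.setdefault(arp["ip"], arp["mac"])
        if known == arp["mac"]:
            return None
        # The first binding is kept, so repeated conflicting frames keep alerting.
        return {"ip": arp["ip"], "old_mac": known, "new_mac": arp["mac"],
                "gratuitous": arp["gratuitous"]}

def build_arp(oper, sha, spa, tpa):
    """Constructed sample input: pack an ARP payload from readable addresses."""
    mac = bytes.fromhex(sha.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac,
                       socket.inet_aton(spa), bytes(6), socket.inet_aton(tpa))

def demo():
    watcher = ArpWatcher()
    frames = [  # constructed traffic, documentation addresses (192.0.2.0/24)
        build_arp(1, "00:11:22:33:44:55", "192.0.2.10", "192.0.2.1"),  # host asks for gateway
        build_arp(2, "00:aa:bb:cc:dd:01", "192.0.2.1", "192.0.2.10"),  # gateway answers
        build_arp(1, "02:de:ad:be:ef:02", "192.0.2.1", "192.0.2.1"),   # gratuitous, new MAC
    ]
    return [alert for alert in map(watcher.observe, frames) if alert]

if __name__ == "__main__":
    print(demo())
```

A changed binding is not always hostile: a replaced network card or a failover pair moving an address produces the same alert, so the output is a prompt to check, not a verdict.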