Firewall Wizards mailing list archives

Re: What's the deal with SSH? (was: PIX software release 5.2)


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Sun, 1 Oct 2000 11:40:54 -0400

On Tue, Sep 26, 2000 at 01:54:55PM -0400, John Adams wrote:
> On Mon, 25 Sep 2000 sean.kelly () lanston com wrote:
>
>> As other people have noted, don't mistake switching for some sort of network
>> security panacea.  And you should certainly be concerned if you're using
>> telnet to connect to locations you'd prefer be kept off-limits.  All it
>> takes to grab a username/password is have a box in a position to pick up
>> traffic with its ethernet card set in promiscuous mode.
>
> Although I'm not putting 100% faith in the security of switched networks,
> if my switch has not been compromised, and no SPAN ports are available,
> how is it possible to pull packets off the network? I can think of some
> ways to do it by forging ISL or trunk protocols, but nothing that can be
> easily accomplished by an attacker from the outside in.

        It's called arp cache poisoning.  You just convince the target
boxes that you are the other MAC access for those IP addresses.  You
can then forward the packets after sniffing.  This can be done with
gratuitous arp reply packets targeted specifically at the chump^H^H^H^H^H
victim systems.

        Reliable?       No.     Doesn't have to be.
        Easy?           No.     Doesn't have to be.
        Available?      Yes...  Unfortunately.

        Time and probability and you'll snag something.

> This is more of a "how can it be compromised" question than a "I'm going
> to do this tomorrow" configuration issue.
>
> -j
>
>
> --
> J. Adams                                      http://www.retina.net/~jna
> You are supposed to be a consumer, a black hole for goods, advertising and
> content. They only want to allocate enough upstream bandwidth for
> 10,000,000 buy buttons. Producing or sharing information is a subversive
> act and will not be tolerated. -anonymous coward on /.

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
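
A defender-side view of the ARP replies described in the message above, added here as an example (not part of the original post or the list archive): a passive monitor that flags ARP replies nobody asked for and IP-to-MAC binding changes. The names `parse_arp`, `ArpWatch`, `build` and `run`, and all addresses, are hypothetical; the sample packets are constructed, not captured.

```python
import struct

def parse_arp(body: bytes):
    """Parse a 28-byte Ethernet/IPv4 ARP body; return None for anything else."""
    if len(body) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
    return oper, sha.hex(":"), ".".join(map(str, spa)), ".".join(map(str, tpa))

class ArpWatch:
    """Hypothetical passive monitor tracking IP->MAC claims seen on the wire."""
    def __init__(self):
        self.binding = {}     # sender IP -> last MAC that claimed it
        self.pending = set()  # (asker IP, asked IP) for requests not yet answered

    def observe(self, body: bytes):
        pkt = parse_arp(body)
        if pkt is None:
            return []
        oper, mac, spa, tpa = pkt
        alerts = []
        if oper == 1:                       # request: remember who asked for what
            self.pending.add((spa, tpa))
        elif oper == 2:                     # reply: did the target ask for it?
            if (tpa, spa) not in self.pending:
                alerts.append(f"unsolicited reply to {tpa}: {spa} is-at {mac}")
            self.pending.discard((tpa, spa))
        old = self.binding.get(spa)
        if old is not None and old != mac:  # also fires on DHCP reuse or failover
            alerts.append(f"binding change: {spa} {old} -> {mac}")
        self.binding[spa] = mac
        return alerts

def build(oper, sha, spa, tha, tpa):
    """Constructed sample ARP body for the demo (not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

HOST, GW, OTHER = "aa:aa:aa:00:00:05", "00:11:22:33:44:01", "de:ad:be:ef:00:66"
SAMPLES = [  # constructed: host asks for gateway, gateway answers, second unrequested claim
    build(1, HOST, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    build(2, GW, "10.0.0.1", HOST, "10.0.0.5"),
    build(2, OTHER, "10.0.0.1", HOST, "10.0.0.5"),
]

def run(samples=SAMPLES):
    watch = ArpWatch()
    return [watch.observe(s) for s in samples]
```

Both signals also occur in normal operation (address reassignment, failover pairs), so they are triage leads to correlate with switch port and DHCP records rather than verdicts.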

