Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: What's the deal with SSH? (was: PIX software release 5.2)

From: "Barry Dykes" <barry () onesec net>
Date: Mon, 2 Oct 2000 15:24:39 -0500
        To be more specific, an Ethernet switch learns it's forwarding tree based on
the source MAC address of incoming packets.  A switch will also use the last
learned location of a MAC address.  In other words, if you know the MAC of the
machine that you wish to receive traffic for, you just send an Ethernet frame
anywhere with that same MAC address as the source address.  The switch will then
forward all traffic destined to that MAC out to the new port (you).
        Also, according to the RFC (826 I think), all hosts must update their ARP
caches with the last known ARP update.  This means that simply sending an ARP
packet out with the same IP address and different MAC should make the router
(layer 3) device then send traffic to the new MAC address as well as all other
hosts who heard the ARP broadcast!  Some boxes don't conform to the RFC - but
they are supposed to.
        So, there are two simple methods to get traffic in an Ethernet environment at
the least.  Never trust a protocol that was based broadcast discovery ;-)

Barry


-----Original Message-----
From: firewall-wizards-admin () nfr net
[mailto:firewall-wizards-admin () nfr net]On Behalf Of Michael H. Warfield
Sent: Sunday, October 01, 2000 10:41 AM
To: John Adams
Cc: sean.kelly () lanston com; shewitt () cdw com; firewall-wizards () nfr net
Subject: Re: [fw-wiz] What's the deal with SSH? (was: PIX software
release 5.2)


On Tue, Sep 26, 2000 at 01:54:55PM -0400, John Adams wrote:

On Mon, 25 Sep 2000 sean.kelly () lanston com wrote:



As other people have noted, don't mistake switching for some sort

of network

security panacea.  And you should certainly be concerned if you're using
telnet to connect to locations you'd prefer be kept off-limits.  All it
takes to grab a username/password is have a box in a position to pick up
traffic with its ethernet card set in promiscuous mode.



Although I'm not putting 100% faith in the security of switched networks,
if my switch has not been compromised, and no SPAN ports are available,
how is it possible to pull packets off the network? I can think of some
ways to do it by forging ISL or trunk protocols, but nothing that can be
easily accomplished by an attacker from the outside in.


      It's called arp cache poisoning.  You just convince the target
boxes that you are the other MAC access for those IP addresses.  You
can then forward the packets after sniffing.  This can be done with
gratuatous arp reply packets targeted specifically at the chump^H^H^H^H^H
victim systems.

      Reliable?       No.     Doesn't have to be.
      Easy?           No.     Doesn't have to be.
      Available?      Yes...  Unfortunately.

      Time and probability any you'll snag something.


This is more of a "how can it be compromised" question than a "I'm going
to do this tomorrow" configuration issue.



-j




--
J. Adams                                    http://www.retina.net/~jna
You are supposed to be a consumer, a black hole for goods, advertising and
content. They only want to allocate enough upstream bandwidth for
10,000,000 buy buttons. Producing or sharing information is a subversive
act and will not be tolerated. -anonymous coward on /.


      Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

---------------------------------------------------------------------
To unsubscribe, e-mail: firewall-wizards-unsubscribe () onesec net
For additional commands, e-mail: firewall-wizards-help () onesec net





_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: