Re: Cain and Abel

["J. Oquendo" <sil () infiltrated net>]

On Thu, 3 Feb 2005, Paul Melson wrote:

> A more manageable defense against ARP poisoning attacks is to configure your
> switches to prevent against MAC address spoofing.  Cisco switches, for
> example, can statically map the MAC address of the interface connected to a
> given port (good for servers), as well as limit the number of MAC addresses
> that can appear on a given port (good for workstations, conference rooms,
> hotel rooms, etc.).

802.1q and Cisco PVLAN's will suffice by segmentation to minimize the
effects of programs like Cain and Abel. However, most people forget that
at the core level any product be it a switch (layer 2 or 3) or router will
still have to listen for broadcasts in order to get MAC information to
delegate traffic. If someone just wanted to sit there and DoS your ARP
tables to oblivion it wouldn't be hard. VLAN tagging has its insecurities
as well. You could likely just roast someone's connection if you're on
their segment as well via spoofing however you're limited to that segment.

http://infiltrated.net/cisco/pvlans.html
http://infiltrated.net/cisco/vlan-insecurities.html
http://infiltrated.net/cisco/vlan-tagging-101.html
http://infiltrated.net/cisco/vla-tagging.pdf

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x0D99C05C
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C

sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html