Penetration Testing mailing list archives

Re: [PEN-TEST] Datacenter Wiring


From: Aj Effin ReznoR <aj () REZNOR COM>
Date: Fri, 20 Oct 2000 11:55:21 -0700


If you start with the assumption that physical access is
secure, you can suggest evaluating the vmps feature of
Cisco's IOS.  Simply, vmps manages a database of mac addresses
and can shut down a switch port if an unrecognized device
is connected.  A switched network with vmps implemented
reduces the risk of sniffing and network connectivity
if an intruder gains physical access.

-dan

The simple way around this is to disable the TX wirepair in the input to the
snooping machine (all these phantom taps need to go *somewhere*).  As was
pointed out, some NICs require a link signal to function properly, or
entirely.  I was unaware that Marcus Ranum had allegedly suggested using a
diode in one of the wires instead of snipping, as this may not work in all
scenarios, and also violates his anti-full disclosure concept by proposing
such a criminal concept to the masses ;)  Of course, if one were hellbent on
getting a sniffing machine inside a datacenter (serious corporate espionage
may well budget for renting rack/cage space in a datacenter), a small amount
of time spent evaluating NICs would be a minor investment to the "success" of
a crim's "project".

That said, if a machine is to be used in a situation wherein the wiring can't
be modified (the endjack can't be replaced with TX wires disabled because the
inhouse wiring is exposed and can't be modified, etc) it's not hard at all
with a quality Weller soldering station (retail under US$120) to either
disable the TX pins internal to the card, or if need be, remove the pins
then use a diode to bridge the TX points onboard the NIC itself.

Cisco's solution does the best it can, but it can't do everything, and relying
on it for a 'comfort zone' is a false sense of, well, you know.....

-aj.

