What is Ethernet emulation? It's definitely true that Ethernet is being 
used across long distances, if that's what you mean. With single mode 
fiber-optic cabling, Ethernet can span miles. Physical access is a 
different story in this case, of course. The cables may actually be in 
public places. They would be overhead on poles or underground, I guess, 
though, wouldn't they?

I think it would still be very difficult to wreak havoc. Physical access 
would be difficult, and even if you had it, network-layer hacking would be 
hard to achieve. Wishful thinking? :-]

Thanks

Priscilla

At 02:27 PM 5/9/01, Kevin Wigle wrote:
>However, Ethernet emulation is becoming quite popular and very price
>competitive.
>
>I have clients who have HSRP running on what would normally be called "WAN"
>ports but they are ethernet.  The HSRP virtual address is visible to the
>world and therefore it is vulnerable.
>
>I agree that traditionally HSRP has been used on the inside interfaces so
>therefore your vulnerability is from the inside where you should have
>personnel/physical security in place.
>
>IPSec is cool but involves more cost to deploy an IPSec capable IOS/router
>if you're not already using IPSec.  Perhaps this is just another reason to
>do so.
>
>Someone also commented on the overhead of IPSec encrypting/decrypting HSRP
>hellos every 3 seconds.  Perhaps adjusting the HSRP timers would alleviate
>this.
>
>But times they are a changing.  The lines between LAN and WAN are blurring.
>It seems Brian's solution for an access-list will be a stop gap measure for
>now.
>
>Kevin Wigle
>
>----- Original Message -----
>From: Priscilla Oppenheimer 
>To: 
>Sent: Tuesday, May 08, 2001 1:38 PM
>Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
>
> > The HSRP "exploits" aren't anything new. If you have physical access to
> > the target LAN, the ability to sniff packets, and the ability to send
> > packets, of course you can wreak havoc. Not only could you send bad HSRP
> > packets but you could respond to ARPs, send bad routing protocol packets,
> > etc. etc. etc. The only real solutions are physical security and hiring
> > people you trust!?
> >
> > Also, instead of using HSRP you could use the Virtual Router Redundancy
> > Protocol (VRRP) defined in RFC 2338. VRRP is the standards-track
> > replacement for HSRP.
> > The Security Considerations section explains authentication options,
> > including using IPSec.
> >
> > Priscilla
> >
> > At 11:20 PM 5/7/01, Andy Low wrote:
> > >Hi TAC,
> > >
> > >Anyone know of any solutions to the HSRP exploits?
> > >
> > >http://www.securityfocus.com/bid/2684
> > >
> > >-andy-
> > >FAQ, list archives, and subscription info:
> > >http://www.groupstudy.com/list/cisco.html
> > >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
> >
> > ________________________
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com


________________________

Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3660&t=3534
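Added example, not from this thread or any of its posters: a small Python audit of HSRP version 1 datagrams (the 20-byte layout from RFC 2281, carried in UDP port 1985) as one might run over traffic captured on a segment like the WAN-facing Ethernet Kevin describes. It flags hellos from hosts that are not the configured routers, priorities above the configured ceiling, and the factory-default authentication string. The router addresses, the priority ceiling and the three sample datagrams are constructed for the illustration.

```python
import struct

# HSRP version 1 payload (RFC 2281): 20 bytes carried in UDP/1985 to 224.0.0.2.
HSRP_FMT = "!BBBBBBBB8s4s"
FIELDS = ("version", "opcode", "state", "hellotime", "holdtime",
          "priority", "group", "reserved", "auth", "vip")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
DEFAULT_AUTH = b"cisco\x00\x00\x00"   # factory default string; not real authentication

def parse_hsrp(payload: bytes) -> dict:
    """Decode one HSRP v1 payload into named fields; rejects short or non-v1 data."""
    if len(payload) < 20:
        raise ValueError("HSRP payload shorter than 20 bytes")
    p = dict(zip(FIELDS, struct.unpack(HSRP_FMT, payload[:20])))
    if p["version"] != 0:
        raise ValueError(f"unsupported HSRP version {p['version']}")
    p["vip"] = ".".join(str(b) for b in p["vip"])
    return p

def audit(src_ip: str, payload: bytes, routers: set, max_priority: int) -> list:
    """Findings for one datagram: things that should not appear on a healthy segment."""
    p = parse_hsrp(payload)
    kind = OPCODES.get(p["opcode"], f"opcode {p['opcode']}")
    findings = []
    if src_ip not in routers:
        findings.append(f"{kind} for group {p['group']} from unexpected source {src_ip}")
    if p["priority"] > max_priority:
        findings.append(f"priority {p['priority']} above configured maximum {max_priority}")
    if p["auth"] == DEFAULT_AUTH:
        findings.append("default authentication string in use")
    return findings

# Constructed sample traffic (not a real capture): the two routers of group 1, plus a
# host that is not a router yet announces priority 255 for the same virtual IP.
LEGIT_ROUTERS = {"192.168.1.2", "192.168.1.3"}
SAMPLES = [
    ("192.168.1.2", b"\x00\x00\x10\x03\x0a\x64\x01\x00s3cret\x00\x00\xc0\xa8\x01\xfe"),
    ("192.168.1.3", b"\x00\x00\x08\x03\x0a\x5a\x01\x00s3cret\x00\x00\xc0\xa8\x01\xfe"),
    ("192.168.1.77", b"\x00\x00\x10\x03\x0a\xff\x01\x00cisco\x00\x00\x00\xc0\xa8\x01\xfe"),
]

def audit_segment(samples=SAMPLES, routers=LEGIT_ROUTERS, max_priority=110) -> dict:
    """Map each source that produced findings to its findings; clean sources are omitted."""
    report = {src: audit(src, pl, routers, max_priority) for src, pl in samples}
    return {src: f for src, f in report.items() if f}

if __name__ == "__main__":
    for src, f in audit_segment().items():
        print(f"{src}: " + "; ".join(f))
```

The same check is a cheap complement to the access-list stop gap mentioned in the thread: the ACL blocks what it can, and the audit tells you whether anything on the segment is still speaking HSRP that should not be.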