Check out this link. Is this kinda what you folks are talking about here?
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO54671,00.html
Chuck
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Priscilla Oppenheimer
Sent: Tuesday, May 08, 2001 11:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
What is Ethernet emulation? It's definitely true that Ethernet is being
used across long distances, if that's what you mean. With single mode
fiber-optic cabling, Ethernet can span miles. Physical access is a
different story in this case, of course. The cables may actually be in
public places. They would be overhead on poles or underground, I guess,
though, wouldn't they?
I think it would still be very difficult to wreak havoc. Physical access
would be difficult, and even if you had it, network-layer hacking would be
hard to achieve. Wishful thinking? :-]
Thanks
Priscilla
At 02:27 PM 5/9/01, Kevin Wigle wrote:
>However, Ethernet emulation is becoming quite popular and very price
>competitive.
>
>I have clients who have HSRP running on what would normally be called "WAN"
>ports but they are ethernet. The HSRP virtual address is visible to the
>world and therefore it is vunerable.
>
>I agree that traditionally HSRP has been used on the inside interfaces so
>therefore your vunerability is from the inside where you should have
>personnel/physical security in place.
>
>IPSec is cool but involves more cost to deploy an IPSec capable IOS/router
>if you're not already using IPSec. Perhaps this is just another reason to
>do so.
>
>Someone also commented on the overhead of IPSec encrypting/decrypting HSRP
>hellos every 3 seconds. Perhaps adjusting the HSRP timers would alleviate
>this.
>
>But times they are a changing. The lines between LAN and WAN are blurring.
>It seems Brian's solution for an access-list will be a stop gap measure for
>now.
>
>Kevin Wigle
>
>----- Original Message -----
>From: Priscilla Oppenheimer
>To:
>Sent: Tuesday, May 08, 2001 1:38 PM
>Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
>
> > The HSRP "exploits" aren't anything new. If you have physical access to
>the
> > target LAN, the ability to sniff packets, and the ability to send
packets,
> > of course you can wreak havoc. Not only could you send bad HSRP packets
>but
> > you could respond to ARPs, send bad routing protocol packets, etc. etc.
> > etc. The only real solutions are physical security and hiring people you
> > trust!?
> >
> > Also, instead of using HSRP you could use the Virtual Router Redundancy
> > Protocol (VRRP) defined in RFC 2338. VRRP is the standards-track
> > replacement for HSRP.
> > The Security Considerations section explains authentication options,
> > including using IPSec.
> >
> > Priscilla
> >
> > At 11:20 PM 5/7/01, Andy Low wrote:
> > >Hi TAC,
> > >
> > >Anyone know of any solutions to the HSRP exploits?
> > >
> > >http://www.securityfocus.com/bid/2684
> > >
> > >-andy-
> > >FAQ, list archives, and subscription info:
> > >http://www.groupstudy.com/list/cisco.html
> > >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
> >
> > ________________________
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com
> > FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
________________________
Priscilla Oppenheimer
http://www.priscilla.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3950&t=3534
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
