Gary Flynn writes:

> A more secure way would be to replace the hub with a
> switch that supports VLANs and create two sub-interfaces
> on the router to feed the two VLANs. You'd have more
> isolation. However, even VLANs aren't commonly accepted
> as a security isolator. However, in my limited understanding,
> to compromise them you need access to the physical wire to
> inject packets.

As long as you can get access to one of the two hosts I
don't think that you'll need access to the wire.  Once
on one of these machines ( A or B ) you might try the
following:

1) If on A then inject packets with B's IP address, or an
   IP address on B's subnet.  You may be able to get the
   switch to add A's port to B's VLAN.  From there you
   may be able to ascertain B's MAC address via broadcast
   traffic.

2) If on A then forge frames with B's MAC address (which
   you may have obtained above).  You may be able to get
   the switch to think that packets for B should be sent
   to both A's port and B's port.

3) If on A then forge frames that look like they come
   from a switch belonging to B's VLAN.

4) If on A then forge frames to convince the switch that
   you're a bridge connected to B.  (Gotta love that layer
   2 routing.)

5) If on A then try overflowing the IP-MAC tables of the
   switch while also pumping out packets with B's
   IP address and A's MAC address.  You may succeed in
   convincing the switch that A is in fact B when it
   finally dumps the entry for B.

I'm quite certain that I've just begun to scratch the surface
of the kinds of misdirection that you can pull with a switch.
While it may be possible to lock down the ports to a given
VLAN (in theory) I'm reasonably certain that it would be simpler
to use a small router in place of the switch, and I'm sure that
it would be easier to get the correct behavior from the router.


- Jeff Younker - [EMAIL PROTECTED] - These are my opinions, not MDL's - 
-
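An added example, not part of Jeff's post and not from any switch vendor: a small Python monitor that reads periodic dumps of a switch's MAC address table and flags the symptoms the five items above would leave behind (one MAC learned on two ports, a port suddenly sourcing hundreds of MACs, a MAC learned in a VLAN its access port is not assigned to). The table layout, the port-to-VLAN map (PORT_VLAN), the port names and every MAC address are constructed for the example.

```python
"""Detection-side view of the switch-table abuses listed above:
poll the MAC address table and alert on the traces they leave."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class MacEntry:
    """One row of a MAC address table: VLAN, MAC, learned port."""
    vlan: int
    mac: str
    port: str


# Assumed access-port VLAN assignment (constructed for the example).
# None marks a trunk, on which any VLAN is legitimate.
PORT_VLAN = {"Fa0/1": 10, "Fa0/2": 20, "Fa0/24": None}

# Matches rows in a common "VLAN  MAC  TYPE  PORT" table layout.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Parse a dumped MAC table into MacEntry rows, skipping headers."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(MacEntry(int(m.group(1)), m.group(2).lower(), m.group(3)))
    return entries


# Constructed snapshots: Fa0/1 is host A, Fa0/2 is host B.
BASELINE = parse_mac_table("""
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.44aa    DYNAMIC     Fa0/1
  20    0011.2233.44bb    DYNAMIC     Fa0/2
""")
# B's MAC also shows up on A's port, in B's VLAN (items 2 and 3 above).
SPOOFED = BASELINE + [MacEntry(20, "0011.2233.44bb", "Fa0/1")]
# A's port suddenly sources hundreds of MACs (item 5 above).
FLOODED = BASELINE + [
    MacEntry(10, "0200.0000.%02x%02x" % divmod(i, 256), "Fa0/1") for i in range(300)
]


def find_mac_flaps(snapshot):
    """MACs learned on more than one port within a single snapshot."""
    ports_by_mac = defaultdict(set)
    for e in snapshot:
        ports_by_mac[e.mac].add(e.port)
    return {mac for mac, ports in ports_by_mac.items() if len(ports) > 1}


def find_flooded_ports(snapshot, threshold=50):
    """Ports holding more learned MACs than an access port plausibly should."""
    per_port = Counter(e.port for e in snapshot)
    return {port for port, n in per_port.items() if n > threshold}


def find_vlan_mismatches(snapshot, port_vlan=PORT_VLAN):
    """Entries learned on an access port in a VLAN it is not assigned to."""
    out = []
    for e in snapshot:
        expected = port_vlan.get(e.port, "unknown")
        if expected is None:  # trunk: any VLAN is fine
            continue
        if expected != e.vlan:
            out.append(e)
    return out


def analyze(snapshots, port_vlan=PORT_VLAN, threshold=50):
    """Run all three checks over a series of snapshots; return alert strings."""
    alerts = []
    for i, snap in enumerate(snapshots):
        for mac in sorted(find_mac_flaps(snap)):
            alerts.append(f"snapshot {i}: {mac} learned on multiple ports")
        for port in sorted(find_flooded_ports(snap, threshold)):
            alerts.append(f"snapshot {i}: {port} holds more than {threshold} MACs")
        for e in find_vlan_mismatches(snap, port_vlan):
            alerts.append(f"snapshot {i}: {e.mac} on {e.port} in VLAN {e.vlan}, "
                          f"port assigned VLAN {port_vlan.get(e.port)}")
    return alerts


if __name__ == "__main__":
    for line in analyze([BASELINE, SPOOFED, FLOODED]):
        print(line)
```

Two caveats on the design: many switches keep only one port per MAC, so a spoofed address shows up as the entry bouncing between ports across consecutive polls rather than as two rows in one poll, and the switch's own "MAC flapping" log messages are often the better signal for that case. The same three conditions are what per-port MAC limits (port security) prevent outright, which is the usual mitigation when a switch must stay in place.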