> -----Original Message-----
> From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 12, 2002 07:41
> To: Gary Flynn
> Cc: [EMAIL PROTECTED]
> Subject: Re: Cisco IDS
> 
> On Fri, 12 Apr 2002, Gary Flynn wrote:
> 
> > I'm certainly not going to argue with you about other means of
> > segmentation being more secure but
> > I'm wondering what the actual risk level is. The only vulnerability
> > report I've seen requires the
> > following conditions:
> >
> [snip]
> >
> > Are you aware of any other vulnerabilities or exploits?
> 
> The ability to DoS the internal network if you can make the switch too
> busy is the most obvious one- and that can be pretty easy in some
> scenarios.

Where is that one? How does one DoS a switch that generally has a >3GB
backplane with traffic that comes from a generally <100MB pipe?
 
> There've been rumbles of very interesting tagged queueing issues
> (802.1q) for ~4 years now, I highly doubt the DoS attacks Cisco fixed are
> the end of that train.

Rumbles don't always mean anything. People have been rumbling about how
Linux is the next end all be all for years too. Still not seeing that.
 
> I wouldn't put money on either spanning tree or Cisco Discovery Protocol not
> having a problem or two even this late in the game (heck SNMP has been
> around forever and the last round of stuff *only* looked at V1 of the
> protocol.)

This is a bad jump of logic. The SNMP "stuff" has existed and been *known*
for over 10 years. It's only when a vendor came out with a product to scan
for the vulnerabilities that they suddenly became issues.
 
> I'm not sure how the "fill up the CAM table" thing works these days, but I
> doubt that the default "broadcast on every port" logic is completely
> ripped out of the switch code for each set of things that would ever
> trigger it.

You are making an uninformed statement here. Either it is, or it isn't but
saying "I doubt" isn't really a credible statement in this context.
 
> The most important thing though is that a single configuration change
> completely and utterly destroys your security posture.  Think about the
> last few worms which have gotten to internal networks, add a switch
> component to the mix and think about how "safe" that architecture is
> (disallowing remote access to a DMZ-only switch is pretty easy, internal
> switches all tend to have IP addresses and SNMP on these days.)

This is true in separate switch environments.
 
> One bug, one mistake, one malicious act - mix it with one single point
> of failure, and everything's exposed.  Hell, a dumb switch for the DMZ is
> a *trivial* amount of money these days.

No doubt on this point. Heck, a hub in my mind makes an even better
solution.

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com
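The "fill up the CAM table" question in the thread above is about a switch's learning table: once it is full, frames for destinations the switch cannot learn are flooded out every port, which is what makes a saturated switch behave like a hub. The following is an added example, not code from either poster, that models that fail-open behaviour and shows the defender's side: spotting a port that is learning implausibly many MAC addresses from a constructed `show mac address-table`-style dump, and rendering the port-security configuration that caps it. The table format, the sample MACs, the 8-MAC threshold and the port names are all constructed for the example; the port-security commands are the common Cisco IOS form and should be checked against the platform in use.

```python
from collections import defaultdict


class CamTable:
    """Minimal learning-switch model: a fixed-size MAC -> port table that,
    when full, cannot learn new sources, so frames to unknown destinations
    are flooded to every port except the one they arrived on."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.table = {}  # mac -> port

    def learn(self, src_mac, port):
        # Existing entries may be refreshed; new ones only if there is room.
        if src_mac in self.table or len(self.table) < self.capacity:
            self.table[src_mac] = port

    def forward(self, dst_mac, in_port, all_ports):
        port = self.table.get(dst_mac)
        if port is None:
            return [p for p in all_ports if p != in_port]  # flood like a hub
        return [port]


def fail_open_demo():
    """Fill a 3-entry table with bogus sources; a real host then cannot be
    learned, and a frame addressed to it is copied to every other port."""
    cam = CamTable(capacity=3)
    ports = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/7"]
    for i in range(3):
        cam.learn(f"dead.beef.{i:04x}", "Gi1/0/7")  # constructed filler MACs
    cam.learn("0000.1111.aaaa", "Gi1/0/1")  # legitimate host: no room left
    return cam.forward("0000.1111.aaaa", "Gi1/0/2", ports)


# Constructed sample in the shape of a MAC address table dump
# (VLAN, MAC, type, port): three normal entries plus one port with 250 MACs.
SAMPLE_MAC_TABLE = """
10    0000.1111.aaaa    DYNAMIC    Gi1/0/1
10    0000.1111.bbbb    DYNAMIC    Gi1/0/2
20    0000.2222.cccc    DYNAMIC    Gi1/0/3
""" + "".join(
    f"10    dead.beef.{i:04x}    DYNAMIC    Gi1/0/7\n" for i in range(250)
)


def parse_mac_table(text):
    """Return a dict port -> set of MACs from a whitespace-delimited table."""
    per_port = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # headers, separators, blank lines
        _vlan, mac, _type, port = fields
        per_port[port].add(mac.lower())
    return per_port


def flag_flooded_ports(per_port, max_macs_per_port=8):
    """Ports learning more MACs than an access port plausibly has behind it.
    The threshold is an assumption; tune it to the site (uplinks and
    virtualisation hosts legitimately carry many MACs)."""
    return {port: len(macs) for port, macs in per_port.items()
            if len(macs) > max_macs_per_port}


def port_security_config(port, max_macs=2):
    """Render the corrective IOS-style port-security stanza for a flagged
    access port: cap learned MACs and drop (not shut) on violation."""
    return "\n".join([
        f"interface {port}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {max_macs}",
        " switchport port-security violation restrict",
    ])


if __name__ == "__main__":
    print("flooded to:", fail_open_demo())
    suspects = flag_flooded_ports(parse_mac_table(SAMPLE_MAC_TABLE))
    for port, count in suspects.items():
        print(f"{port}: {count} MACs learned")
        print(port_security_config(port))
```

Running the table check on a periodic export (or on SNMP BRIDGE-MIB polls) is a cheap detection for the condition; the port-security stanza is the mitigation that keeps the table from being filled from a single access port in the first place.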
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
