IDS: Re: Router/Switches and viruses

[Per Engelbrecht <per () xterm dk>]

Seek Knowledge wrote:
> Does anyone have any first-hand experience with a
> single infected desktop machine (or windows server for
> that matter) taking out a LAN switch? Would anyone
> have any stories from the trenches of an infected
> machine causing a directly connected router to stop
> functioning?
>
> If so, what could be done to prevent such an outage?
> What IDS/IPS strategy might one implement to prevent
> and or at least detect such an event?
If I understand your question right, you're asking for a way to protect 
your switche(s).
Most common attack against switches is arp-cache-poison.
Solution: mac-lockdown (static mac) i.e. one mac per int.

Another risk is snmp.
Solution: use snmpv2 (or better) and change community-name N times per year.

Also monitor on your span ports and put all swiches on another network 
than the one they're switching for. (==unreachable by nodes)
/per
per () xterm dk



> Thanks in advance.
> ASeeker
>
> ________________________________________________________________________
> Yahoo! Messenger - Communicate instantly..."Ping" 
> your friends today! Download Messenger Now 
> http://uk.messenger.yahoo.com/download/index.html
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from 
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> --------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------