Firewall Wizards mailing list archives

RE: Q on external router


From: "Andrew J. Luca" <andrew.luca () mediaone net>
Date: Fri, 24 Apr 1998 09:05:16 -0400

One other point that may be relevant here is that many groups do not pay as
much attention to the security of switches as they do to the security of
either their hosts or their systems.  Since the continuous curve of features
and price is still on the downward swing, many lower-end switches now have
the ability to replicate traffic from one port to another.  It is fairly
trivial to watch what you are doing on all of your ports if you can get to
this.  You might even be able to use some of the debug features of your
switch to help you to log the packets that you are replicating.

-----Original Message-----
From:   owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net]
On Behalf Of Bernhard Schneck
Sent:   Wednesday, April 22, 1998 3:32 PM
To:     Vinci Chou
Cc:     firewall-wizards () nfr net
Subject:        Re: Q on external router

In message <Pine.SUN.3.95.980422171232.27846D-100000 () is3 hk super net> you write:
> After posting my question, I searched the archive at nfr.net and the
> argument by "Adam Shostack" against a switch in the DMZ was not that it
> cannot prevent sniffing but rather, it may not stand malicious attack.
> However, he did not quote any concrete evidence or example because these
> are relatively new.

Switches have finite storage for ARP entries (usually some power of
2, say 4096 or 8192).  Flood them with enough (bogus) ARPs and most
of them will start passing all packets.

POOF.

\Bernhard.
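A toy model of the failure mode Bernhard describes, added here and not code from the thread: a learning switch whose forwarding table (the per-MAC table the message calls ARP entries) is full stops learning and floods unknown-destination frames out of every port, so the port that filled the table sees other hosts' traffic; a per-port learning limit, of the kind port-security features provide, is shown as the mitigation. The port numbers, MAC addresses, table capacity and per-port limit are constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Switch:
    """Learning switch with a bounded forwarding table (constructed capacity)."""
    ports: list
    capacity: int = 8                         # real switches: a power of 2, e.g. 4096 or 8192
    per_port_limit: Optional[int] = None      # None = no port security configured
    table: dict = field(default_factory=dict)       # mac -> port
    learned: dict = field(default_factory=dict)     # port -> number of MACs learned on it
    violations: list = field(default_factory=list)  # (port, mac) pairs the limit rejected

    def _learn(self, mac, port):
        if mac in self.table:
            return
        if self.per_port_limit is not None and self.learned.get(port, 0) >= self.per_port_limit:
            self.violations.append((port, mac))   # what a port-security violation log records
            return
        if len(self.table) >= self.capacity:
            return                                # table full: the switch silently stops learning
        self.table[mac] = port
        self.learned[port] = self.learned.get(port, 0) + 1

    def forward(self, src, dst, in_port):
        """Return the ports a frame from src to dst arriving on in_port is sent out of."""
        self._learn(src, in_port)
        out = self.table.get(dst)
        if out is None or out == in_port:         # unknown destination: flood every other port
            return [p for p in self.ports if p != in_port]
        return [out]


def scenario(per_port_limit=None, bogus_frames=16):
    """Port 3 sends frames with distinct bogus source MACs, then host A (port 1) talks to
    host B (port 2).  Returns the ports that receive A's second frame to B, and the
    number of learning attempts the per-port limit rejected."""
    sw = Switch(ports=[1, 2, 3], per_port_limit=per_port_limit)
    for i in range(bogus_frames):                 # constructed bogus source addresses
        sw.forward("02:bb:bb:bb:%02x:%02x" % (i >> 8, i & 0xFF), "ff:ff:ff:ff:ff:ff", 3)
    a, b = "02:aa:00:00:00:01", "02:aa:00:00:00:02"
    sw.forward(a, b, 1)                           # A -> B: B not yet known, flooded either way
    sw.forward(b, a, 2)                           # B -> A
    return sw.forward(a, b, 1), len(sw.violations)  # only [2] if the switch could learn A and B


if __name__ == "__main__":
    print("no port security  :", scenario())     # ([2, 3], 0): port 3 sees A<->B traffic
    print("limit 2 MACs/port :", scenario(2))    # ([2], 14): table never fills, A<->B stays private
```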
