Firewall Wizards mailing list archives

Re: Q on external router


From: Bennett Todd <bet () rahul net>
Date: Wed, 22 Apr 1998 10:49:54 -0700

1998-04-23-01:13:28 Vinci Chou:
> After posting my question, I searched the archive at nfr.net and the
> argument by "Adam Shostack" against a switch in the DMZ was not that it
> cannot prevent sniffing but rather that it may not withstand a malicious
> attack.
> 
> > If you use a switch in a DMZ setting, use it as a super-high-performance
> > hub, not as a security device.
> 
> However, he did not quote any concrete evidence or examples because these
> are relatively new.

I won't quote concrete evidence or examples either. However, I don't
regard the question as open and unsettled :-).

Switches aren't designed as security barriers, they're designed as
high-performance hubs. Take a sniffer to a switched network; you'll see
occasional packets you wouldn't expect to. Partly this comes from the
way they work: they learn the network config by examining packets as
they sail past, and they flood everything out like a hub until they
learn each destination's whereabouts. Furthermore they'll have a finite
amount of storage for caching the CAM table and will have some kind of
space management strategy. And that's all just in the normal operation
of the switch, not talking about its support for explicitly _enabling_
sniffing, which may or may not be adequately secured.

Now if you occasionally see packets you don't need to, this doesn't
significantly hurt performance, and so it's not a defect in the switch,
at delivering its service as a high speed hub. But if you are trying to
use it as a security device, this is really nasty. Not only does it mean
there's a reduced-but-nonzero possibility of an intruder being able to
passively pick up goodies, it makes it seem very likely that a suitably
determined attacker could find a way to coerce a given switch into
passing him a packet that he shouldn't otherwise get, on demand. What
would happen, for example, if you generated a non-stop stream of
whatever packet the switch ``learns'' MAC addresses from (arp reply?) as
fast as your system can emit them, from, e.g., incrementing MAC addresses,
addressed to your own MAC address, and simultaneously listened on another
port for these nastygrams? Perhaps you'd be able to empty the CAM table
in a fraction of a second, at which point it'll forget that _your_ MAC
address is on your port, and commence beaming everything everywhere; if
you see one of your nastygrams on another port you know you've blown its
brain and you (temporarily) shut down your assault, listen to the
nattering of everyone until it quiets down, then re-blow its brain. This
might go unnoticed unless someone was in the machine room and saw the
CPU load doing a conga with a back-beat.

I don't know. I _do_ know that routers are designed to control traffic,
and so are bastion hosts, whereas switches are not; it seems like a
sound principle to use them that way.

-Bennett
