Firewall Wizards mailing list archives
Re: Q on external router
From: Bennett Todd <bet () rahul net>
Date: Wed, 22 Apr 1998 10:49:54 -0700
1998-04-23-01:13:28 Vinci Chou:
After posting my question, I searched the archive at nfr.net and the argument by "Adam Shostack" against a switch in the DMZ was not that it cannot prevent sniffing but rather that it may not stand malicious attack.
If you use a switch in a DMZ setting, use it as a super-high-performance hub, not as a security device.
However, he did not quote any concrete evidence or example because these are relatively new.
I won't quote concrete evidence or example either. However, I don't regard the question as open and unsettled:-). Switches aren't designed as security barriers, they're designed as high-performance hubs.

Take a sniffer to a switched network; you'll see occasional packets you wouldn't expect to. Partly this comes from the way they work: they learn the network config by examining packets as they sail past, and they flood everything out like a hub until they learn each destination's whereabouts. Furthermore they'll have a finite amount of storage for caching the CAM table and will have some kind of space management strategy. And that's all just in the normal operation of the switch, not talking about its support for explicitly _enabling_ sniffing, which may or may not be adequately secured.

Now if you occasionally see packets you don't need to, this doesn't significantly hurt performance, and so it's not a defect in the switch, at delivering its service as a high speed hub. But if you are trying to use it as a security device, this is really nasty. Not only does it mean there's a reduced-but-nonzero possibility of an intruder being able to passively pick up goodies, it makes it seem very likely that a suitably determined attacker could find a way to coerce a given switch into passing him a packet that he shouldn't otherwise get, on demand.

What would happen, for example, if you generated a non-stop stream of whatever packet the switch "learns" MAC addresses from (arp reply?) as fast as your system can emit them, from, e.g., incrementing MAC addresses, addressed to your own MAC address, and simultaneously listen on another port for these nastygrams? Perhaps you'd be able to empty the CAM table in a fraction of a second, at which point it'll forget that _your_ MAC address is on your port, and commence beaming everything everywhere; if you see one of your nastygrams on another port you know you've blown its brain and you (temporarily) shut down your assault, listen to the nattering of everyone until it quiets down, then re-blow its brain. This might go unnoticed unless someone was in the machine room and saw the CPU load doing a conga with a back-beat.

I don't know. I _do_ know that routers are designed to control traffic, and so are bastion hosts, whereas switches are not; it seems like a sound principle to use them that way.

-Bennett
Current thread:
- Q on external router Vinci Chou (Apr 22)
- Re: Q on external router Vinci Chou (Apr 22)
- Re: Q on external router Bennett Todd (Apr 22)
- Re: Q on external router Bernhard Schneck (Apr 22)
- Re: Q on external router Eric Vyncke (Apr 23)
- Re: Q on external router tqbf (Apr 23)
- Re: Q on external router Eric Vyncke (Apr 24)
- Re: Q on external router tqbf (Apr 24)
- Re: Q on external router Vinci Chou (Apr 22)
- RE: Q on external router Andrew J. Luca (Apr 24)
- Re: Q on external router Marcus J. Ranum (Apr 23)
- Re: Q on external router tqbf (Apr 23)
- Re: Q on external router Paul D. Robertson (Apr 24)