On Wed, 31 Dec 1997, Darren Reed wrote:
> > Most good switches will allow you to set particular ports to get all
> > traffic as if it were a hub. This is where you configure the IDS.
>
> If I compromised the firewall which was directly attached to this hub
> (assuming no action gets taken until well after...) how easy is it likely
> to be for me to reprogram the hub to make my port the promiscuous one ?
> And what then will the IDS system be able to do ?
Depends on the switch and how it is configured. If remote access is
configured, and/or SNMP writes are on, then from 'trivial' to
'difficult'. If remote access isn't configured, and SNMP is off, 'virtually
impossible'. As always, any piece of network equipment placed at a point of
vulnerability (or if you're as paranoid as I tend to be, remove the 'at a
point of vulnerability') should be properly configured and that configuration
and any changes to it strongly and regularly audited.
If you've got the firewall, then you'll get most, if not all, of the traffic
anyway, especially if the network was engineered correctly, so that only out
and inbound traffic hits that *physical* segment. If people are skimping on
physical security by placing VLAN type stuff at critical junctions, then
well, that's what they get, no?
Yes, some people gripe about not having network access to some equipment, and
no, it doesn't bother me a bit.
Half of security is vulnerability assessment and engineering to limit that.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280
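The reply above makes two points a defender can check mechanically: whether a switch exposes the paths (SNMP write community, remote management login) that would let someone re-point the mirror port feeding the IDS, and whether the configuration has drifted from an audited baseline. The following is an added example, not code from the thread or from either poster; the configuration text is constructed in IOS-style syntax purely for illustration, and the line patterns it matches (`snmp-server community ... RO|RW`, `transport input`, `monitor session ... destination`) are assumptions about that syntax.

```python
"""Audit a switch configuration for SNMP write access and remote
management login, and report drift against a stored baseline.
Added example; the configs below are constructed, not real devices."""
import hashlib
import re

# Constructed sample: a switch with a mirror port feeding the IDS,
# a read-write SNMP community and telnet login on the vty lines.
WEAK_CONFIG = """\
hostname core-sw
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
monitor session 1 source interface Gi0/1
monitor session 1 destination interface Gi0/24
"""

# Constructed sample: same switch with no write community and no
# remote login, i.e. the "SNMP off, no remote access" case.
HARDENED_CONFIG = """\
hostname core-sw
snmp-server community n0t-public RO
line vty 0 4
 transport input none
monitor session 1 source interface Gi0/1
monitor session 1 destination interface Gi0/24
"""


def normalize(text):
    """Drop blank and comment ('!') lines and trailing whitespace so
    hashes and diffs are stable across cosmetic changes."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit_switch_config(text):
    """Return (severity, message) findings for the risks the thread names."""
    findings = []
    for ln in normalize(text):
        m = re.match(r"snmp-server community (\S+) (RO|RW)$", ln)
        if m:
            name, mode = m.groups()
            if mode == "RW":
                findings.append(("high", f"SNMP write community '{name}' "
                                 "enabled: mirror port can be reprogrammed"))
            if name.lower() in ("public", "private"):
                findings.append(("medium", f"well-known SNMP community '{name}'"))
        if ln.startswith(" transport input") and "none" not in ln:
            findings.append(("high", f"remote management login enabled: {ln.strip()}"))
        if ln.startswith("monitor session") and "destination" in ln:
            findings.append(("info", f"mirror port present: {ln}"))
    return findings


def config_fingerprint(text):
    """Hash of the normalized config, suitable for storing as the audited baseline."""
    return hashlib.sha256("\n".join(normalize(text)).encode()).hexdigest()


def config_changes(baseline, current):
    """(added, removed) lines relative to the baseline: the change audit
    the reply recommends for equipment at a point of vulnerability."""
    base, cur = set(normalize(baseline)), set(normalize(current))
    return sorted(cur - base), sorted(base - cur)


if __name__ == "__main__":
    for sev, msg in audit_switch_config(WEAK_CONFIG):
        print(f"[{sev}] {msg}")
    added, removed = config_changes(HARDENED_CONFIG, WEAK_CONFIG)
    print("added since baseline:", added)
    print("removed since baseline:", removed)
```

Run it as-is to see the weak configuration flagged on both counts and the exact lines that differ from the hardened baseline; in practice the baseline fingerprint would be stored off-box and compared on a schedule, so that a re-pointed mirror port or a newly added write community shows up as drift rather than going unnoticed.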