Re: Symantec AntiVirus and AOL

• Previous message: Maxim S. Shatskih: "Re: [Full-Disclosure] Symantec AntiVirus and AOL"
• Maybe in reply to: Joshua Levitsky: "Symantec AntiVirus and AOL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Tue, 28 Oct 2003 10:57:11 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

This is not just a problem for Norton Antivirus. AOL also causes switches
configured to use 'Port Security' by limiting the number of MACs allowed
from a single port (IE. Hub control) to trip the 'alarm' when AOL starts up.
AOL makes it look to the switch like a user is on a hub, and if the
specified action on the switch is to 'disable' the port, then you get AOL
disabling people ports, whether or not the AOL servers are firewalled out.

The only way to ensure that you can monitor MAC count effectively, is to
make sure that you don't have anything else creating an adapter, and using
another MAC that would be detected by 'port security' on a cisco switch.
(AOL probably isn't the only offender)

--dave

********************************************
David M. Dolan
Assistant Network Administrator
Concurrent Technologies Corporation
100 CTC Drive
Johnstown, PA 15904
email: dolan@ctcgsc.org
********************************************

----
NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
code "NT1003" when registering to take the TICSA exam at www.2test.com.
Prove to your employer and peers that you have the knowledge and
abilities to be an active stakeholder in today's enterprise security.
Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
12/31/03 and cannot be used in combination with other offers.
----

• Previous message: Maxim S. Shatskih: "Re: [Full-Disclosure] Symantec AntiVirus and AOL"
• Maybe in reply to: Joshua Levitsky: "Symantec AntiVirus and AOL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: Exploit code for IP Smart Spoofing ... If there is a MAC violation, this is logged and the port is ... traffic of one other host on the switch. ... but there is no way to protect against ... (Bugtraq) RE: mac duplication ... Another solution you could use depends on your switch. ... that allow you to do port mirroring. ... IP address map to MAC addresses via router tables. ... How do i set up mac duplication ... (Vuln-Dev) Re: Network scanning ... that works with a radius server to auth mac address at port ... level before the switch will enable that port... ... new MAC and disable the port. ... (Security-Basics) Re: Sniffing Internet Traffic ... >NIC's MAC to the new port so it can pass traffic. ... >for security because MITM ARP attacks are futile as the switch already ... >I don't know a whole lot about cable modems, but my guess is that, like ... (Security-Basics) RE: Strange pings from 127.0.0.1 ... >> As for the MAC, it just doesn't make any sense to me. ... >> every active port on the switch. ... >pen testing experience in our state of the art hacking lab. ... (Security-Basics)