Re: Symantec AntiVirus and AOL

From: Dolan, David (Dolan_at_CTCGSC.ORG)
Date: 10/28/03

  • Next message: Russ: "New RPC worm?"
    Date:         Tue, 28 Oct 2003 10:57:11 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    This is not just a problem for Norton Antivirus. AOL also causes switches
    configured to use 'Port Security' by limiting the number of MACs allowed
    from a single port (IE. Hub control) to trip the 'alarm' when AOL starts up.
    AOL makes it look to the switch like a user is on a hub, and if the
    specified action on the switch is to 'disable' the port, then you get AOL
    disabling people ports, whether or not the AOL servers are firewalled out.

    The only way to ensure that you can monitor MAC count effectively, is to
    make sure that you don't have anything else creating an adapter, and using
    another MAC that would be detected by 'port security' on a cisco switch.
    (AOL probably isn't the only offender)

    --dave

    ********************************************
    David M. Dolan
    Assistant Network Administrator
    Concurrent Technologies Corporation
    100 CTC Drive
    Johnstown, PA 15904
    email: dolan@ctcgsc.org
    ********************************************

    ----
    NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
    code "NT1003" when registering to take the TICSA exam at www.2test.com.
    Prove to your employer and peers that you have the knowledge and
    abilities to be an active stakeholder in today's enterprise security.
    Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
    12/31/03 and cannot be used in combination with other offers.
    ----
    

  • Next message: Russ: "New RPC worm?"

    Relevant Pages

    • RE: Exploit code for IP Smart Spoofing
      ... If there is a MAC violation, this is logged and the port is ... traffic of one other host on the switch. ... but there is no way to protect against ...
      (Bugtraq)
    • RE: mac duplication
      ... Another solution you could use depends on your switch. ... that allow you to do port mirroring. ... IP address map to MAC addresses via router tables. ... How do i set up mac duplication ...
      (Vuln-Dev)
    • Re: Ethernet switch flooding packets?
      ... course) so will have it's own MAC address. ... other VLANs there are are or how many hosts each has. ... was merely using the Ethernet switching terminology - if a switch ... doesn't know which individual port to push a frame out to, ...
      (comp.dcom.lans.ethernet)
    • Re: Network scanning
      ... that works with a radius server to auth mac address at port ... level before the switch will enable that port... ... new MAC and disable the port. ...
      (Security-Basics)
    • Re: Sniffing Internet Traffic
      ... >NIC's MAC to the new port so it can pass traffic. ... >for security because MITM ARP attacks are futile as the switch already ... >I don't know a whole lot about cable modems, but my guess is that, like ...
      (Security-Basics)