Re: Router/Switches and viruses

From: Per Engelbrecht (per_at_xterm.dk)
Date: 05/05/05

  • Next message: Derek Nash: "Re: Router/Switches and viruses"
    Date: Thu, 05 May 2005 11:08:39 +0200
    To: Seek Knowledge <aseeker03@yahoo.com>, focus-ids@securityfocus.com
    
    

    Seek Knowledge wrote:
    > Does anyone have any first-hand experience with a
    > single infected desktop machine (or windows server for
    > that matter) taking out a LAN switch? Would anyone
    > have any stories from the trenches of an infected
    > machine causing a directly connected router to stop
    > functioning?
    >
    > If so, what could be done to prevent such an outage?
    > What IDS/IPS strategy might one implement to prevent
    > and or at least detect such an event?

    If I understand your question right, you're asking for a way to protect
    your switch(es).

    Most common attack against switches is arp-cache-poison.
    Solution: mac-lockdown (static mac) i.e. one mac per int.

    Another risk is snmp.
    Solution: use snmpv2 (or better) and change community-name N times per year.

    Also monitor on your span ports and put all switches on another network
    than the one they're switching for. (==unreachable by nodes)

    /per
    per@xterm.dk

    >
    > Thanks in advance.
    > ASeeker



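An added example, not part of the original message: one way to detect the ARP cache poisoning mentioned in the reply from frames mirrored to a span port, by checking ARP sender fields against a static IP-to-MAC inventory. The inventory, addresses, helper names and sample frames are all constructed assumptions.

```python
import socket
import struct
from collections import defaultdict

# Constructed static inventory (assumption): the IP -> MAC bindings that a
# "one MAC per interface" lockdown would pin on the switch ports.
KNOWN = {"10.0.0.1": "00:11:22:33:44:01", "10.0.0.20": "00:11:22:33:44:20"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, op, sender_mac, sender_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac(frame[6:12]), op, mac(frame[22:28]), socket.inet_ntoa(frame[28:32])

def check(frames, known=KNOWN):
    """Return (reason, ip, mac) alerts for ARP frames seen on the span port."""
    alerts, seen = [], defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, _op, smac, sip = parsed
        if eth_src != smac:  # Ethernet header and ARP payload disagree
            alerts.append(("eth-src-mismatch", sip, smac))
        if sip in known and known[sip] != smac:
            alerts.append(("static-binding-violation", sip, smac))
        elif seen[sip] and smac not in seen[sip]:
            alerts.append(("ip-moved-to-new-mac", sip, smac))
        seen[sip].add(smac)
    return alerts

def build(eth_src, smac, sip, op=2):
    """Build one constructed ARP frame (sample data only)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + raw(smac) + socket.inet_aton(sip)
    return b"\xff" * 6 + raw(eth_src) + b"\x08\x06" + arp + b"\x00" * 6 + socket.inet_aton("10.0.0.20")

SAMPLE = [  # constructed frames, not captured traffic
    build("00:11:22:33:44:01", "00:11:22:33:44:01", "10.0.0.1"),
    build("00:11:22:33:44:99", "00:11:22:33:44:99", "10.0.0.1"),
    build("00:11:22:33:44:30", "00:11:22:33:44:30", "10.0.0.30"),
    build("00:11:22:33:44:31", "00:11:22:33:44:31", "10.0.0.30"),
]
```

An IP that legitimately moves to new hardware raises the same "ip-moved-to-new-mac" alert, so the inventory has to be updated when a host is replaced.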