RE: Router/Switches and viruses

THolman_at_toplayer.com
Date: 05/20/05

    To: aseeker03@yahoo.com, focus-ids@securityfocus.com
    Date: Thu, 19 May 2005 20:11:28 -0400
    
    

    Hi Aseeker,

    I've worked with several worm breakouts and multiple DDOS attacks over the
    past year. Switches are generally not a problem (although bear in mind some
    low end switches will have problems with volume), but ROUTERS are.
    Most of the time, a low-end router will need to have ACLs disabled in order
    to stay up. A router is designed to forward traffic, rather than process
    the traffic according to an ACL, and then forward it. ACLs take up a lot of
    resources. If you then pass multiple-source volumes of traffic through such
    a router, you will kill it.
    I have seen a single desktop machine take out a switch though, but only as
    it was a source of a broadcast storm, and was plugged twice into the same
    switch...
    To prevent such an outage, make sure your L2 and L3 infrastructure can
    handle the maximum packets per second that each device can throw at it...
    If you run out of capacity, turn to Foundry or Extreme.
    To mitigate the effects of such a 'rogue' PC, ensure you have things like
    STP enabled to cut out loops, and also segregate PCs into disparate LANs, and
    place an IPS in between to mitigate/stop the propagation of zero-day
    worms/viruses.
    From what you've said, it is more network design that is your potential
    problem. A NIDS and Sniffer will help you out in the long run as means of
    forensics, but only an IPS will PROTECT your networks if you deem that
    through risk analysis, this is protection you cannot do without.

    Regards,

    Tim

    -----Original Message-----
    From: Seek Knowledge [mailto:aseeker03@yahoo.com]
    Sent: 03 May 2005 22:41
    To: focus-ids@securityfocus.com
    Subject: Router/Switches and viruses

    Does anyone have any first-hand experience with a
    single infected desktop machine (or windows server for
    that matter) taking out a LAN switch? Would anyone
    have any stories from the trenches of an infected
    machine causing a directly connected router to stop
    functioning?

    If so, what could be done to prevent such an outage?
    What IDS/IPS strategy might one implement to prevent
    and or at least detect such an event?

    Thanks in advance.
    ASeeker


    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------

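Two of Tim's points lend themselves to a worked check: size L2/L3 gear for the worst-case packets per second every access port can generate, and spot a single host flooding a segment with broadcasts before it takes a switch or router down. The script below is an added example written for this thread, not code from either poster or from any vendor; the port counts, capacity figure and frame log are constructed, and the 1000 broadcasts/sec threshold is an assumed starting point to tune per site.

```python
"""Worst-case pps sizing and a per-source broadcast-storm detector.

Added example for the focus-ids thread above. All numbers and the sample
frame log are constructed; the threshold is an assumption to tune locally.
"""
from collections import defaultdict
from dataclasses import dataclass

ETH_OVERHEAD_BYTES = 20   # preamble (8) + inter-frame gap (12) on the wire
MIN_FRAME_BYTES = 64      # smallest legal Ethernet frame: the worst case for pps
BROADCAST = "ff:ff:ff:ff:ff:ff"


def max_pps(link_bps: int, frame_bytes: int = MIN_FRAME_BYTES) -> int:
    """Theoretical packets per second one port can push at a given frame size."""
    bits_per_frame = (frame_bytes + ETH_OVERHEAD_BYTES) * 8
    return link_bps // bits_per_frame


def worst_case_load(num_ports: int, link_bps: int) -> int:
    """Aggregate pps if every access port floods with minimum-size frames."""
    return num_ports * max_pps(link_bps)


def fits(device_pps_capacity: int, num_ports: int, link_bps: int) -> bool:
    """True if the device's rated forwarding capacity covers the worst-case flood.

    Note that the rated figure for a router applying ACLs is usually far below
    its plain forwarding figure, so check the capacity you actually configure.
    """
    return device_pps_capacity >= worst_case_load(num_ports, link_bps)


@dataclass
class Frame:
    ts: float      # seconds since capture start
    src_mac: str
    dst_mac: str


def broadcast_sources(frames, window_s: float = 1.0, threshold_pps: int = 1000):
    """Return {src_mac: peak broadcast count} for hosts exceeding the threshold
    in any single window. Unicast frames are ignored no matter their volume."""
    counts = defaultdict(lambda: defaultdict(int))   # src -> window -> count
    for f in frames:
        if f.dst_mac == BROADCAST:
            counts[f.src_mac][int(f.ts // window_s)] += 1
    offenders = {}
    for src, windows in counts.items():
        peak = max(windows.values())
        if peak / window_s > threshold_pps:
            offenders[src] = peak
    return offenders


def constructed_sample():
    """Constructed frame log: one storming host, one normal host, one chatty
    unicast host. MAC addresses are made up for the example."""
    frames = []
    for i in range(3000):   # storm source: 3000 broadcasts inside one second
        frames.append(Frame(i / 3000.0, "00:11:22:33:44:55", BROADCAST))
    for i in range(5):      # normal host: a few ARP requests
        frames.append(Frame(0.2 * i, "00:aa:bb:cc:dd:ee", BROADCAST))
    for i in range(5000):   # heavy but unicast: not a storm
        frames.append(Frame(i / 5000.0, "00:de:ad:be:ef:00", "00:11:22:33:44:55"))
    return frames


if __name__ == "__main__":
    # Constructed sizing case: 24 x 100 Mbit/s access ports behind a device
    # rated (with ACLs applied) at 2 million pps.
    print("100M port worst case:", max_pps(100_000_000), "pps")
    print("24 ports worst case :", worst_case_load(24, 100_000_000), "pps")
    print("2 Mpps device copes :", fits(2_000_000, 24, 100_000_000))
    print("storm sources       :", broadcast_sources(constructed_sample()))
```

The sizing half answers "can this box survive every port flooding at once"; with minimum-size frames a 100 Mbit/s port alone is roughly 149k pps, so 24 such ports already exceed a 2 Mpps budget, which is the shortfall Tim describes on low-end routers once ACL processing is in the path. The detector half keys on broadcast destination only, because a broadcast storm is what took out the switch in his account; a unicast-heavy host shows up in the same log but is not flagged.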

