Re: Windows 2000 Static arp not static
From: Anthony Kim (Anthony.Kim@VW.COM)
Date: 02/24/03
- Previous message: Larry Seltzer: "RE: Monitor Services on Windows machines"
- In reply to: shannong: "RE: Windows 2000 Static arp not static"
- Next in thread: Blue Boar: "Re: Windows 2000 Static arp not static"
Date: Mon, 24 Feb 2003 14:16:43 -0600
From: Anthony Kim <Anthony.Kim@VW.COM>
To: focus-ms@securityfocus.com
On Sun, Feb 16, 2003, shannong wrote:
> The MAC address table mappings on switches have absolutely no
> effect on this. The switch still sees the offending machine as
> having the correct MAC address and the victim as having the
> correct MAC address. This exploit works due to the ARP cache
> poisoning of the victim as discussed in this thread.
That's why you "lock" the tables on the switches if you really
have to.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_5/cnfg_gd/sec_port.pdf
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_implementation_white_paper09186a008014870f.shtml
If your threat model is such that you are considering static arp
tables on each host, you will have to consider alternatives that
are manageable.
> You prevent this from happening like you do other exploits. Use an IDS.
> One that detects these ARP flip-flops.
>
> -Shannon
IDS will not "prevent this from happening".
I wrote:
> Most people would lock arp tables on the switch and not on the
> host. If you're relying on MS-technology only, you probably have
> a boatload of other problems to take care of... ;-)
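The "ARP flip-flop" detection that Shannon mentions, written out as a small added example (this is not code from the thread or from any product discussed in it). It assumes ARP replies have already been decoded into (timestamp, sender IP, sender MAC) records by a sniffer or switch log; the records below are constructed for illustration. A plain change of IP-to-MAC binding is reported once, and a binding that returns to a MAC it was previously bound to is reported as a flip-flop, which is the pattern a poisoner alternating with the legitimate host produces.

```python
"""ARP flip-flop detector (added example; records below are constructed)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    ts: int
    ip: str
    old_mac: str
    new_mac: str
    kind: str  # "changed" (new binding) or "flip-flop" (back to an earlier MAC)


@dataclass
class ArpWatcher:
    """Tracks the MAC each IP was last seen claiming and flags changes."""
    current: dict = field(default_factory=dict)  # ip -> MAC last seen
    history: defaultdict = field(default_factory=lambda: defaultdict(set))  # ip -> every MAC seen
    alerts: list = field(default_factory=list)

    def observe(self, ts: int, ip: str, mac: str) -> Optional[Alert]:
        mac = mac.lower()
        previous = self.current.get(ip)
        seen_before = mac in self.history[ip]
        self.current[ip] = mac
        self.history[ip].add(mac)
        if previous is None or previous == mac:
            return None  # first sighting, or binding unchanged
        kind = "flip-flop" if seen_before else "changed"
        alert = Alert(ts, ip, previous, mac, kind)
        self.alerts.append(alert)
        return alert


# Constructed sample feed (hypothetical addresses): the gateway 10.0.0.1 is
# legitimately 00:11:22:33:44:55; a second MAC then alternates with it.
SAMPLE_REPLIES = [
    (100, "10.0.0.1", "00:11:22:33:44:55"),
    (101, "10.0.0.1", "00:11:22:33:44:55"),
    (102, "10.0.0.1", "AA:BB:CC:DD:EE:FF"),
    (103, "10.0.0.1", "00:11:22:33:44:55"),
    (104, "10.0.0.1", "AA:BB:CC:DD:EE:FF"),
    (105, "10.0.0.7", "00:aa:bb:cc:dd:01"),
]


def run_sample(replies=SAMPLE_REPLIES) -> list:
    """Feed the records through the watcher and return the alerts raised."""
    watcher = ArpWatcher()
    for ts, ip, mac in replies:
        watcher.observe(ts, ip, mac)
    return watcher.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"t={a.ts} {a.ip}: {a.old_mac} -> {a.new_mac} [{a.kind}]")
```

As the thread notes, this only detects; a real deployment would feed the alerts to whoever can act on them, and on a network with DHCP a legitimate lease change also shows up as a "changed" alert, so the flip-flop kind is the stronger signal.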
- Next message: Thane Walkup: "RE: MS Software Update Service"