RE: switch jamming

From: Richard Corley (richard_corley@questsys.com)
Date: 01/31/02


From: Richard Corley <richard_corley@questsys.com>
To: 'Anthony Gruppuso ' <AGruppus@jcals.army.mil>
Date: Thu, 31 Jan 2002 09:22:02 -0800

The Cisco switch code for many of their switches allows the use of port
security as mentioned below. However, it is not just a one-to-one
relationship. You have the ability to set a maximum number of learned MAC
addresses per port. For example you can set port 7/7 to have a maximum of
18 MAC addresses, supporting a fan-out hub.

There are exceptions to this ability. You cannot set port security on a
trunk port, span port, set CAM entries for a secured port, and in some cases
some gig uplink ports...these however are usually trunk ports anyway.

If you have Cisco switches you should check out the documentation
specifically relating to port security for your particular switch type.

Rich

-----Original Message-----
From: Blue Boar
To: Anthony Gruppuso
Cc: vuln-dev@securityfocus.com
Sent: 1/31/02 8:15 AM
Subject: Re: switch jamming

Anthony Gruppuso wrote:
>
> Does anybody know of any switches that can protect against this type of
> attack, or is virtually every switch affected? I imagine this is "old
> news," so what have vendors done to counteract this type of activity?
>

The Cisco switches at least can be secured against this, if you can
live with the inconvenience. If you have one machine per port, you
can configure the switch to learn the first MAC address it sees,
and then not accept frames from any other address. This means
that you can't move machines around or change NICs without the
switch admin resetting the MAC address for the affected ports. It also
means that you can't chain multiple machines off of any ports
configured that way, say via a hub.

                                        BB
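As an added illustration (not code from this thread, and not Cisco's implementation), the following Python model captures the two port-security behaviours described above: a port that learns at most N source MACs (the "maximum of 18" for a fan-out hub) and a port that learns only its first MAC (the one-machine-per-port case), and shows what happens to a flood of bogus source addresses and to a second host hung off a hub behind a one-MAC port. The port names 7/1 and 7/7, all MAC addresses and the 200-frame flood are constructed sample data.

```python
"""Model of switch port security versus MAC flooding ("switch jamming").

Added example, not code from the vuln-dev thread or from Cisco. A SecuredPort
learns up to `max_macs` distinct source addresses; any further source is a
port-security violation and its frame is dropped, so the CAM table cannot be
filled from that port. All addresses below are constructed sample values.
"""


class SecuredPort:
    def __init__(self, name, max_macs=1):
        self.name = name            # e.g. "7/7" (constructed port name)
        self.max_macs = max_macs    # how many source MACs this port may learn
        self.learned = []           # allowed source MACs, in learning order
        self.violations = 0         # frames dropped for an unlearned source
        self.dropped = []           # the offending source MACs, for logging

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if dropped.

        The first `max_macs` distinct sources are learned; everything beyond
        that is a violation and the frame is discarded rather than learned.
        """
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.max_macs:
            self.learned.append(src_mac)
            return True
        self.violations += 1
        self.dropped.append(src_mac)
        return False

    def reset(self):
        """Admin clears the learned addresses (needed after moving a machine
        or swapping a NIC, as the thread notes)."""
        self.learned.clear()
        self.violations = 0
        self.dropped.clear()


def run_frames(port, src_macs):
    """Feed a sequence of source MACs into the port; return (forwarded, violations)."""
    forwarded = sum(1 for mac in src_macs if port.ingress(mac))
    return forwarded, port.violations


# Constructed sample data: one legitimate host, 18 hosts behind a hub, and a
# flood of 200 bogus source addresses such as a CAM-flooding tool would emit.
LEGIT = "00:11:22:33:44:55"
HUB_HOSTS = [f"00:11:22:33:44:{i:02x}" for i in range(18)]
FLOOD = [f"de:ad:be:ef:00:{i:02x}" for i in range(200)]


def single_host_scenario():
    """One machine on port 7/1 with max_macs=1, then a flood, then the host again."""
    port = SecuredPort("7/1", max_macs=1)
    forwarded, violations = run_frames(port, [LEGIT] + FLOOD + [LEGIT])
    return {"forwarded": forwarded, "violations": violations, "learned": list(port.learned)}


def hub_scenario(max_macs):
    """18 hub-attached hosts on port 7/7 (each sends twice), then 5 bogus frames.

    With max_macs=18 every hub host is learned and only the bogus frames drop;
    with max_macs=1 only the first host gets through, which is the
    "can't chain multiple machines off a hub" caveat from the thread.
    """
    port = SecuredPort("7/7", max_macs=max_macs)
    forwarded, violations = run_frames(port, HUB_HOSTS * 2 + FLOOD[:5])
    return {"forwarded": forwarded, "violations": violations, "learned": len(port.learned)}


if __name__ == "__main__":
    print("single host, max 1:", single_host_scenario())
    print("hub of 18, max 18: ", hub_scenario(18))
    print("hub of 18, max 1:  ", hub_scenario(1))
```

The violation counter is the detection hook: on a real switch the equivalent is the port-security violation count or the shutdown/err-disable event, which is what you would alarm on rather than watching the CAM table itself.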
