#cisco
03 January 2008
Total 4 pages. You are browsing page 2/4.
00:19 <****> Perdition: well it uses the database from dhcp snooping
00:20 <****> yeah but this network doesn't use DHCP
00:20 <****> all IP addresses are static
00:20 <****> you can enter the mappings manually
00:21 <****> that would be a headache, is there a sticky mac option for the dhcp tables?
00:22 <****> you can have the macs sticky, but not the IP address information
00:22 <****> same thing as port security alone
00:23 <****> mac mappings
00:23 <****> it's virtually impossible to spoof both IP and MAC information on a LAN with these working?
00:23 <****> it pretty much blocks all layer 2 MiM attacks
00:23 <****> if it's the same pair on the same port, spoofing is still possible
00:25 <****> two hosts with one being authentic and the other being an attacker's, it still does nothing, i need to address this issue
00:26 <****> if you care about rogue devices, deploy 802.1x along with port security/proper interface configuration
00:26 <****> yeah well at that point i'll just steal the computer
00:26 <****> that setup i just mentioned also bypasses dot1x supposedly
00:27 <****> use port security for max number of macs
00:27 <****> DAI is good for MiM when a different port is used
00:27 <****> yeah but you are talking about physically adding another switch somewhere
00:27 <****> Perdition: you can play this ping-pong game endlessly
00:27 <****> yeah but the attacker has the same MAC and IP
00:27 <****> i'll install a keylogger on the keyboard a lot easier
00:27 <****> the question is if there is an answer to this ping pong game
00:27 <****> or it's unresolved in today's industry
00:28 <****> no
00:28 <****> this is the first time i've ever heard of this scenario
00:28 <****> it's an ever-evolving problem
00:28 <****> exactly
00:28 <****> one real way to secure shit, NAC at the edge
00:29 <****> http://www.keyghost.com/USB-Keylogger.htm <-- lot easier than getting a switch and plugging my pc in and spoofing mac and ip
00:29 <****> you're talking about a physical security issue imho
00:30 <****> the USB wouldn't work since the GPO doesn't allow outside media
00:30 <****> although i assume a bootdisk can bypass that at any rate can't it?
00:30 <****> hehe
00:30 <****> this is a keylogger
00:30 <****> no software needed
00:30 <****> you can always just get the inline keylogger
00:30 <****> usb or ps2 version
00:31 <****> they have ps2 versions as well
00:31 <****> yeah
00:31 <****> again, physical issue
00:31 <****> a sound security policy/posture addresses both physical and logical security elements
00:31 <****> a lack of one or the other is failure.
00:31 <****> ps2 version of a keylogger? awesome, although kind of a problem since the user would notice he is missing one of two ps2 interfaces
00:31 <****> i suppose so
00:31 <****> it's inline
00:31 <****> are you daft?
00:32 <****> how does an inline keylogger work?
00:32 <****> i'm off
00:32 <****> take care
00:32 <****> good night
00:32 <****> 1) install logger between PC and keyboard 2) plug keyboard into logger 3) wait a while then retrieve strokes.
00:32 <****> it captures the keystrokes to an internal flash and then sends the stroke back to the computer as well
00:32 <****> someone compromises a machine, has access to the private network, if you really made a private network, their access is limited through the private network
00:33 <****> actually bugging the keyboard
00:33 <****> yeah
00:33 <****> you can combat such issues through using elements such as a SecurID token
00:33 <****> again, $$$$$
00:33 <****> which is more covert and easier and guaranteed to get a password than setting up a switch on a user's port
00:33 <****> if they have physical access, the machine can be owned. it's just about that simple.
00:34 <****> if it can't be, an admin can brick the thing and turn it worthless, which is its own problem.
00:35 <****> someone compromising a machine, and hacking machines on the private side is a pretty big stretch, if you use something like private vlans
00:35 <****> and isolate all the hosts
00:35 <****> if they are plugging in switches are shit, like everyone said you got bigger problems
00:36 <****> bigger problems which supposedly have no resolution unless i plan on implementing ipsec or something equally large-scale to combat them
00:36 <****> and even then, if they have that kind of access and can't be trusted, they may just steal the hard disk
00:37 <****> do you actually have a problem statement behind this conversation
00:37 <****> or are we jacking off.
00:38 <****> there is a demand for my network to deal with as many MiM problems as possible, and the scenario i gave you is one they supplied
00:38 <****> a dot1x LAN with a hostile computer using a rogue switch with the supplicant on the other end
00:38 <****> if there is no way to deal with it practically, then that's that
00:39 <****> perdition: bigger problems as in ipsec won't help you
00:39 <****> your problem is an issue of logical and physical elements
00:39 <****> you need to address your security architecture rather than having #cisco fix your stuff.
00:39 <****> i looked online for awhile and the advisors we have couldn't come up with anything
00:40 <****> i better read up before i comment.
00:40 <****> i've turned to this channel because there are people who work in the industry here who may have met a similar demand
00:40 <****> hmm
00:40 <****> that's a tricky scenario
00:40 <****> i would investigate solutions that are NAC based
00:41 <****> meaning if they don't have the antivirus signature and so on, they're not legit
00:41 <****> and other things
00:41 <****> expensive solution?
00:41 <****> vey
00:41 <****> very
00:41 <****> scalable and practical, money aside
00:41 <****> ?
00:41 <****> actually 802.1x and multiple hosts of a single port has been fixed
00:41 <****> let me find a link
00:42 <****> thanks nem :)
00:42 <****> you could always go security-nuts deep and do PVLANs and access lists to only connect to a VPN box, thus all user lans treated as "public" zones
00:42 <****> how do you fix that?
00:42 <****> even if someone takes over MAC+IP, the vpn session would prevent any compromising of network access
00:42 <****> add NAC on to that, and you can also prevent infected/jacked machines from connecting to corporate too.
00:43 <****> Unter you have a NAC?
00:43 <****> nope
00:43 <****> well that was the plan with every host using IPSEC to the firewall, although the technicians think it would be a bit of a headache to manage
00:43 <****> i'm just brainstorming
00:43 <****> i don't think anyone has implemented NAC yet
00:43 <****> it's not there yet
00:43 <****> you could hack a machine with nac, and route through it :)
