
Re: [cobalt-users] Raq3 admin & root passwords



Once upon a time, Jens Kristian Søgaard <jk@xxxxxxxxxxxx> said:
> "Michael Zimmermann" <zim@xxxxxxxx> writes:
> > But don't you think, if one of the hundreds of machines on your
> > ISP's subnet is compromised, it would be possible to
> > get all the others on the subnet by running a snooper
> > on the one which got hacked?
> 
> Have you looked at the network structure of an ISP?
> 
> They do not have workstations (or whatever) put directly down on the
> same subnet and physical segments as their dial-up / xDSL customers.
> 
> I.e. you can't start a sniffer or something like that to get data.

Not over dialup or anything like that, but in a colocation farm a lot of
times all of the colo equipment is just plugged into a single ethernet
switch.

> > Or do you think the normal ISP is checking for promiscuous 
> > cards on their subnets? I don't know. Just asking.
> 
> You would normally hook up equipment on a switch, which provides a new
> physical segment for each connection.
> 
> I.e. promiscuous NICs don't have access to any data other than the
> data destined for their own IP.

In an ideal world, yes.  However, there are several problems with this.
Say your server and my server were plugged into an ethernet switch.
Every time there is an ARP request for your IP address, I could answer
(and there are ways to make sure that _my_ answer is heard instead of
yours).  Then, I could filter all traffic for your IP through my server
by receiving the packets, looking at them, and then resending them to
your ethernet MAC address.

It is also possible to overload many switches so they just fall back to
sending all packets to all ports.

All ethernet broadcast traffic is sent to all ports on a switch.

Basically, a switch should NEVER be considered a security measure.  If
you want security, go with a router.  You can use a switch that does
VLANs and VLAN trunking with a router that does VLAN trunking to
separate switch ports into truly separate networks.

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.
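The ARP-answering trick Chris describes, modeled end to end so the mechanism and a matching detection check can be seen in one place. This is an added example, not code from the original message or from the cobalt-users list; the hosts, MAC addresses, IPs and "switch" are all constructed, nothing touches a real network, and the Host class assumes the permissive ARP cache behaviour (most recent reply wins, solicited or not) that the attack relies on.

```python
"""ARP-cache poisoning on a shared colo switch, with an arpwatch-style check.

Constructed model: a router, a tenant's server ("your-raq") and a second
tenant ("my-raq") hang off one Ethernet switch. Addresses are made up.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Arp:
    op: str           # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str   # BROADCAST for requests
    target_ip: str


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: str


class ArpWatcher:
    """Passive check for a mirror port: remember the first MAC seen claiming
    each IP (learned from requests and replies alike) and alert whenever a
    later ARP packet claims that IP from a different MAC."""
    def __init__(self):
        self.bindings, self.alerts = {}, []

    def observe(self, pkt):
        known = self.bindings.setdefault(pkt.sender_ip, pkt.sender_mac)
        if known != pkt.sender_mac:
            self.alerts.append((pkt.sender_ip, known, pkt.sender_mac))


class Segment:
    """One switch: unicast goes to one port, broadcast to all but the sender."""
    def __init__(self, hosts, watcher):
        self.hosts = {h.mac: h for h in hosts}
        self.watcher = watcher

    def send_arp(self, pkt):
        self.watcher.observe(pkt)
        if pkt.target_mac == BROADCAST:
            dests = [h for h in self.hosts.values() if h.mac != pkt.sender_mac]
        else:
            dests = [self.hosts[pkt.target_mac]]
        for h in dests:
            h.handle_arp(pkt, self)

    def send_frame(self, frame):
        self.hosts[frame.dst_mac].handle_frame(frame, self)


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip, self.arp_cache, self.received = mac, ip, {}, []

    def resolve(self, segment, ip):
        segment.send_arp(Arp("request", self.mac, self.ip, BROADCAST, ip))

    def handle_arp(self, pkt, segment):
        if pkt.op == "request" and pkt.target_ip == self.ip:
            segment.send_arp(Arp("reply", self.mac, self.ip, pkt.sender_mac, pkt.sender_ip))
        elif pkt.op == "reply" and pkt.target_mac == self.mac:
            self.arp_cache[pkt.sender_ip] = pkt.sender_mac   # last reply wins, even unsolicited

    def handle_frame(self, frame, segment):
        self.received.append(frame.payload)

    def send_ip(self, segment, dst_ip, payload):
        segment.send_frame(Frame(self.mac, self.arp_cache[dst_ip], self.ip, dst_ip, payload))


class Attacker(Host):
    """Same switch; answers ARP for the victim's IP and relays what it sees."""
    def __init__(self, mac, ip, victim, gateway):
        super().__init__(mac, ip)
        self.victim, self.gateway, self.sniffed = victim, gateway, []
        self.real = {victim.ip: victim.mac, gateway.ip: gateway.mac}  # learned by ordinary ARP beforehand

    def handle_arp(self, pkt, segment):
        if pkt.op == "request" and pkt.target_ip == self.victim.ip:
            segment.send_arp(Arp("reply", self.mac, self.victim.ip, pkt.sender_mac, pkt.sender_ip))
        else:
            super().handle_arp(pkt, segment)

    def poison(self, segment):
        # "Ways to make sure my answer is heard": unsolicited replies, repeated
        # as needed, so both ends' caches keep pointing at the attacker.
        segment.send_arp(Arp("reply", self.mac, self.victim.ip, self.gateway.mac, self.gateway.ip))
        segment.send_arp(Arp("reply", self.mac, self.gateway.ip, self.victim.mac, self.victim.ip))

    def handle_frame(self, frame, segment):
        # Look at the packet, then resend it to the real owner's MAC.
        self.sniffed.append(frame.payload)
        segment.send_frame(Frame(self.mac, self.real[frame.dst_ip], frame.src_ip, frame.dst_ip, frame.payload))


def run_scenario():
    """Router resolves the victim, attacker poisons both caches, one packet each
    way transits the attacker; returns cache state, deliveries and alerts."""
    watcher = ArpWatcher()
    gateway = Host("00:00:0c:00:00:01", "10.0.0.1")
    victim = Host("00:10:e0:00:00:10", "10.0.0.10")
    attacker = Attacker("00:10:e0:00:00:66", "10.0.0.66", victim, gateway)
    seg = Segment([gateway, victim, attacker], watcher)
    gateway.resolve(seg, victim.ip)   # victim and attacker both answer; attacker's reply lands last
    attacker.poison(seg)
    gateway.send_ip(seg, victim.ip, "GET /admin/ HTTP/1.0")
    victim.send_ip(seg, gateway.ip, "HTTP/1.0 200 OK")
    return {"gateway_cache": gateway.arp_cache[victim.ip], "victim_cache": victim.arp_cache[gateway.ip],
            "attacker_mac": attacker.mac, "victim_received": victim.received,
            "gateway_received": gateway.received, "sniffed": attacker.sniffed, "alerts": watcher.alerts}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Both ends receive exactly what they expected, so nothing at the application layer looks wrong; only the watcher, which saw the victim's legitimate reply before the attacker's, catches the three conflicting claims. That is the caveat for any first-seen detector: its baseline is only as good as the first packet it saw, so on a real segment seed the bindings from an inventory rather than from traffic. The switch here always unicasts by MAC; the CAM-table overload that makes some switches fall back to flooding is a separate failure and is not modeled.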