
| Subject: | RE: Router/Switches and viruses |
|---|---|
| Date: | Thu, 19 May 2005 20:11:28 -0400 |
Hi Aseeker,

I've worked with several worm breakouts and multiple DDOS attacks over the past year. Switches are generally not a problem (although bear in mind some low-end switches will have problems with volume), but ROUTERS are.

Most of the time, a low-end router will need to have ACLs disabled in order to stay up. A router is designed to forward traffic, rather than process the traffic according to an ACL, and then forward it. ACLs take up a lot of resource. If you then pass multiple-source volumes of traffic through such a router, you will kill it.

I have seen a single desktop machine take out a switch though, but only as it was a source of a broadcast storm, and was plugged twice into the same switch...

To prevent such an outage, make sure your L2 and L3 infrastructure can handle the maximum packets per second that each device can throw at it... If you run out of capacity, turn to Foundry or Extreme.

To mitigate the effects of such a 'rogue' PC, ensure you have things like STP enabled to cut out loops, and also segregate PCs into disparate LANs, and place an IPS in between to mitigate/stop the propagation of zero-day worms/viruses.

From what you've said, it is more network design that is your potential problem. A NIDS and Sniffer will help you out in the long run as a means of forensics, but only an IPS will PROTECT your networks if you deem that through risk analysis, this is protection you cannot do without.

Regards,

Tim

-----Original Message-----
From: Seek Knowledge [mailto:aseeker03@yahoo.com]
Sent: 03 May 2005 22:41
To: focus-ids@securityfocus.com
Subject: Router/Switches and viruses

Does anyone have any first-hand experience with a single infected desktop machine (or windows server for that matter) taking out a LAN switch?

Would anyone have any stories from the trenches of an infected machine causing a directly connected router to stop functioning?

If so, what could be done to prevent such an outage? What IDS/IPS strategy might one implement to prevent and/or at least detect such an event?

Thanks in advance.

ASeeker