RE: port security and SPAN

From: Bauer, Rick (BAUERR@toysrus.com)
Date: Thu Sep 05 2002 - 10:18:16 GMT-3


Security is futile; here is a nice little Linux tool that allows you to
sniff on a switch without using the SPAN port at all. It does it by
interception (poisoning the hosts' ARP caches) and resending the data to the
proper host. Pretty cool stuff. Check out the forums for more detailed
information.

http://ettercap.sourceforge.net

-----Original Message-----
From: Volkov, Dmitry (Toronto - BCE) [mailto:dmitry_volkov@ca.ml.com]
Sent: Wednesday, September 04, 2002 6:52 PM
To: 'ccielab@groupstudy.com'
Subject: RE: port security and SPAN

Ok, No answers :(

Well, I repeated all the steps described below on another switch, a 5513 Sup III
running CatOS 5.5(13a)
(the first test was done on a 5000 Sup II running CatOS 4.x).

When I tried to configure "set port security 3/6 enable" on the port where a
destination SPAN was previously configured, I got the message
"Feature not allowed on span port" - the switch refused it.
Well, I put "set port security 3/6 00-10-4b-a2-e7-39" and it was accepted.
Again I got a "monitor" port that was able to capture packets from the other port
and "port security" enabled at the same time.
So, despite
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_5/sw_cfg/sec_port.htm
saying "You cannot configure port security on a SPAN destination port and vice
versa." - you can do it!

Now, it looks like this is again an issue of interpretation of the words on CCO, because:

The sniffer need not be configured for TCP/IP. You can unbind TCP/IP from the NIC and
leave only the sniffer driver enabled on the NIC.
This is the well-known "stealth mode". In this case the switch port will not learn
any MAC address on the span port where the sniffer is plugged in. So "Port Security"
- even being enabled - just doesn't make sense in this case!

I think the sentence "You cannot configure port security on a SPAN
destination port and vice versa." can be interpreted as:
"You can do it, but why? Since port security will not be able to do the
functions it has to do."

Taking into consideration all of the above and below, it looks like it's very insecure
to leave a span port enabled, since there are no steps that can be taken to prevent
any user plugging anything in and sniffing traffic if a span session already exists.

Can somebody disprove it?

Thanks,

Dmitry

> -----Original Message-----
> From: Volkov, Dmitry (Toronto - BCE) [mailto:dmitry_volkov@ca.ml.com]
> Sent: Friday, August 30, 2002 3:35 PM
> To: 'ccielab@groupstudy.com'
> Subject: port security and SPAN
>
>
> Hi,
>
> CCO said: You cannot configure port security on a SPAN destination port and
> vice versa.
> I tried to configure it and it works. What I did:
>
> 1) plugged the sniffer laptop (MAC 00-10-4b-a2-e7-39) into port 3/6
> 2) sw-9> (enable) set span 3/2 3/6
> 3) sw-9> (enable) set port security 3/6 ena
> 4) 2002 Aug 30 09:51:46 EST -04:00 %SECURITY-1-PORTSHUTDOWN:Port 3/6 shutdown due to security violation
>    - Port went to "shutdown"
> 5) sw-9> (enable) set port 3/6 enable
> And now I have the port in monitor status and security enabled.
> The sniffer captures packets coming to/from port 3/2.
>
> sw-9> (enable) sh port 3/6
> Port  Name               Status     Vlan       Level  Duplex Speed Type
> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> 3/6                      monitor    30         high   a-full a-100 10/100BaseTX
>
> Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
> ----- -------- ----------------- ----------------- -------- -------- -------
> 3/6   enabled  00-10-4b-a2-e7-39                   No       disabled 268
>
> sw-9> (enable) sh span
> Status          : enabled
> Admin Source    : Port 3/2
> Oper Source     : Port 3/2
> Destination     : Port 3/6
> Direction       : transmit/receive
> Incoming Packets: disabled
>
> 6) I unplugged the laptop from 3/6 and plugged another host into 3/6 (different MAC)
> sw-9> (enable) 2002 Aug 30 10:08:39 EST -04:00 %SPANTREE-3-PORTDEL_FAILNOTFOUND: 3/6 in vlan 30 not found (LinkUpdPrcs)
> 2002 Aug 30 10:08:41 EST -04:00 %SECURITY-1-PORTSHUTDOWN:Port 3/6 shutdown due to security violation
>
> sw-9> (enable) sh port 3/6
> Port  Name               Status     Vlan       Level  Duplex Speed Type
> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> 3/6                      shutdown   30         high   auto   auto  10/100BaseTX
>
> Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
> ----- -------- ----------------- ----------------- -------- -------- -------
> 3/6   enabled  00-10-4b-a2-e7-39 00-00-0c-4e-47-88 Yes      disabled 268
>
> 7) I unplugged this host from 3/6 and plugged the laptop back into port 3/6
> 8) sw-9> (enable) set port enable 3/6
> 9) sw-9> (enable) sh port 3/6
> Port  Name               Status     Vlan       Level  Duplex Speed Type
> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> 3/6                      monitor    30         high   a-full a-100 10/100BaseTX
>
> Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
> ----- -------- ----------------- ----------------- -------- -------- -------
> 3/6   enabled  00-10-4b-a2-e7-39                   No       disabled 268
>
> The laptop captures packets.
>
> ANY comments?
>
> Thanks,
>
> Dmitry
>
> sw-9> (enable) sh ver
> WS-C5000 Software, Version McpSW: 4.5(9) NmpSW: 4.5(9)
> Copyright (c) 1995-2000 by Cisco Systems
> NMP S/W compiled on Sep 28 2000, 15:21:37
> MCP S/W compiled on Sep 28 2000, 15:25:26
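A defender-side check that follows from Dmitry's conclusion, added here as an example (it is not code from the thread, from Cisco, or from the ettercap project): it parses constructed CatOS `sh span` output and syslog lines modelled on the ones quoted above, flags the active SPAN destination port as exposing mirrored traffic regardless of port security, and separates that from the one case port security does catch (a transmitting host swapped onto the port). The field names, message text and port numbers are taken from the quoted output; the sample blocks are constructed, not captured.

```python
import re

# Constructed sample data modelled on the CatOS output quoted in the thread
# (the wrapped syslog lines are re-joined here); not captured from a real switch.
SHOW_SPAN = """\
Status          : enabled
Admin Source    : Port 3/2
Oper Source     : Port 3/2
Destination     : Port 3/6
Direction       : transmit/receive
Incoming Packets: disabled
"""
SYSLOG = """\
2002 Aug 30 09:51:46 EST -04:00 %SECURITY-1-PORTSHUTDOWN:Port 3/6 shutdown due to security violation
2002 Aug 30 10:08:39 EST -04:00 %SPANTREE-3-PORTDEL_FAILNOTFOUND: 3/6 in vlan 30 not found (LinkUpdPrcs)
2002 Aug 30 10:08:41 EST -04:00 %SECURITY-1-PORTSHUTDOWN:Port 3/6 shutdown due to security violation
"""
PORTSHUTDOWN = re.compile(r"%SECURITY-1-PORTSHUTDOWN:Port (\S+) shutdown")


def parse_show_span(text):
    """Turn the 'Field : value' lines of 'sh span' into a dict keyed by lower-cased field."""
    session = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if sep:
            session[field.strip().lower()] = value.strip()
    return session


def security_shutdowns(syslog):
    """Ports named in %SECURITY-1-PORTSHUTDOWN messages, in log order."""
    return [m.group(1) for m in map(PORTSHUTDOWN.search, syslog.splitlines()) if m]


def audit_span(span, syslog):
    """Findings an auditor would raise about an active SPAN session."""
    findings = []
    if span.get("status") != "enabled":
        return findings
    dest = re.sub(r"^Port\s+", "", span.get("destination", ""))
    findings.append(f"SPAN active: {span.get('oper source')} -> {dest} ({span.get('direction')})")
    # Port security only sees source MACs in frames the attached host sends; a
    # listen-only sniffer sends none, so it is never learned and never shut down.
    findings.append(f"port {dest}: mirrored traffic exposed to a passive listener; "
                    "port security gives no protection here")
    # A shutdown on the destination means a *transmitting* host was attached,
    # which is the only case the feature can catch.
    for port in security_shutdowns(syslog):
        if port == dest:
            findings.append(f"port {dest}: port-security shutdown, a transmitting host was attached")
    return findings
```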



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:44 GMT-3