427 Botnet fm qxd



Botnets - The killer web applications

www.syngress.com
Chapter 5 • Botnet Detection: Tools and Techniques


the fan-out attack can be reduced. This design idea simply limits exposure to possible Layer 2 problems from both the redundancy point of view and the “your neighbors might be dangerous” point of view.
2. The default ARP cache timeout value on Cisco routers is 4 hours. The default forwarding table timeout on switches is likely to be 5 minutes. Ironically, adaptive learning in Layer 2 switches is typically a side effect of an ARP broadcast. As a result, the switch learns where the sender lives and stops flooding unicast packets to it in the direction of other hosts. If, however, the flooding is happening because the switch does not know where the host is to be found and a hacker installs a password sniffer on another host, the hacker could see unicast packets you would very much prefer they not see. The hacker does not need to attack the switch with a forwarding table overflow attack. All he or she needs to do is wait, and, of course, programs are very good at waiting. You might set the switch forwarding table time to match the router or choose a compromise time with the forwarding table time set higher and the router time set lower. In any case, setting them to be the same to minimize unicast segmentation failure seems a good idea.
3. It can be useful to combine VLANs on switches and router ACLs to simply make IP addresses assigned to network infrastructure devices such as wireless access points and Ethernet switches unreachable by ordinary hosts. For example, all the switch ports might be “findable” on private net 10/8 and made reachable by a VLAN (or two). As a result, we can hope that the local malware infection cannot launch an attack against infrastructure boxes.
One final point is that switches can have logging as well. Logging based
on various Layer 2 isolation violations can thus alert you to a hacked system.
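
The timer mismatch described in item 2, as an added example that is not from the book: a toy Python model that counts how many unicast frames a switch floods to every port for different router ARP and switch forwarding-table timeouts. The traffic pattern (a host that transmits only when it answers an ARP request), the 10-second send interval, and the function name are assumptions made for illustration.

```python
"""Toy model of the ARP-cache vs. switch forwarding-table timer mismatch."""


def flooded_frames(arp_timeout, mac_aging, duration, interval=10):
    """Return (flooded, total) unicast frames over `duration` seconds.

    Assumed model (a simplification, not vendor behaviour): a router sends
    one unicast frame every `interval` seconds to a quiet host that only
    transmits when it answers an ARP request.
    """
    arp_learned = None  # when the router last resolved the host via ARP
    mac_seen = None     # when the switch last saw a frame from the host
    flooded = total = 0
    for now in range(0, duration, interval):
        # Router: a missing or expired ARP entry triggers an ARP broadcast.
        if arp_learned is None or now - arp_learned >= arp_timeout:
            arp_learned = now
            mac_seen = now  # the host's ARP reply teaches the switch its port
        # Switch: the entry is usable only until the aging timer expires.
        known = now - mac_seen < mac_aging
        total += 1
        if not known:
            flooded += 1    # unknown destination: a copy goes out every port
    return flooded, total


if __name__ == "__main__":
    four_hours = 4 * 60 * 60
    cases = [
        ("defaults: ARP 4 h, switch 5 min", 14400, 300),
        ("switch matched to router (4 h)", 14400, 14400),
        ("router matched to switch (5 min)", 300, 300),
        ("compromise: ARP 30 min, switch 1 h", 1800, 3600),
    ]
    for label, arp, mac in cases:
        flooded, total = flooded_frames(arp, mac, four_hours)
        print(f"{label:36s} flooded {flooded:4d} of {total} frames")
```

With the default timers, the switch knows the host's port only for the first five minutes of each four-hour ARP cycle, so a sniffer on any other port just has to wait; with matched or compromise timers the model floods nothing.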
