Hi,

I've heard about possible attacks below OSI levels 2 and 3, i.e. against the network card driver and the HW or something like that. Does anybody know something about it? Is there somewhere specific documentation / information / tools to document and address that kind of vulnerability?

Any info appreciated,
Olivier.

------------------------------------------------------------------------------------------------
Olivier Hislaire
MSG International          Email: O.Hislaire@msg-i.com
97 Avenue de Tervuren      Phone: +32 (0)2 735.91.59 Ext. 55
1040 Brussels              Fax: +32 (0)2 732.12.19
Belgium                    http://www.msg-i.com
------------------------------------------------------------------------------------------------

On Fri, Mar 01, 2002 at 10:20:05AM +0100, Olivier Hislaire wrote:
> Hi,
>
> I've heard about possible attacks below OSI levels 2 and 3, i.e. against the network card driver and the HW or something like that. Does anybody know something about it? Is there somewhere specific documentation / information / tools to document and address that kind of vulnerability?
>
> Any info appreciated,
> Olivier.

The only thing below OSI layer 2 is the physical layer. I've never heard of attacks on the firmware of a network card unless it somehow allows remote flash upgrades or something. I don't think you have much to worry about. Also, remember that TCP/IP doesn't use OSI protocols, it is a 4 layer system that doesn't map very well to the OSI model.

Most modern attacks are actually above layer 3 using buffer overflows or flaws in things like web scripting services (CGI, ASP, PHP), FTP servers, Mail servers, etc. And the most popular in the Windows world are executable e-mail attachments.

Here are some good security sites to bookmark:

http://www.cert.org/
http://www.securityfocus.com/
http://www.antionline.com/

Regards,
Keith
--
LPIC-2, MCSE, N+
wielder of vi(m), an ancient, dangerous and powerful magic
Don't get lost, show no fear, and you'll be ready for a new frontier -- d.w.

Thanks Keith, you make me feel a little bit more comfortable.

Since, some kind of security specialist who wants me to be very afraid (because he has services to sell) told me the following:

1) he claims most of the attacks today occur below IP (I am unsure of this),
2) he claims my DMZ (ethernet) can be reached by encapsulating ethernet frames within an IP packet and that
3) using this way (or another?) it is easy to attack my hosts using low-level protocols weakness (arp, and so on)

His conclusion is that we're weak - of course.

What do you think of this? I am browsing the net since a couple of hours looking for information about that kind of threats but can hardly find relevant references.

Olivier.

At 07:55 AM 3/1/02 -0500, you wrote:
> On Fri, Mar 01, 2002 at 10:20:05AM +0100, Olivier Hislaire wrote:
>> Hi,
>>
>> I've heard about possible attacks below OSI levels 2 and 3, i.e. against the network card driver and the HW or something like that. Does anybody know something about it? Is there somewhere specific documentation / information / tools to document and address that kind of vulnerability?
>>
>> Any info appreciated,
>> Olivier.
>
> The only thing below OSI layer 2 is the physical layer. I've never heard of attacks on the firmware of a network card unless it somehow allows remote flash upgrades or something. I don't think you have much to worry about. Also, remember that TCP/IP doesn't use OSI protocols, it is a 4 layer system that doesn't map very well to the OSI model.
>
> Most modern attacks are actually above layer 3 using buffer overflows or flaws in things like web scripting services (CGI, ASP, PHP), FTP servers, Mail servers, etc. And the most popular in the Windows world are executable e-mail attachments.
>
> Here are some good security sites to bookmark:
>
> http://www.cert.org/
> http://www.securityfocus.com/
> http://www.antionline.com/
>
> Regards,
> Keith
> --
> LPIC-2, MCSE, N+
> wielder of vi(m), an ancient, dangerous and powerful magic
> Don't get lost, show no fear, and you'll be ready for a new frontier -- d.w.

On Fri, Mar 01, 2002 at 05:25:09PM +0100, Olivier Hislaire wrote:
> 1) he claims most of the attacks today occur below IP (I am unsure of this),
> 2) he claims my DMZ (ethernet) can be reached by encapsulating ethernet frames within an IP packet and that
> 3) using this way (or another?) it is easy to attack my hosts using low-level protocols weakness (arp, and so on)

The only attack I am aware of below IP is called an arp poisoning. ARP is the address resolution protocol that hubs/switches/routers use to find MAC addresses on a network to associate with IPs. The attack works by sending fake arp responses to the router/switch so it will incorrectly route packets to the attacking computer instead of where it is supposed to go. However, this is only effective if the attacker is on the same local network, meaning he's inside your building plugged into your LAN. Also, the attack can end up crashing the router/switch.

I think for an outsider to use this, he would have to compromise your firewall or gain control of a computer inside. This is a very sophisticated attack to pull off.

Please note, I am not a full time security consultant, but I do manage the firewalls for a couple of clients so I know *something* about security. In my experience, I see many more problems with e-mail viruses and web servers. There are lots of easier ways for people to get your information than to try to penetrate your firewall.

Best Regards,
Keith
--
LPIC-2, MCSE, N+
wielder of vi(m), an ancient, dangerous and powerful magic
Don't get lost, show no fear, and you'll be ready for a new frontier -- d.w.
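
A defender-side illustration of the ARP poisoning discussed in the message above, added here and not part of the original thread: it parses raw Ethernet/ARP frames and flags an IP address that is later claimed by a different MAC. The frames, MAC addresses and 192.0.2.x addresses are constructed sample data, and `build`, `parse_arp` and `detect` are hypothetical names.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 body for Ethernet/IPv4 (28 bytes)

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, eth_src_mac), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None                        # truncated frame
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0806:                # not ARP
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac(sha), ip(spa), mac(src)

def detect(frames):
    """Flag ARP packets that rebind a known IP to another MAC, or whose
    ARP sender MAC differs from the Ethernet source MAC."""
    table, alerts = {}, []                 # table: first-seen IP -> MAC binding
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, sha, spa, eth_src = parsed
        if sha != eth_src:
            alerts.append(("sender-mismatch", spa, eth_src, sha))
        known = table.setdefault(spa, sha)
        if known != sha:                   # keep the first binding so repeats keep alerting
            alerts.append(("rebind", spa, known, sha))
    return alerts

def build(src_mac, sender_mac, sender_ip, op=2):
    """Construct a sample ARP frame (test data only, broadcast destination)."""
    eth = ETH_HDR.pack(b"\xff" * 6, bytes.fromhex(src_mac), 0x0806)
    spa = bytes(int(x) for x in sender_ip.split("."))
    return eth + ARP_PKT.pack(1, 0x0800, 6, 4, op, bytes.fromhex(sender_mac),
                              spa, b"\0" * 6, bytes([192, 0, 2, 50]))

SAMPLE = [  # constructed traffic: gateway, a host, then a second MAC claiming the gateway IP
    build("020000000001", "020000000001", "192.0.2.1"),
    build("020000000010", "020000000010", "192.0.2.10"),
    build("0200000000ee", "0200000000ee", "192.0.2.1"),
    b"\x00" * 10,                          # truncated frame, ignored
]
```

A legitimate NIC replacement or failover also produces a `rebind` alert, so the output is a prompt to investigate rather than proof of an attack.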