On Fri, Mar 01, 2002 at 05:25:09PM +0100, Olivier Hislaire wrote:
> - he claims most of the attack today occur below IP (I am unsure of this),
> - he claims my DMZ (ethernet) can be reached by encapsulating ethernet frames within an IP packet and that
> - using this way (or another ?) it is easy to attack my hosts using low-level protocols weakness (arp, and so on)
The only attack I am aware of below IP is called ARP poisoning. ARP is the Address Resolution Protocol that hubs/switches/routers use to find MAC addresses on a network to associate with IPs. The attack works by sending fake ARP responses to the router/switch so it will incorrectly route packets to the attacking computer instead of where they are supposed to go. However, this is only effective if the attacker is on the same local network, meaning he's inside your building plugged into your LAN. Also, the attack can end up crashing the router/switch. I think for an outsider to use this, he would have to compromise your firewall or gain control of a computer inside. This is a very sophisticated attack to pull off.

Please note, I am not a full time security consultant, but I do manage the firewalls for a couple of clients so I know *something* about security. In my experience, I see many more problems with e-mail viruses and web servers. There are lots of easier ways for people to get your information than to try to penetrate your firewall.

Best Regards,
Keith

--
LPIC-2, MCSE, N+
wielder of vi(m), an ancient, dangerous and powerful magic
Don't get lost, show no fear, and you'll be ready for a new frontier -- d.w.
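As an added illustration of the ARP poisoning described above (example code, not part of the original thread): the defender's side of the problem is spotting an IP address that suddenly claims a different MAC in ARP replies. The script below parses raw Ethernet/ARP frames and reports such conflicts; the frames, MACs and IPs are constructed sample data, not captured traffic.

```python
import struct
from collections import defaultdict

# Ethernet-framed ARP: htype, ptype, hlen, plen, opcode, sender MAC/IP, target MAC/IP.
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ARP_REPLY = 2

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip, opcode) from an Ethernet frame carrying ARP, else None."""
    if len(frame) < 14 + ARP_HDR.size or frame[12:14] != b"\x08\x06":
        return None  # too short, or EtherType is not ARP
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    mac = ":".join(f"{b:02x}" for b in sha)
    ip = ".".join(str(b) for b in spa)
    return mac, ip, op

def detect_poisoning(frames):
    """Track IP->MAC bindings seen in ARP replies; report IPs claimed by more than one MAC."""
    seen = defaultdict(set)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] != ARP_REPLY:
            continue
        mac, ip, _ = parsed
        if seen[ip] and mac not in seen[ip]:
            alerts.append((ip, sorted(seen[ip]), mac))  # conflicting binding
        seen[ip].add(mac)
    return alerts

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct a sample ARP reply frame in memory (test data only)."""
    eth = target_mac + sender_mac + b"\x08\x06"
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)

# Constructed addresses: a gateway, a host, and a second MAC later claiming the gateway IP.
GATEWAY_IP = bytes([192, 168, 1, 1])
HOST_MAC = bytes.fromhex("00aabbccddee")
HOST_IP = bytes([192, 168, 1, 50])
REAL_GW_MAC = bytes.fromhex("001122334455")
ROGUE_MAC = bytes.fromhex("66778899aabb")
SAMPLE_FRAMES = [
    build_arp_reply(REAL_GW_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),  # legitimate reply
    build_arp_reply(REAL_GW_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),  # same binding, no alert
    build_arp_reply(ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),    # gateway IP now claimed by another MAC
]
```

Running detect_poisoning(SAMPLE_FRAMES) returns one alert for 192.168.1.1, which is the signal a monitoring host on the LAN would act on; only hosts on the same segment can see these frames, which matches the point above that the attacker must already be inside.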