On Tue, 31 Jul 2001 13:45:33 PDT, Dan Hollis said:
> Hmmm, how about I lockdown all MAC addresses on switch ports and configure port IP filters and set the switch so filter violations automatically disable your port?
I'd love to do this to our users. I've suggested it. I was promptly told that if implemented, I'd be the guy answering the phone each time one of our 30K users replaced an Ethernet card or moved a computer across a room and plugged it into another "Known Working" portal. ;)

However, we *do* dump the ARP caches on every switch every 5 minutes and keep a database on every time we see a change on a port. Good thing disk space is cheap, we've got the data going back to <when the heck did managed switches/hubs hit the market>. No, it's not as secure - but I'd like to get work done once in a while too. ;)

You want *security*? I'm surprised nobody has suggested running cable in pressurized conduit - I fully believe some paranoid TLA's use 400PSI and a pressure-drop alarm as a deterrent. I keep hearing rumors that involve 400PSI nerve gas, and I'm not sure if anybody is THAT paranoid. ;)

The rest of us need to balance security against getting work done. Sure, there's MIM attacks against SSH. On the other hand, I'm pretty sure that if somebody talented enough that they can man-in-middle an SSH session *without* me seeing a "host key has changed" message decides to attack me, there isn't much I'll be able to do to stop him anyhow. On the other hand, I need to smack the admins of the 48 machines of ours that got CodeRed'ed. Guess which is considered more important by our management, smacking the CodeRed machines, or worrying about SSH holes? ;)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
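The per-port change tracking Valdis describes (dump the switch tables on a schedule, record every change on a port) can be done with a small diff of consecutive snapshots. This is an added example, not code from the post or from Virginia Tech; the "port mac" dump format, port names and MAC addresses are constructed for illustration.

```python
import re

# Constructed sample dumps: one "port mac" pair per line, as two consecutive
# 5-minute polls of the same switch might produce. Not data from the post.
SNAPSHOT_T0 = """\
Gi0/1 00:11:22:33:44:55
Gi0/2 00:11:22:33:44:66
Gi0/3 00:11:22:33:44:77
"""
SNAPSHOT_T1 = """\
Gi0/1 00:11:22:33:44:55
Gi0/2 00:11:22:33:44:99
Gi0/4 00:11:22:33:44:77
"""

MAC_RE = re.compile(r"^\s*(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I)

def parse_snapshot(text):
    """Return {port: set_of_macs} from one dump; lines that do not parse are skipped."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if not m:
            continue
        port, mac = m.group(1), m.group(2).lower()
        table.setdefault(port, set()).add(mac)
    return table

def diff_snapshots(old, new, seen_at):
    """One event per port whose MAC set changed, plus a list of MACs that moved ports."""
    events = []
    for port in sorted(set(old) | set(new)):
        before, after = old.get(port, set()), new.get(port, set())
        if before != after:
            events.append({"time": seen_at, "port": port,
                           "old": sorted(before), "new": sorted(after)})
    # A MAC that reappears on a different port is either a machine moved across
    # the room or an address being borrowed; flag it separately from plain changes.
    old_loc = {mac: p for p, macs in old.items() for mac in macs}
    moves = [{"time": seen_at, "mac": mac, "from": old_loc[mac], "to": port}
             for port, macs in new.items() for mac in sorted(macs)
             if mac in old_loc and old_loc[mac] != port]
    return events, moves

if __name__ == "__main__":
    ev, mv = diff_snapshots(parse_snapshot(SNAPSHOT_T0), parse_snapshot(SNAPSHOT_T1), "t1")
    for record in ev + mv:
        print(record)  # append these to the per-port change database instead
```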