[c-nsp] securing a vrrp setup
bangky
mailinglist at bangky.net
Fri Dec 28 05:45:29 EST 2007
Hi Gert,
Thanks for the prompt reply.
> When I read questions like this, I always wonder "yes, someone could
> do this, but for what goal?".
Sorry if the first email wasn't very specific.
What I'm looking at is securing a VRRP setup within a LAN, and not in a
WAN environment.
What I'm worried about is that by adding a rogue router to the network,
an attacker would be able to direct traffic through the rogue router,
thus effectively being able to execute man-in-the-middle attacks, or at
the very least, sniff packets off the wire. I understand that
implementing some form of NAC would be able to stop the rogue router;
however, due to the prohibitively high costs of implementing NAC, I would
like to seek other solutions to this problem.
Thanks once again for your kind reply and hopefully this makes the
situation a little clearer.
--
bangky
Gert Doering wrote:
> Hi,
>
> On Fri, Dec 28, 2007 at 05:13:55PM +0800, bangky wrote:
>
>> I am looking into how to secure a VRRP setup.
>> Could someone please let me know whether it's possible to prevent a
>> rogue router from taking over as the VRRP master?
>>
>
> When I read questions like this, I always wonder "yes, someone could
> do this, but for what goal?".
>
> When we do VRRP setups towards our customers, the only person that
> would be able to do VRRP spoofing is the customer itself (only one
> customer per L3 segment) - and all they could achieve is "drop themselves
> off the network", for which there are easier means ("unplug their
> ethernet cable").
>
> If you put different customers into the same L3 segment, there are other
> fun ways that one of them can do mischief, like "use an IP address that
> belongs to another customer", "ARP spoofing" (to sniff/interject traffic),
> etc.
>
> gert
>
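The concern raised in this thread is a device on the same segment sending VRRPv2 advertisements with a higher priority than the legitimate routers. One cheap, NAC-free way to notice that is to audit the advertisements seen on the segment (IP protocol 112 to 224.0.0.18, e.g. from a SPAN port) against a baseline of which routers, priorities and virtual addresses the operator expects. The script below is an added example written for this page, not code from the thread or from any vendor; it follows the RFC 3768 VRRPv2 packet layout, and every address, VRID and priority in it is constructed from RFC 5737 documentation space.

```python
"""Audit captured VRRPv2 advertisements against a known-good baseline.

Added example, not from the original thread. Assumes the caller already
has the VRRP payload (IP protocol 112, destination 224.0.0.18) and the
source IP of each packet. All addresses, VRIDs and priorities below are
constructed sample values (RFC 5737 documentation space).
"""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class VrrpAdvert:
    vrid: int
    priority: int
    addresses: list
    auth_type: int
    adver_int: int
    checksum_ok: bool


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid, priority, addresses, auth_type=0, adver_int=1):
    """Serialise a VRRPv2 advertisement (RFC 3768 layout) with a valid checksum."""
    # version 2, type 1 (advertisement) -> 0x21; checksum field zeroed for now
    body = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addresses), auth_type, adver_int, 0)
    body += b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    body += b"\x00" * 8  # authentication data (unused when auth_type == 0)
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def parse_advert(payload: bytes) -> VrrpAdvert:
    """Decode the fixed header, the virtual addresses and verify the checksum."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", payload[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    need = 8 + 4 * count + 8
    if len(payload) < need:
        raise ValueError("truncated address/auth fields")
    addrs = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    # A message carrying a correct checksum sums to zero under the same routine.
    return VrrpAdvert(vrid, prio, addrs, auth_type, adver_int, inet_checksum(payload[:need]) == 0)


# Constructed baseline: the routers, highest priority and virtual IP the operator expects.
BASELINE = {
    10: {"routers": {"192.0.2.2", "192.0.2.3"}, "max_priority": 150, "vip": ["192.0.2.1"]},
}


def check_advert(src_ip: str, adv: VrrpAdvert, baseline=BASELINE) -> list:
    """Return a list of alert strings (empty when the advertisement matches the baseline)."""
    alerts = []
    if not adv.checksum_ok:
        alerts.append("bad checksum")
    group = baseline.get(adv.vrid)
    if group is None:
        return alerts + [f"unknown VRID {adv.vrid} from {src_ip}"]
    if src_ip not in group["routers"]:
        alerts.append(f"VRID {adv.vrid}: advertisement from unexpected router {src_ip}")
    if adv.priority > group["max_priority"]:
        alerts.append(f"VRID {adv.vrid}: priority {adv.priority} exceeds baseline {group['max_priority']}")
    if adv.addresses != group["vip"]:
        alerts.append(f"VRID {adv.vrid}: virtual address {adv.addresses} != {group['vip']}")
    return alerts


def audit(packets, baseline=BASELINE) -> dict:
    """Map each source IP to the alerts raised by its advertisements."""
    findings = {}
    for src_ip, payload in packets:
        findings.setdefault(src_ip, []).extend(check_advert(src_ip, parse_advert(payload), baseline))
    return findings


def sample_capture():
    """Constructed capture: the two expected routers plus one unexpected high-priority sender."""
    return [
        ("192.0.2.2", build_advert(10, 150, ["192.0.2.1"])),
        ("192.0.2.3", build_advert(10, 100, ["192.0.2.1"])),
        ("192.0.2.99", build_advert(10, 254, ["192.0.2.1"])),
    ]


if __name__ == "__main__":
    for src, alerts in audit(sample_capture()).items():
        print(src, alerts or "ok")
```

The source-IP check on its own is weak, since a device that can inject advertisements can also forge the source address of a legitimate router; the priority and virtual-address comparisons are the checks that still fire in that case, and correlating the sending MAC address or switch port with the baseline (not shown here) closes the remaining gap. The audit is passive, so it fits a segment where NAC is not an option, but it detects a takeover rather than preventing one.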