[c-nsp] securing a vrrp setup
Gert Doering
gert at greenie.muc.de
Fri Dec 28 06:02:58 EST 2007
Hi,
On Fri, Dec 28, 2007 at 06:45:29PM +0800, bangky wrote:
> When I read questions like this, I always wonder "yes, someone could
> do this, but for what goal?".
>
> Sorry if the first email wasn't very specific.
> What I'm looking at is securing a VRRP setup within a LAN, and not in a
> WAN environment.
>
> What I'm worried about is that by adding a rogue router to the network,
> an attacker would be able to direct traffic through the rogue router,
> thus effectively being able to execute man-in-the-middle attacks, or at
> the very least, sniff packets off the wire.
What sort of "attacker" do you have in mind? Who has access to the network?
If someone has unauthorized access to your network, there are much easier
avenues to steal other people's traffic, like MAC address / ARP spoofing
attacks. To protect against *this* scenario, about the only thing really
effective is 802.1x authentication on *all* LAN ports.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
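
Added example, not part of the original message: a sketch of how a monitoring host could flag VRRP advertisements that do not come from the expected routers, which is the rogue-router case raised in the quoted question. The field layout follows RFC 3768 (VRRPv2); the `EXPECTED` inventory, the addresses, the function names, and the sample packets are all constructed assumptions.

```python
import struct

# Assumed inventory: VRID -> source IPs of the routers allowed to advertise it.
EXPECTED = {10: {"192.0.2.2", "192.0.2.3"}}

# Constructed VRRPv2 advertisements for VRID 10, virtual IP 192.0.2.1.
GOOD = bytes.fromhex("210a64010001b8f1c00002010000000000000000")       # priority 100
HIGH_PRIO = bytes.fromhex("210aff0100011df1c00002010000000000000000")  # priority 255

def checksum(data: bytes) -> int:
    """16-bit one's-complement checksum; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def inspect(src: str, ttl: int, msg: bytes) -> list[str]:
    """Return the reasons an advertisement is suspicious; empty means expected."""
    if len(msg) < 8:
        return ["truncated VRRP message"]
    ver_type, vrid, priority = struct.unpack("!BBB", msg[:3])
    findings = []
    if ver_type != 0x21:  # version 2, type 1 (advertisement)
        findings.append("not a VRRPv2 advertisement")
    if ttl != 255:  # RFC 3768 requires receivers to discard any other TTL
        findings.append("IP TTL is not 255")
    if checksum(msg) != 0:
        findings.append("bad checksum")
    if src not in EXPECTED.get(vrid, set()):
        findings.append(f"unexpected source {src} for VRID {vrid} (priority {priority})")
    return findings

if __name__ == "__main__":
    # Constructed observations: (IP source, IP TTL, VRRP payload).
    for src, ttl, msg in [("192.0.2.2", 255, GOOD), ("192.0.2.66", 255, HIGH_PRIO)]:
        print(src, inspect(src, ttl, msg) or "ok")
```

This check only covers VRRP advertisements; it does not see the MAC address / ARP spoofing that the reply describes as the easier avenue.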