<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
what if I compromised a host on the same switch as the servers and
used ARP spoofing or overflowed the CAM table, or any other number
of L2 attacks to then sniff your unencrypted data?<br>
<br>
I have compromised many lower "importance" hosts and then pivoted
inward and pcapped $sensitive_data because admins don't understand
the idea of layered defense.<br>
<br>
PCI is generally bullshit, but on this point, your auditor is right.<br>
<br>
and if you're going to implement TLS between the servers, please,
use PFS.<br>
<br>
<div class="moz-cite-prefix">On 12/10/2013 7:45 PM, Brian Mathis
wrote:<br>
</div>
<blockquote
cite="mid:CALKwpEzxSbOzW8_Ckwywv8d-L01tfwaR=5gWwhqDjyWeSLOnFw@mail.gmail.com"
type="cite">
<div dir="ltr">If the local switch was compromised and placed into
monitor mode, then a 3rd party could sniff the traffic, but now
you're talking some really specific case. It's generally
considered secure to have one server talk to another over a
local switch, otherwise things like NFS and databases would be a
huge pain, if not impossible to use. <br>
<div>
<div><br>
</div>
<div>However, which do you consider more of a threat? The
overhead of switching to HTTPS, or an auditor who fails you
on an audit? Maybe you would pick the former, but I'm sure
your business would pick the latter. Keeping auditors happy
is just as important as "real" work.<br>
<br>
</div>
<div>
<div>
<div class="gmail_extra"><br clear="all">
<div>❧ Brian Mathis</div>
<br>
<br>
<div class="gmail_quote">On Tue, Dec 10, 2013 at 5:42
PM, Neal Rhodes <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:neal@mnopltd.com" target="_blank">neal@mnopltd.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
I hear that. But two servers, same rack, plugged
into the same switch, on the same LAN, will not
hit their gateway router - they will ARP to find
each other, and talk through the switch, and you
ain't gonna see any of that, even if you managed
to plug into the data center switch. Correct? <br>
<br>
We're playing a little devil's advocate here,
trying to decide if we're looking at securing
against a realistic threat or just keeping the
auditors happy. <br>
<div>
<div class="h5">
<br>
On Tue, 2013-12-10 at 17:02 -0500, JD wrote:
<blockquote type="CITE">
<pre>If 2 locations are connected through public internet, don't trust it. There are
routing attacks which have been known for years and I suspect any 2 sites using
HTTP or HTTPS connections in that way will be unlikely to be monitoring network
performance at much detail.
Servers should be on a different subnet and fire walled from desktops even in
the same location.
Can't recall where I saw a recent article about this, but routing has both
accidentally and with clear purpose caused traffic to be sent very far away from
expected places. Recall when all youtube traffic was sent through Pakistan
"accidentally"? I am positive that could be done between two corporate locations
using the internet for connections too.
IPSec. Not sure I'd trust anything less.
On 12/10/2013 02:08 PM, Neal Rhodes wrote:
> So, picture two servers which talk to each other within a corporate LAN/WAN in a
> data center, and worker bees in an office location elsewhere in the same city,
> who only have hard-wired LAN access, and assume they have IP connectivity to the
> data center.
>
> And picture that these two servers have an unsecured http protocol they talk over.
>
> And picture a worker bee with too much time on their hands and the intent to
> hijack this.
>
> If said worker bee managed to get WireShark or similar installed on their
> workstation, they could sniff whatever that hard Cat5 cable can see. Which,
> assuming it is connected to a switch, not an old-fashioned hub, is pretty much
> zilch. Basically their own traffic.
>
> They can't see most traffic to/from the guy in the next cubicle to the servers,
> because the switch doesn't normally let them see it. For performance reasons,
> it isolates each LAN port. They can't see any of the server-server packets,
> because the two routers in between behave like switches, not hubs, and don't
> route local server-server traffic.
>
> So, assuming that Wifi is not available, it seems like the LAN sniffer attack
> vector based on seeing what is happening is pretty much moot. That is not to
> say that actively probing isn't rewarding.
>
> Let's take it one step farther: presume that it is trivial for these two servers
> to switch from talking <a class="moz-txt-link-freetext" href="http:80">http:80</a> to each other and start talking <a class="moz-txt-link-freetext" href="https:443">https:443</a> to each
> other. From the perspective above, this is a negligible practical
> improvement. It only gets interesting if we imagine someone able to get onto
> the local LAN in the data center. But even then, presuming that is also a
> switch, they ain't gonna see spit.
>
> Let's take it one step farther: assume that they could in fact compromise the
> data center switch, and capture a pile of the https traffic between servers.
> Would we logically assume that given today's technology that they could manage
> to decrypt it with enough CPU and time?
>
> Thoughts?
>
> Neal Rhodes
> MNOP Ltd
>
>
_______________________________________________
Ale mailing list
<a moz-do-not-send="true" href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a>
<a moz-do-not-send="true" href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a>
See JOBS, ANNOUNCE and SCHOOLS lists at
<a moz-do-not-send="true" href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a moz-do-not-send="true" href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo/ale"
target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo"
target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Ale mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ale@ale.org">Ale@ale.org</a>
<a class="moz-txt-link-freetext" href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a>
See JOBS, ANNOUNCE and SCHOOLS lists at
<a class="moz-txt-link-freetext" href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a>
</pre>
</blockquote>
<br>
</body>
</html>