The Switches Get Stitches crew has been hard at work on quite a few switching projects. Indeed, they released a new exploit tool against GE and GarrettCom switches early this morning after, according to the team, trying for at least one year to get a fix for a Denial of Service bug.
Backdoors, authentication bypass, and lack of firmware signing are all fine and good, but we wonder: what can you really do with this kind of access?
It turns out, quite nasty things.
Most end users who are taking a strong defensive stance on their networks are deploying IDS or NSM. Feeding these systems with data requires configuring various managed switches around the network to mirror traffic from switch ports.
One of the configuration questions that comes up with NSM and IDS is what to mirror. Most switch manufacturers document their SPAN and mirroring configuration guidelines with a small caveat: if you are mirroring more than one source port to a given destination port, you may end up dropping packets on the mirror (if, for example, all of your sources are saturating a 1Gb link, then the 1Gb mirror port cannot receive data quickly enough to see everything).
So when IDS and NSM systems are deployed, we often set them up like this: