Re: Theory Question

From: John Howie (JHowie@msn.com)
Date: 04/08/01


From: "John Howie" <JHowie@msn.com>
To: "James Wyatt" <jwyatt@rwsystems.net>, <freebsd-security@freebsd.org>
Date: Sun, 8 Apr 2001 02:22:12 -0700


----- Original Message -----
From: "James Wyatt" <jwyatt@rwsystems.net>
To: "John Howie" <JHowie@msn.com>
Cc: "Jacques A. Vidrine" <n@nectar.com>; "Crist Clark"
<crist.clark@globalstar.com>; <lee@kechara.net>;
<freebsd-security@FreeBSD.ORG>
Sent: Saturday, April 07, 2001 8:16 PM
Subject: Re: Theory Question

> If you have a large network to protect, maintaining a separate monitoring
> network for out-of-band control (of the main network which is subject to
> attack) can be pretty costly. I've seen VLANs suggested for large outfits,
> but that can be attacked at the switch level. You can use voice channels
> and PPP over serial, but filter the heck out of it and don't set a default
> route. At some point you will have to network to your IDS box if you want
> much functionality from it. If you simply have the box set to log out the
> serial port, it can be easily overrun (DoSed) if you have a good net
> connection.
>

James,

I have had so many people suggest VLANs as an acceptable security solution
that it makes me wonder... Is there someone out there (presumably a hacker)
pushing them? I agree with you, they are not secure. That is why I always
push for a separate physical network. And I always say that if it should
ever be compromised you just blow it away and reconstruct it. In fact, I use
the term "Victim Network" to describe an IDS/monitoring network.

john...
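The quoted advice above (filter the out-of-band link heavily and never hand it a default route) is the kind of thing that drifts during maintenance, so it is worth checking mechanically. The following is an added example, not part of this thread or any FreeBSD tool: a small Python audit that reads FreeBSD-style `netstat -rn` output and an `ipfw list`-style ruleset and reports violations of those two invariants for the monitoring link. The interface name `ppp0`, the addresses `10.9.9.1` (monitoring host) and `10.9.9.2` (local end), and the sample routing table and rules are all constructed for illustration.

```python
"""Audit an out-of-band (OOB) monitoring link for two properties:
   1. no default route points out the OOB interface, and
   2. the ipfw rules scoped to that interface admit only the monitoring
      peer and end in a catch-all deny.
Example code; addresses, interface and sample output are hypothetical."""
import re
from typing import Dict, List

# Constructed `netstat -rn` output in FreeBSD layout (not captured from a real host).
SAMPLE_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        3      120    fxp0
10.9.9.1           10.9.9.2           UH          0       40    ppp0
127.0.0.1          127.0.0.1          UH          1       10    lo0
192.168.1/24       link#1             UC          0        0    fxp0
"""

# Constructed `ipfw list` output for the OOB link: ssh in from the peer,
# return traffic for established sessions, ping both ways, then deny the rest.
SAMPLE_RULES = [
    "00100 allow tcp from 10.9.9.1 to 10.9.9.2 22 in via ppp0 setup",
    "00110 allow tcp from 10.9.9.1 to 10.9.9.2 via ppp0 established",
    "00120 allow icmp from 10.9.9.1 to 10.9.9.2 in via ppp0 icmptypes 8",
    "00130 allow icmp from 10.9.9.2 to 10.9.9.1 out via ppp0 icmptypes 0",
    "00199 deny log ip from any to any via ppp0",
    "65535 allow ip from any to any",
]

# Deliberately broken variants to show what the audit flags.
BAD_ROUTES = SAMPLE_ROUTES.replace(
    "default            192.168.1.1        UGSc        3      120    fxp0",
    "default            10.9.9.1           UGSc        3      120    ppp0")
BAD_RULES = SAMPLE_RULES[:4] + ["00199 allow ip from any to any via ppp0"] + SAMPLE_RULES[5:]


def parse_routes(netstat_text: str) -> List[Dict[str, str]]:
    """Parse the routing table rows that follow the 'Destination' header.
    Banner lines and rows with fewer than six columns are skipped."""
    routes = []
    in_table = False
    for line in netstat_text.splitlines():
        parts = line.split()
        if parts[:1] == ["Destination"]:
            in_table = True
            continue
        if not in_table or len(parts) < 6:
            continue
        routes.append({"dest": parts[0], "gateway": parts[1],
                       "flags": parts[2], "netif": parts[5]})
    return routes


def audit_oob(netstat_text: str, rules: List[str], oob_if: str, peer_ip: str) -> List[str]:
    """Return a list of findings; an empty list means both invariants hold."""
    findings = []
    routes = parse_routes(netstat_text)

    # Invariant 1: the OOB link must never carry the default route.
    for r in routes:
        if r["dest"] == "default" and r["netif"] == oob_if:
            findings.append(f"default route via {oob_if} (gateway {r['gateway']})")
    # The only thing reachable over the link should be the peer, as a host route.
    if not any(r["dest"] == peer_ip and r["netif"] == oob_if for r in routes):
        findings.append(f"no host route to {peer_ip} on {oob_if}")

    # Invariant 2: rules scoped to the interface are pinned to the peer and end in deny.
    via = re.compile(rf"\bvia {re.escape(oob_if)}\b")
    iface_rules = [rule for rule in rules if via.search(rule)]
    if not iface_rules:
        findings.append(f"no ipfw rules mention {oob_if}")
        return findings
    last = iface_rules[-1]
    if last.split()[1] != "deny" or "from any to any" not in last:
        findings.append(f"last rule on {oob_if} is not a catch-all deny: {last}")
    for rule in iface_rules:
        num, action = rule.split()[:2]
        if action != "deny" and peer_ip not in rule.split():
            findings.append(f"rule {num} allows {oob_if} traffic not pinned to {peer_ip}")
    return findings


if __name__ == "__main__":
    print("good config:", audit_oob(SAMPLE_ROUTES, SAMPLE_RULES, "ppp0", "10.9.9.1"))
    print("bad routes: ", audit_oob(BAD_ROUTES, SAMPLE_RULES, "ppp0", "10.9.9.1"))
    print("bad rules:  ", audit_oob(SAMPLE_ROUTES, BAD_RULES, "ppp0", "10.9.9.1"))
```

On a live host the two inputs would come from `netstat -rn` and `ipfw list`; the checks are deliberately strict (any allow rule on the link that does not name the peer is reported) because the whole point of the link is that nothing else should ever cross it.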
