Re: IDS Stealth Mode

From: Kurt Seifried (bt@seifried.org)
Date: 01/09/03

    From: "Kurt Seifried" <bt@seifried.org>
    To: "r)(o)(m" <nom.de.guerre@bonbon.net>, <focus-ids@securityfocus.com>
    Date: Wed, 8 Jan 2003 17:09:17 -0800

    > Retrying this post after 2 days:
    > A common deployment configuration of Network IDS is to have 2 NICs;
    > The monitoring interface in "stealth mode" with no IP
    > and
    > the "management" interface on a trusted internal network.
    >
    > My question is:
    > Has anyone ever exploited the "stealth" interface to traverse networks?
    > Has anyone (else) ever had to defend such a configuration against the
    > argument:
    > "where there's a wire, there's a way"
    > ?
    > r)(0)(m

    This happened a few times, but with much older products that had
    vulnerabilities. A more recent example would be tcpdump, which has numerous
    flaws in its protocol decoders that could result in remote code execution,
    tcpdump crashing, etc. So it is possible; however, modern products have
    gotten a lot better, and most can drop root after binding to the
    interface/etc., which greatly minimizes the risk. I'd also recommend using
    something like OpenBSD with systrace or Linux with LSM/openwall/whatever to
    really secure the box, since it should really only be running two apps (the
    IDS, and SSH/whatever remote management you use), thus making it pretty easy
    to lock down.

    Kurt Seifried, kurt@seifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
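The "drop root after binding to the interface" mitigation Kurt describes, as an added example that is not part of his post or of any product he names: a minimal Linux capture program opens the raw packet socket while still root, binds it to the monitoring interface, and then irreversibly switches to an unprivileged uid/gid before any packet bytes reach a decoder. The interface name and the target uid/gid are command-line assumptions; the `if_nametoindex`/`AF_PACKET`/`setgroups` calls are standard Linux APIs.

```c
// Added example, not code from the thread. Linux-only (AF_PACKET).
// Assumptions: the monitoring interface name, uid and gid come from argv.
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a raw AF_PACKET socket bound to ifname. This needs CAP_NET_RAW,
 * which is exactly why it must happen before privileges are dropped.
 * Returns the descriptor, or -1 with errno set. */
int open_capture_socket(const char *ifname) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)if_nametoindex(ifname);  /* 0 = no such interface */
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Irreversibly switch to uid/gid. Order matters: supplementary groups,
 * then gid, then uid, because once the uid is unprivileged setgid fails.
 * Returns 0 on success, -1 on failure. Success also means a later
 * setuid(0) fails, i.e. the drop cannot be undone from inside the process. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Only root may clear supplementary groups; EPERM means we already
     * run unprivileged, which is fine. */
    if (setgroups(0, NULL) != 0 && errno != EPERM) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* drop was reversible: bug */
    return 0;
}

/* 1 when the process is not root and cannot regain root, 0 otherwise. */
int running_unprivileged(void) {
    return geteuid() != 0 && setuid(0) != 0;
}

int main(int argc, char **argv) {
    if (argc != 4) {
        fprintf(stderr, "usage: %s <iface> <uid> <gid>\n", argv[0]);
        return 2;
    }
    const char *ifname = argv[1];
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

    int fd = open_capture_socket(ifname);
    if (fd < 0) { perror("open_capture_socket"); return 1; }

    /* The descriptor stays valid across setuid, so root is no longer needed. */
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    if (!running_unprivileged()) {
        fputs("still privileged; refusing to run decoders as root\n", stderr);
        return 1;
    }

    unsigned char buf[65536];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) {
            if (errno == EINTR) continue;
            perror("recv");
            return 1;
        }
        /* Protocol decoders would run here. A decoder bug now yields an
         * unprivileged process on the sensor, not root. */
        printf("frame: %zd bytes\n", n);
    }
}
```

Run it as root with the stealth NIC and an unprivileged account, e.g. `./sniff eth1 65534 65534`; the check after `drop_privileges` deliberately refuses to continue if the process could still become root, which is the property a sensor operator should verify rather than assume.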
