Re: best ids placement?
From: Simon Adlem (sadlem_at_fotango.com)
Date: 08/19/03
- Previous message: Rob Shein: "RE: best ids placement?"
- In reply to: Rob Shein: "RE: best ids placement?"
- Next in thread: Joshua Krage: "Re: best ids placement?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Rob Shein" <shoten@starpower.net>, <focus-ids@securityfocus.com>
Date: Tue, 19 Aug 2003 10:56:56 +0100
On Monday 18 Aug 2003 7:50 pm, Rob Shein may quite possibly have written:
> Actually, this isn't accurate. Just because an IDS doesn't have a two-way
> connection on the wire doesn't mean that it cannot be compromised by
> traffic it monitors. For example, let's say you had a box running an older
> version of snort or tcpdump, with one of the vulnerabilities that were
> found, hooked up to a wire via a tap. You could theoretically root that
> box, even if it had no other network connectivity besides that tap. But
> realistically speaking, an IDS is typically going to have connectivity via
> another route; otherwise how can you do IP block lookups, googling, etc. to
> determine more about attacks? Furthermore, besides rooting, what if the
> attacker merely wanted to knock the IDS offline for a bit... then it becomes
> a lot more feasible and realistic as an attack. So remember: taps are NOT a
> guarantee against attacks aimed at an IDS. They make the IDS invisible,
> but it doesn't cost much to squirt a few generic snort/tcpdump/whatever
> else attacks onto the wire just in case.
Hi Rob,
Thanks for your comments.
Interesting points there.
Agreed that it's not a complete solution and the IDS can still be affected.
However, other than the DoS scenario that you mention, we find that the taps
do make it harder to detect and attack the IDS than if it was connected
straight to the wire.
I don't tend to use the IDS box for googling, lookups etc. anyway. The IDS is
a Linux box that just sits and does its thing, and I do further analysis on my
workstation.
Take care
Simon
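The setup both posters describe, a sensor whose tapped port carries no address and no routes, is easy to get wrong during later maintenance. As an added example (not code from the original thread), the check below audits a Linux sensor from the JSON that `ip -j addr show` and `ip -j route show` print; the interface names and the sample output are constructed, with eth0 as the management side and eth1 as the tapped monitoring port.

```python
import json

# Constructed sample of `ip -j addr show` on a sensor: eth0 is the management
# port, eth1 is the tapped monitoring port (no address, promiscuous, NOARP).
SAMPLE_ADDR = json.dumps([
    {"ifname": "eth0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "192.0.2.10", "prefixlen": 24}]},
    {"ifname": "eth1",
     "flags": ["BROADCAST", "MULTICAST", "PROMISC", "NOARP", "UP", "LOWER_UP"],
     "addr_info": []},
])
# Constructed sample of `ip -j route show`: only the management port has routes.
SAMPLE_ROUTE = json.dumps([
    {"dst": "default", "gateway": "192.0.2.1", "dev": "eth0"},
    {"dst": "192.0.2.0/24", "dev": "eth0"},
])


def audit_sniff_interface(addr_json, route_json, iface):
    """Return a list of findings; an empty list means iface is a stealth sniff port."""
    findings = []
    links = [l for l in json.loads(addr_json) if l.get("ifname") == iface]
    if not links:
        return [f"{iface}: interface not found"]
    flags = set(links[0].get("flags", []))
    if "UP" not in flags:
        findings.append(f"{iface}: interface is down, sensor sees nothing")
    if "PROMISC" not in flags:
        findings.append(f"{iface}: not promiscuous, traffic to other hosts is dropped")
    if "NOARP" not in flags:
        findings.append(f"{iface}: ARP enabled, the sensor will answer on the wire")
    # Any address, including IPv6 link-local, makes the sensor a reachable host
    # on the monitored segment; disable IPv6 on the sniff port via sysctl.
    for a in links[0].get("addr_info", []):
        if a.get("family") in ("inet", "inet6"):
            findings.append(f"{iface}: has address {a.get('local')}, reachable from tap")
    for r in json.loads(route_json):
        if r.get("dev") == iface:
            findings.append(f"{iface}: route {r.get('dst')} leaves via the sniff port")
    return findings


if __name__ == "__main__":
    for iface in ("eth0", "eth1"):
        print(iface, audit_sniff_interface(SAMPLE_ADDR, SAMPLE_ROUTE, iface) or "OK")
```

On a live sensor, feed it the real command output, e.g. `audit_sniff_interface(subprocess.check_output(["ip", "-j", "addr", "show"]), subprocess.check_output(["ip", "-j", "route", "show"]), "eth1")`.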