Re: securing nic's for snort
From: Stephen Samuel (samuel@bcgreen.com)
Date: 05/29/02
- Previous message: Stephen Samuel: "Re: Linux Hardening"
- In reply to: Renaud, Andre: "RE: securing nic's for snort"
- Next in thread: Patrick Morris: "Re: securing nic's for snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 May 2002 02:30:25 -0700
From: Stephen Samuel <samuel@bcgreen.com>
To: "Renaud, Andre" <Andre.Renaud@hp.com>, focus-linux@securityfocus.com

If you wish to have the card be semi-stealth, but still be reachable
over the net (it'd be better, for 'real' hardening, if you left it
non-IP), then you can give it a 'private' non-used address
in another subnet (say, 192.168.251.225/30 ). The corresponding
address (192.168.251.226/30 ) would belong to your 'controlling'
machine (probably on eth0:1).
Only two addresses can fit into a /30 subnet, so if your box
doesn't route to it, it should be pretty hard for someone else
to talk to it. Someone else snooping on the net could still
see the packets between the machines and, thus, know about
the existence of your snort box, but they should have a
hard time talking to it without your permission.
BTW: On Linux, you can apparently remove a card's IP address
by giving it an address of '0'.
Renaud, Andre wrote:
> One of the easiest ways is to simply not give the card an IP address,
> it can still go into promiscuous mode, and works fine under snort
....
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
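
The two setups discussed in this message (a sniffing NIC with no IP address, or one reachable only inside a private /30), as an added example that is not part of the original post. It only prints the commands; the interface name eth1 for the snort box's sniffing NIC and the use of iproute2 commands are assumptions, while the addresses and the eth0:1 alias are the ones from the message.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed names: eth1 is the
# snort box's sniffing NIC; eth0:1 on the controller is the message's suggestion.

# Print the other usable host of the /30 that contains address $1.
# Returns 1 for malformed input or a /30 network/broadcast address.
slash30_peer() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # leading zero or overlong
        [ "$octet" -le 255 ] || return 1
    done
    case $(( $4 % 4 )) in
        1) echo "$1.$2.$3.$(( $4 + 1 ))" ;;
        2) echo "$1.$2.$3.$(( $4 - 1 ))" ;;
        *) return 1 ;;              # 0 = network address, 3 = broadcast
    esac
}

# Print (never execute) the commands for one of the two setups:
#   no argument -> sniffing NIC without any IP address
#   $1 = addr   -> sniffing NIC reachable only inside a private /30
print_plan() {
    if [ -n "$1" ]; then
        peer=$(slash30_peer "$1") || { echo "not a /30 host address: $1" >&2; return 1; }
    fi
    echo "ip link set dev eth1 up"
    echo "ip link set dev eth1 promisc on"
    if [ -z "$1" ]; then
        echo "ip addr flush dev eth1    # non-IP: the NIC only listens"
        return 0
    fi
    echo "ip addr add $1/30 dev eth1"
    echo "# on the controlling machine:"
    echo "ip addr add $peer/30 dev eth0 label eth0:1"
}

print_plan                    # option 1: no IP at all
print_plan 192.168.251.225    # option 2: the /30 from the message
```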