RE: Host Security

From: Steve Vawter (
Date: 05/10/02

From: Steve Vawter <>
To: "'ash'" <>, "Skokan, Paul" <>
Date: Fri, 10 May 2002 10:04:00 -0700

One suggestion that I recall from a very old paper (either "There Be
Dragons" by Steven M. Bellovin 1992 or "An Evening with Berferd ..." by Bill
Cheswick 1991 (likely *the* original honey pot!)) talk of cutting the
transmit wires on any sensors that you use. I am not sure if this is still
workable on today's switches, but it may be with the right settings on the

Steve Vawter
Zone Labs, Inc.
1060 Howard Street
San Francisco CA 94103
ph 415-341-8323
fax 415-341-8299
cell 510-409-9184
pager 877-933-0549

-----Original Message-----
From: ash []
Sent: Thursday, May 09, 2002 8:40 PM
To: Skokan, Paul
Cc: ''
Subject: Re: Host Security

Skokan, Paul wrote:

>I am running some FreeBSD boxes as various network monitoring hosts. The
hosts have multiple interfaces on them sniffing different network segments.
The hosts have one management interface with an IP address assigned to the
interface and the other ethernet interfaces do not have IP address assigned.
I am wondering if there are any vulnerabilities with having one of these
monitoring interfaces sit on a public network. Can the hosts be hacked at
all on the monitoring interface without an IP address...If so, how?
Thats a really good question. The only way I can see it hapening is if
either the NIC's broadcast any info over the network, a internel user
knowing the MAC addresses and crawling their way in that way, or
possibly scanning for NIC's in promiscous mode.