Firewall Wizards mailing list archives
Re: tcpdump installation on unix firewall?
From: Matt Curtin <cmcurtin () interhack net>
Date: 28 Aug 1999 17:38:16 -0400
On 27 Aug 1999 15:02:30 +0200, Andreas.Bolatzki () ch danzas com said:
Andreas> Do you consider it an utterly bad idea to install a packet
Andreas> sniffer on a firewall. (HP box running FW-1).

Yes. You do not want to provide any tools for an attacker who has compromised your bastion host to use against you. This is the reason why bastion hosts are typically "stripped down", having no compilers, common utilities, or anything that might be of use to attackers. If someone does manage to compromise a machine, he'll have enough difficulty getting it to do anything useful or interesting to him that you'll (hopefully) have enough time to catch the breach and address it. Perhaps by that point, he'll get frustrated and go find some site with an NT box^H^H^H^H^H^Heasier target.

If you need to find out what's happening, do one of a few things:

o Get yourself a real sniffer (these can get pricey, so I can see why you might want to avoid that. Especially if it's a 10Mb network where host-based tools are fairly easy to get.)

o Have a separate machine on the network that's not so exposed do the sniffing for you

o Dedicate a host to the job of sniffing, perhaps something along the lines of a Network Flight Recorder, http://www.nfr.net/. [I have no connection with NFR and don't feel particularly obligated to plug them because they host the list. What they have is a tool that will help you address exactly the problem that you have.]

You can get a research version of NFR to play around with it and see how it works, but don't try to use that for production. That would be naughty. Go for the full-blown product, which will give you the support that you'll want.

-- 
Matt Curtin cmcurtin () interhack net http://www.interhack.net/people/cmcurtin/
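A defender-side check in the spirit of the advice above, added here and not part of the original post: a small POSIX sh audit that flags compilers and sniffers left on a bastion host and, on Linux, any interface already in promiscuous mode (a sniffer running even though its binary is gone). The tool list and the ROOT override are assumptions for illustration.

```shell
#!/bin/sh
# Audit a bastion host for tools a "stripped down" host should not carry.
# Constructed example: the tool list below is an assumption, not a standard.

# Binaries that give an intruder uplift once the host is compromised.
UNWANTED_TOOLS="tcpdump snoop gcc cc g++ ld as make"

# Search these directories under ROOT. ROOT defaults to "/" (the live
# host); set ROOT=/mnt/image to audit a mounted offline copy instead.
: "${ROOT:=}"
BIN_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"

# find_unwanted: print the full path of every unwanted binary present.
find_unwanted() {
    for tool in $UNWANTED_TOOLS; do
        for dir in $BIN_DIRS; do
            path="$ROOT$dir/$tool"
            if [ -x "$path" ] && [ ! -d "$path" ]; then
                printf '%s\n' "$path"
            fi
        done
    done
}

# count_unwanted: number of unwanted binaries found; 0 means clean.
count_unwanted() {
    find_unwanted | wc -l | tr -d ' '
}

# promisc_ifaces: interfaces whose Linux /sys flags carry IFF_PROMISC (0x100).
promisc_ifaces() {
    for f in "$ROOT"/sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        if [ $(( flags & 0x100 )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# audit_bastion: report findings; exit status 0 only when no tools are found.
audit_bastion() {
    find_unwanted   | sed 's/^/unwanted tool: /'
    promisc_ifaces  | sed 's/^/promiscuous interface: /'
    [ "$(count_unwanted)" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then audit_bastion; fi
```

Run as `sh audit.sh --run` on the host, or `ROOT=/mnt/image sh audit.sh --run` against an offline image; a non-zero exit means the host is not as stripped as it should be.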
Current thread:
- tcpdump installation on unix firewall? Andreas . Bolatzki (Aug 27)
- Re: tcpdump installation on unix firewall? Matt Curtin (Aug 30)
- Re: tcpdump installation on unix firewall? Siglite (Aug 30)
- <Possible follow-ups>
- Re: tcpdump installation on unix firewall? Robert Graham (Aug 30)
- Re: tcpdump installation on unix firewall? Lance Spitzner (Aug 31)
- Re: tcpdump installation on unix firewall? Peter J. Cherny (Aug 30)
- RE: tcpdump installation on unix firewall? jan . schultheiss (Aug 30)
- RE: tcpdump installation on unix firewall? Mason Begley (Aug 31)