Firewall Wizards mailing list archives

Re: tcpdump installation on unix firewall?


From: Matt Curtin <cmcurtin () interhack net>
Date: 28 Aug 1999 17:38:16 -0400

On 27 Aug 1999 15:02:30 +0200, Andreas.Bolatzki () ch danzas com said:

Andreas> Do you consider it an utterly bad idea to install a packet
Andreas> sniffer on a firewall? (HP box running FW-1).

Yes.

You do not want to provide any tools for an attacker who has
compromised your bastion host to use against you.  This is the reason
why bastion hosts are typically "stripped down", having no compilers,
common utilities, or anything that might be of use to attackers.  If
someone does manage to compromise a machine, he'll have enough
difficulty getting it to do anything useful or interesting to him that
you'll (hopefully) have enough time to catch the breach and address
it.  Perhaps by that point, he'll get frustrated and go find some site
with an NT box^H^H^H^H^H^Heasier target.

If you need to find out what's happening, do one of a few things:
 o Get yourself a real sniffer (these can get pricey, so I can see why 
   you might want to avoid that.  Especially if it's a 10Mb network
   where host-based tools are fairly easy to get.)
 o Have a separate machine on the network that's not so exposed do the 
   sniffing for you
 o Dedicate a host to the job of sniffing, perhaps something along the 
   lines of a Network Flight Recorder, http://www.nfr.net/.

[I have no connection with NFR and don't feel particularly obligated
to plug them because they host the list.  What they have is a tool
that will help you address exactly the problem that you have.]

You can get a research version of NFR to play around with it and see
how it works, but don't try to use that for production.  That would be
naughty.  Go for the full-blown product, which will give you the
support that you'll want.

-- 
Matt Curtin cmcurtin () interhack net http://www.interhack.net/people/cmcurtin/
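
A defender-side check for the stripped-down bastion host described in the reply above, added here as an example (it is not code from the original post or from NFR). The list of tools to look for is an assumption drawn from the post's categories (sniffers, compilers, common utilities); adjust it to your own policy.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a bastion/firewall
# host for tools the post says should not be there: packet sniffers, compilers
# and general-purpose interpreters an intruder could turn against you.
# UNWANTED_TOOLS is an assumed starting list (tcpdump, HP-UX nettl, Solaris
# snoop, C toolchains, scripting interpreters); extend it for your own policy.

UNWANTED_TOOLS="tcpdump nettl snoop gcc cc ld make perl python"

# audit_bastion_tools [DIRS]
#   DIRS is a colon-separated directory list (defaults to $PATH).
#   Prints one "PRESENT: /dir/tool" line per executable found.
#   Returns 0 when nothing was found, 1 otherwise, so it can gate a script.
audit_bastion_tools() {
    dirs=${1:-$PATH}
    found=0
    # Split the colon-separated list into positional parameters.
    old_ifs=$IFS
    IFS=:
    set -- $dirs
    IFS=$old_ifs
    for dir in "$@"; do
        for tool in $UNWANTED_TOOLS; do
            # Only regular executable files count; a stray data file is not a tool.
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                echo "PRESENT: $dir/$tool"
                found=1
            fi
        done
    done
    return $found
}

# count_unwanted_tools [DIRS]: number of unwanted executables found in DIRS.
count_unwanted_tools() {
    audit_bastion_tools "${1:-$PATH}" | grep -c '^PRESENT:' || true
}

# When run directly: audit this host's PATH and warn if anything turns up.
audit_bastion_tools "$PATH" || echo "WARNING: unwanted tools present on this host"
```

Run it from a cron job or before a host goes into service; a non-zero exit means something on the list has crept back onto the box.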