Firewall Wizards mailing list archives

RE: tcpdump on my firewall


From: "Ames, Neil" <NAmes () anteon com>
Date: Fri, 26 Oct 2001 13:18:14 -0400

Three things come to mind:  
1) What do the security policy, security guidelines, or security procedures
for your site say should or should not be on your firewall?
2) You want as little running on your firewall as possible.  The more code
that you have running on it the more vulnerable you are.
3) You can run tcpdump on another machine.  Dredge up a machine that nobody
wants on their desktop.  Get two while you're at it, so that you can watch
both sides of your firewall...

Thank you,

Fritz Ames

-----Original Message-----
From: Jose Nazario [mailto:jose () biocserver BIOC cwru edu]
Sent: Friday, October 26, 2001 11:52 AM
To: hesselsp () ashaman dhs org
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] tcpdump on my firewall

On Thu, 25 Oct 2001 hesselsp () ashaman dhs org wrote:

> I have had a request to put tcpdump on our firewall by one of our tech
> guys.
>
> I have told him that I will not do so, and he wants a good reason why.

a) tcpdump has had root exploits in the past, they will probably come back
up again:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump

use the cve and bugtraq databases. they are your friends in such a time.

b) performance. tcpdump slows down packet processing, among other things,
and on a router/gateway that's a noticeable hit.

suggestion: throw a switch in there and use the reflector port to monitor
stuff with a laptop. if you are worried about the laptop getting
compromised while sniffing use tcpdump at layer two. on (at least) OpenBSD:
ifconfig ep1 up (note no address given) and start tcpdump -ni ep1 ....
works like a champ.

i hope this helps.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
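The passive-capture setup Jose describes (monitor interface brought up with no address, then tcpdump with -n), as an added shell example that is not from the thread: it checks that the capture interface really carries no address before sniffing and builds the capture command. The interface name ep1 comes from the post; the ifconfig output and the pcap path are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies a capture interface has no
# IP address (so the sniffer is not reachable through it), then builds the
# tcpdump command. The ifconfig output below is constructed sample text.

# Return 0 when the ifconfig output shows no inet/inet6 address.
# A link-local fe80:: address is tolerated: OpenBSD assigns one
# automatically and it does not make the host reachable from off-link.
iface_is_addressless() {
    out="$1"
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*inet '; then
        return 1
    fi
    if printf '%s\n' "$out" | grep -E '^[[:space:]]*inet6 ' \
            | grep -Evq 'inet6 fe80:'; then
        return 1
    fi
    return 0
}

# Build the capture command: -n avoids DNS lookups on sniffed addresses,
# -w stores raw packets for decoding on a separate analysis host.
build_capture_cmd() {
    printf 'tcpdump -n -i %s -w %s\n' "$1" "$2"
}

# Constructed output resembling 'ifconfig ep1' after 'ifconfig ep1 up'
# with no address configured (only the automatic link-local inet6).
SAMPLE_NOADDR='ep1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:01
        inet6 fe80::200:ff:fe00:1%ep1 prefixlen 64 scopeid 0x2'

# Constructed output for the same interface with an IPv4 address assigned.
SAMPLE_ADDR='ep1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:01
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

main() {
    # On a real host: iface_is_addressless "$(ifconfig ep1)" || exit 1
    iface_is_addressless "$SAMPLE_NOADDR" && echo "ep1: no address, ok to sniff"
    iface_is_addressless "$SAMPLE_ADDR" || echo "ep1: has an address, remove it first"
    build_capture_cmd ep1 /var/tmp/ep1.pcap
}

main "$@"
```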