Firewall Wizards mailing list archives
RE: tcpdump on my firewall
From: "Ames, Neil" <NAmes () anteon com>
Date: Fri, 26 Oct 2001 13:18:14 -0400
Three things come to mind:

1) What do the security policy, security guidelines, or security procedures for your site say should or should not be on your firewall?
2) You want as little running on your firewall as possible. The more code that you have running on it the more vulnerable you are.
3) You can run tcpdump on another machine. Dredge up a machine that nobody wants on their desktop. Get two while you're at it - so that you can watch both sides of your firewall...

Thank you,
Fritz Ames

-----Original Message-----
From: Jose Nazario [mailto:jose () biocserver BIOC cwru edu]
Sent: Friday, October 26, 2001 11:52 AM
To: hesselsp () ashaman dhs org
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] tcpdump on my firewall

On Thu, 25 Oct 2001 hesselsp () ashaman dhs org wrote:
I have had a request to put tcpdump on our firewall by one of our tech guys.
I have told him that I will not do so, and he wants a good reason why.
a) tcpdump has had root exploits in the past, they will probably come back up again:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump

use the cve and bugtraq databases. they are your friends in such a time.

b) performance. tcpdump slows down packet processing, among other things, and on a router/gateway that's a noticeable hit.

suggestion: throw a switch in there and use the reflector port to monitor stuff with a laptop. if you are worried about the laptop getting compromised while sniffing use tcpdump at layer two. on (at least OpenBSD) ifconfig ep1 up (note no address given) and start tcpdump -ni ep1 .... works like a champ.

i hope this helps.

____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
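A guard for the address-less capture setup described in the quoted message, as an added example that is not part of the original posts: it starts `tcpdump -ni` only when the interface is up and carries no inet/inet6 address. It assumes BSD-style `ifconfig` output; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes BSD-style ifconfig output.

# Constructed sample: interface up, no address (the setup from the message).
SAMPLE_BARE='ep1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:5e:00:53:01
	media: Ethernet 10baseT
	status: active'

# Constructed sample: same interface, but an IPv4 address is configured.
SAMPLE_ADDR='ep1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:5e:00:53:01
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	status: active'

# Reads `ifconfig <if>` output on stdin.
# Exit 0: interface is UP and has no inet/inet6 address (safe to sniff on).
# Exit 1: interface is down, or any address is assigned to it.
iface_is_stealth() {
    awk '
        NR == 1 && /[<,]UP[,>]/        { up = 1 }    # UP flag on the header line
        $1 == "inet" || $1 == "inet6"  { addr = 1 }  # any L3 address present
        END { exit !(up && !addr) }
    '
}

# Hypothetical wrapper: capture only if the interface passes the check.
sniff() {
    ifc=$1
    if ifconfig "$ifc" | iface_is_stealth; then
        tcpdump -ni "$ifc"
        return $?
    fi
    echo "refusing: $ifc is down or has an address assigned" >&2
    return 1
}
```

Source the file on the monitoring laptop and run `sniff ep1` as root; an `inet6` link-local address also counts as an address and blocks the capture.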