IDS mailing list archives
Re: best ids placement?
From: Simon Adlem <sadlem () fotango com>
Date: Tue, 19 Aug 2003 10:56:56 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 18 Aug 2003 7:50 pm, Rob Shein may quite possibly have written:
Actually, this isn't accurate. Just because an IDS doesn't have a two-way connection on the wire doesn't mean that it cannot be compromised by traffic it monitors. For example, let's say you had a box running an older version of snort or tcpdump, with one of the vulnerabilities that were found, hooked up to a wire via a tap. You could theoretically root that box, even if it had no other network connectivity besides that tap. But realistically speaking, an IDS is typically going to have connectivity via another route; otherwise how can you do IP block lookups, googling, etc. to determine more about attacks? Furthermore, besides rooting, what if the attacker merely wanted to knock the IDS offline for a bit? Then it becomes a lot more feasible and realistic as an attack. So remember: taps are NOT a guarantee against attacks aimed at an IDS. They make the IDS invisible, but it doesn't cost much to squirt a few generic snort/tcpdump/whatever-else attacks onto the wire just in case.
Hi Rob,

Thanks for your comments. Interesting points there. Agreed that it's not a complete solution and the IDS can still be affected; however, other than the DoS scenario that you mention, we find that the taps do make it harder to detect and attack the IDS than if it was connected straight to the wire. I don't tend to use the IDS box for googling, lookups etc. anyway. The IDS is a Linux box that just sits and does its thing, and I do further analysis on my workstation.

Take care
Simon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/QfRoAEPeBJNaHh0RAra3AJ9vuKCbT6G5nXH+7RFcGpExGi2g5QCdEhKT
9wyMHr3t+3n/zhS9NuV5G4M=
=2VSF
-----END PGP SIGNATURE-----
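The point Rob makes above, and that Simon concedes for the DoS case, is that a sensor on a one-way tap still has to decode every byte an attacker puts on the wire, so a bug in its protocol decoders is reachable with no return path at all. The following is an added illustration written for this archive page; it is not code from the thread, from snort or from tcpdump, and the bug it shows is a constructed toy, not a reference to any real vulnerability. It decodes the TCP options field two ways: a naive decoder that trusts the attacker-supplied length byte (zero length means it never advances, a missing length byte means an out-of-bounds read, an over-long length means a silent over-read), and a hardened one that validates the length before moving on. The sample option blobs are constructed inline, not captured traffic.

```python
# Added example, not code from the mailing-list thread or from snort/tcpdump.
# A toy TCP-options decoder of the kind an IDS runs over every packet it sees
# on a passive tap. The "naive" version trusts the attacker-supplied length
# byte; the "safe" version validates it before advancing.

TCP_OPT_EOL = 0   # end of option list (1 byte, no length field)
TCP_OPT_NOP = 1   # no-op padding     (1 byte, no length field)

# Constructed sample inputs (not captured traffic):
OPTS_BENIGN = b"\x02\x04\x05\xb4"      # MSS option, length 4, value 1460
OPTS_ZERO_LEN = b"\x02\x00\x05\xb4"    # MSS option claiming length 0
OPTS_TRUNCATED = b"\x01\x02"           # NOP, then MSS kind with no length byte
OPTS_OVERLONG = b"\x02\x10\x05\xb4"    # MSS option claiming length 16 in a 4-byte field


def parse_tcp_options_naive(opts: bytes, max_steps: int = 1000) -> list:
    """Decoder that trusts the length byte as received.

    max_steps is only a harness guard so the demonstration terminates; a real
    decoder written this way would spin forever on a zero-length option (the
    "knock the IDS offline" case) or, in C, read past the end of the buffer.
    """
    parsed = []
    i = 0
    steps = 0
    while i < len(opts):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("decoder stopped making progress (would hang)")
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = opts[i + 1]                   # IndexError if the length byte is missing
        parsed.append((kind, opts[i + 2:i + length]))  # Python truncates; C would over-read
        i += length                            # length 0 never advances i
    return parsed


def parse_tcp_options_safe(opts: bytes) -> list:
    """Same decoder with the checks a hardened sensor needs.

    A multi-byte option must carry a length byte, the length must be at least
    2 (kind + length), and the option must fit inside the buffer. Malformed
    input raises ValueError so the packet can be logged and skipped instead of
    hanging the sensor or reading out of bounds.
    """
    parsed = []
    i = 0
    n = len(opts)
    while i < n:
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError(f"option kind {kind} at offset {i} has no length byte")
        length = opts[i + 1]
        if length < 2:
            raise ValueError(f"option kind {kind} at offset {i} has illegal length {length}")
        if i + length > n:
            raise ValueError(f"option kind {kind} at offset {i} overruns the buffer")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def decode_outcome(parser, opts: bytes) -> str:
    """Run a decoder on one sample and summarise what happened, for side-by-side comparison."""
    try:
        return f"ok: {parser(opts)}"
    except ValueError as exc:
        return f"rejected: {exc}"
    except (RuntimeError, IndexError) as exc:
        return f"FAILED: {type(exc).__name__}: {exc}"


if __name__ == "__main__":
    samples = (("benign", OPTS_BENIGN), ("zero length", OPTS_ZERO_LEN),
               ("truncated", OPTS_TRUNCATED), ("overlong", OPTS_OVERLONG))
    for label, sample in samples:
        print(f"{label:12} naive -> {decode_outcome(parse_tcp_options_naive, sample)}")
        print(f"{label:12} safe  -> {decode_outcome(parse_tcp_options_safe, sample)}")
```

The over-long sample is the quiet one: the naive decoder returns a plausible-looking result because Python slicing clamps the range, whereas the same logic in C walks past the end of the packet buffer. Nothing in either decoder needs the sensor to have an IP address or a route back to the attacker, which is the reason a tap hides the sensor but does not protect it.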
Current thread:
- Re: best ids placement? Simon Adlem (Aug 14)
- RE: best ids placement? Rob Shein (Aug 19)
- Re: best ids placement? Simon Adlem (Aug 21)
- Re: best ids placement? Joshua Krage (Aug 21)
- RE: best ids placement? Rob Shein (Aug 19)