IDS mailing list archives
Re: IDS Stealth Mode
From: "Talisker" <talisker () networkintrusion co uk>
Date: Thu, 9 Jan 2003 08:59:43 -0000
Rom

The stealth interface hasn't to my knowledge been exploited, but as you say, "where there is a wire there's a way". Personally I'd be willing to accept the risk. However, I'm not the owner of the networks I look after, therefore it is not my risk to accept. Sadly those individuals that do own the risk are not always TCP/IP aware, so trying to convince them that an interface is indeed stealthy, especially when an IDS can craft resets and insert them on the same interface, is a difficult task. Common Criteria may help convince them that they are dealing with a sound product -hehe ;o)

The best way I have found to mitigate the risk is by the use of a network tap, which when inserted inline listens to passing traffic; these are not always a data diode, i.e. no transmit. Many cannot demonstrate an airgap on the transmit pairs as it is done within the circuitry (I work for some paranoid individuals), and the vendors frequently will not disclose circuit diagrams.

A recent issue was with a tap that was configured such that resets could still be sent through the tap; this obviously didn't reduce the risk of a stealthy interface. Though the company concerned provided us with a 2nd example within days where the transmit could be seen with an airgap.

Hope this helps

take care
-andy

Taliskers Network Security Tools
http://www.networkintrusion.co.uk

----- Original Message -----
From: "r)(o)(m" <nom.de.guerre () bonbon net>
To: <focus-ids () securityfocus com>
Sent: Wednesday, January 08, 2003 2:39 PM
Subject: IDS Stealth Mode
Retrying this post after 2 days:

A common deployment configuration of Network IDS is to have 2 NICs; the monitoring interface in "stealth mode" with no IP and the "management" interface on a trusted internal network.

My question is: Has anyone ever exploited the "stealth" interface to traverse networks? Has anyone (else) ever had to defend such a configuration against the argument: "where there's a wire, there's a way"?

r)(0)(m