IDS mailing list archives

Re: IDS Stealth Mode


From: Matt Harris <mdh () unix si edu>
Date: Thu, 09 Jan 2003 09:34:47 -0500

"r)(o)(m" wrote:
My question is:
Has anyone ever exploited the "stealth" interface to traverse networks?
Has anyone (else) ever had to defend such a configuration against the
argument:
"where there's a wire, there's a way"

The only thing that I can think of offhand from a purely
architectural/theoretical standpoint (and not one of ever having tested
this actively myself or seen any exploits of it) is that if there were a
bug in the NIDS software itself (particularly the pieces which examine
packets that it sees) or the IP stack of the system that could be
exploited simply by it seeing a packet on an interface which caused it
to go haywire, it may be possible.  If this were possible, then it could
be possible to do something like shutdown the IDS, or make it otherwise
accessible (by configuring an IP address on the shadow interface) or
somesuch.  That said, after extensive research on this particular issue,
I never found a single exploit that would make use of such a bug. 
However, given the fact that IIRC, tcpdump has had issues in the past as
have a few IP stacks on various systems, it may be possible.  But no one
as far as I can see has ever used it in this way to bring down a NIDS.  
Just remember, no technology is ever going to be perfect, because
there's always someone writing the code, and people are inherently
imperfect.  Find something that suits your needs, does what you want,
and is at the very least vigilant about any issues that have arisen in
the past, and you'll be doing as well as any equally dedicated NIDS
manager.  :-)
That said, it may also help to try and understand the technology you
choose to use, or make friends with people who do and learn.  

-- 
/*
 *
 * Matt Harris - Senior UNIX Systems Engineer
 * Smithsonian Institution, OCIO
 *
 */
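Added example, not code from the original post or thread: the failure mode Matt describes (a packet-examining routine that goes haywire merely on seeing a frame) is the classic passive-decoder bug. This decoder checks every length field against what was actually captured before slicing, so malformed IPv4 headers are rejected rather than raising; the sample frames are constructed, not real captures.

```python
import struct
from typing import Optional

# Constructed sample frames (not real captures): raw IPv4 headers as a passive
# sniffer sees them once the Ethernet header is stripped.
VALID_IPV4 = bytes.fromhex(
    "4500001c" "00010000" "4006" "0000" "c0a80001" "c0a80002"  # 20-byte header, total length 28, TCP
) + b"\x00" * 8                                                  # 8 bytes of payload
BAD_IHL = bytes([0x42]) + VALID_IPV4[1:]                  # IHL=2 claims an 8-byte header (< spec minimum)
TRUNCATED = VALID_IPV4[:12]                               # capture ends inside the header
OVERLONG = VALID_IPV4[:2] + b"\xff\xff" + VALID_IPV4[4:]  # total length 65535 > bytes captured


def decode_ipv4(pkt: bytes) -> Optional[dict]:
    """Decode an IPv4 header, refusing anything inconsistent.

    Every length is validated against len(pkt) before any slice or unpack,
    so a malformed frame yields None instead of an exception that could
    take a sniffer down."""
    if len(pkt) < 20:
        return None                                   # truncated: minimum header is 20 bytes
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        return None                                   # not IPv4
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return None                                   # IHL below minimum or beyond the capture
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        return None                                   # declared length disagrees with the capture
    ttl, proto = pkt[8], pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": src, "dst": dst, "payload": pkt[ihl:total_len]}


def triage(frames) -> dict:
    """Count decodable vs. rejected frames, as a monitor would log them."""
    ok = sum(1 for f in frames if decode_ipv4(f) is not None)
    return {"decoded": ok, "rejected": len(frames) - ok}


if __name__ == "__main__":
    print(triage([VALID_IPV4, BAD_IHL, TRUNCATED, OVERLONG]))
```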

