IDS mailing list archives

Re: IDS Stealth Mode


From: Matt Simmons <matts () wirefire com>
Date: Thu, 9 Jan 2003 08:48:32 -0500

-----BEGIN PGP SIGNED MESSAGE-----

I remember that a while back, I read an article on a way to clip the transmit 
wires, or place a capacitor in line with them, which mucks up the signal and 
effectively takes away the wire. The weakness in the situation that you 
provided would be in the secure network, and physical access to the box, 
imho. I did a quick search of Google for stealth ethernet, there might be 
something more elegant out there. It seems pretty rough:

http://web.cuzuco.com/~cuzuco/stealth/

Good luck..
Matt Simmons
security () wirefire com

On Wednesday 08 January 2003 09:39 am, you wrote:
Retrying this post after 2 days:
A common deployment configuration of Network IDS is to have 2 NICs;
The monitoring interface in "stealth mode" with no IP
and
the "management" interface on a trusted internal network.

My question is:
Has anyone ever exploited the "stealth" interface to traverse networks?
Has anyone (else) ever had to defend such a configuration against the
argument:
"where there's a wire, there's a way"
?
r)(0)(m

- -- 
 "Sometimes I lie awake at night, and I ask, 'Where have I gone wrong?' 
Then a voice says to me, 'This is going to take more than one night.' "
- --- Charlie Brown

- -----BEGIN GEEK CODE BLOCK-----
Version: 3.1 http://www.ebb.org/ungeek/
GCS/IT/CC d-- s++ a-- C---(++++)$ UL+++ P(!)+ L+++
W+(--) N+ w--- M+ V- PS+ PE Y++ PGP++ t++>+ 5- X+ R-
tv-->! b+++ DI++ D+++ G++ e h-(*) r--(*) y+(--)
 ------END GEEK CODE BLOCK------



-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

-----END PGP SIGNATURE-----

