Re: Firewall and IDS, (the second way).

["Zow" Terry Brugger <zow () llnl gov>]

> Then you also have to consider the so called Stealth mode, which is more
> typical of a hubbed (perhaps smaller) environments, where no IP address is
> assigned to the interface, this makes it non addressable but still available
> for promiscious mode hence IDS. In this mode the device should not respond
> to probing such as crafted multicast packets, and as its interface is not
> defined it would also not know its nameserver addresses so not attempt DNS
> queries.

You know, I was just thinking about this some more: is there any way (assuming 
that you have sufficient access to a given LAN) to illicit a response from an 
Ethernet device directly, regardless of what higher level protocols may or may 
not be bound to it? I mean, every Ethernet interface has a unique address, and 
there are at least protocols to map IPs to those addresses (ARP) and back 
(RARP), so is there anyway that you could maybe generate an invalid Ethernet 
frame, send it to some Ethernet address and get a response? Granted, I doubt 
this'll be much use in mapping networks blindly though, as the space for MAC 
addresses is huge, and can be easily defended against by snipping the transmit 
wire on the incoming Ethernet cable (ignoring the convolutions that must be 
done along with that).

-"Zow"

use standardDisclaimer