Firewall Wizards mailing list archives

Re: Network cables as security devices


From: Kevin Steves <stevesk () sweden hp com>
Date: Sun, 27 Sep 1998 23:24:09 +0200 (MET DST)

[old thread, I know..]

On Thu, 27 Aug 1998, Dominique Brezinski wrote:
: This is not an answer to the original question, but rather a different
: approach to the same problem (though more expensive). Another approach is
: to build a second logging network. All machines that need to be logged get
: a second Ethernet interface. Give the logging machine and all the second
: interfaces reserved addresses (10. or 192.168 etc.) and hook them up to a
: hub. Make sure the machines generating the audit data are not routing to
: the logging network, and harden the logging machine to the point where the only
: port listening is the logging service (syslog or whatever).

I've thought of doing this, and it may make sense in certain topologies,
but I would be extremely wary about using this approach in a layered
perimeter architecture, as it could permit an attacker to bypass chunks
of the perimeter.  For example, if you have border<->gw0<->gw1<->choke
in series, and they're all tied to a shared logging net, a compromise of
border may be used to bypass gw0 and gw1 to get to choke.

It's not entirely clear if this is what you were proposing, but I wanted
to point it out.  As always, the devil is in the details.
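A small reachability model of the layered perimeter discussed above, added here as an example and not part of the original thread; the host and segment names, and the assumption that gateways forward between their interfaces while other hosts do not, are mine.

```python
from collections import deque

# Constructed in-series layout from the post (segment -> hosts); names are assumptions.
SERIAL = {
    "outside": {"internet", "border"},
    "dmz0": {"border", "gw0"},
    "dmz1": {"gw0", "gw1"},
    "dmz2": {"gw1", "choke"},
    "inside": {"choke", "internal-host"},
}
# Same layout plus the shared logging hub from the quoted proposal.
SHARED_LOGNET = dict(SERIAL, lognet={"border", "gw0", "gw1", "choke", "loghost"})
GATEWAYS = {"border", "gw0", "gw1", "choke"}  # filter and forward between interfaces

def attack_path(segments, forwarders, src, dst):
    """Shortest host-to-host path from src to dst.  Traffic can transit a host
    only if it is in `forwarders` (routes between its interfaces); any other
    host can be reached but not crossed.  Returns None when unreachable."""
    adjacent = {}
    for members in segments.values():
        for host in members:
            adjacent.setdefault(host, set()).update(members - {host})
    prev = {src: None}
    queue = deque([src])
    while queue:
        host = queue.popleft()
        if host == dst:  # rebuild the path by walking the predecessor links
            path = []
            while host is not None:
                path.append(host)
                host = prev[host]
            return path[::-1]
        if host != src and host not in forwarders:
            continue  # reachable leaf, but packets do not cross it
        for peer in sorted(adjacent.get(host, ())):
            if peer not in prev:
                prev[peer] = host
                queue.append(peer)
    return None

def gateways_bypassed(segments, gateways, src, dst):
    """Filtering gateways the shortest src->dst path never crosses, assuming
    every gateway forwards between its interfaces."""
    path = attack_path(segments, gateways, src, dst)
    return set() if path is None else set(gateways) - set(path)

if __name__ == "__main__":
    for name, net in (("serial", SERIAL), ("shared lognet", SHARED_LOGNET)):
        print(name, attack_path(net, GATEWAYS, "border", "choke"),
              "bypassed:", sorted(gateways_bypassed(net, GATEWAYS, "border", "choke")))
```

With no host routing onto the logging net the serial layout yields no path at all, but the shared hub still places choke one hop from a compromised border, which is the bypass the post warns about.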
