Firewall Wizards mailing list archives

Re: tcpdump on my firewall


From: Chad Schieken <cschieken () lucent com>
Date: Fri, 26 Oct 2001 15:25:12 -0400



I agree with Fred that this is a policy issue, but I also see a few other view points:

1. This is an invaluable troubleshooting tool. It's helped me develop a detailed understanding of poorly documented transactions/protocols in many situations.

2. The risk of having the software on the box can be mitigated pretty well. File permissions can be set up so only root can execute (or even read) tcpdump. Also, permissions can be created on the devices to restrict access as well -- although that's a complicated step with lots of implications. Buffer overflow exploits aside, other similar steps can be taken, such that it boils down to someone needing root access *before* they can run tcpdump.

I'm not trying to downplay the risks of the buffer overflow exploits, but that risk is minimized by only running tcpdump for short periods to do specific tasks. The window of exposure in this case can be quite manageable.


3. In some environments it's a lot easier to do this type of sniffing using tcpdump, vs. installing dedicated sniffers in the network.


All of this begs the question, to the original poster -- why did you reject the request in the first place? Certainly the case can be made either way, and every environment is different.



At 12:57 PM 10/26/2001, Frederick M Avolio wrote:
At 02:51 PM 10/25/01 -0400, hesselsp () ashaman dhs org wrote:
Anyone want to help me out here?

I have had a request to put tcpdump on our firewall by one of our tech
guys.

I have told him that I will not do so, and he wants a good reason why.

HE wants a good reason why? HE?

Your security policy should cover this (and probably doesn't). Everything you add on a firewall makes it more complex. Complexity and security are inversely proportional. But wait! He doesn't have a user account on the firewall, does he? No one should except the firewall admin, and that should be tightly controlled. The good reason is you don't add things on the firewall unless there is no other way to do what needs to be done, and then only if it is a business requirement (not a desire).

Push right back and ask him for a requirement not a solution. What does he want to do? He probably wants to monitor packets on the outside network (or maybe on both). I can think of more than one way to accomplish this that doesn't require putting anything new on the firewall.


Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
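Chad's second point above rests on file permissions: if the tcpdump binary is owner-only and owned by root, a non-root user on the firewall cannot run or even read it. The script below is an added example, not code from the thread or from any poster; it applies that lockdown and then verifies it with a portable `ls -ld` check. It operates on a constructed stand-in file in a temporary directory rather than the real /usr/sbin/tcpdump, and it leaves out the `chown root:root` step (which needs root) so it can run unprivileged.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): restrict a tcpdump binary
# so only its owner can read or execute it, then verify the mode bits.
# Uses a constructed stand-in file, not the real tcpdump.
set -eu

# Return the 10-character permission string from ls, e.g. "-rwx------".
# Column 11 may carry an ACL/xattr marker on some systems; cut drops it.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 only if group and other have no permission bits at all.
is_owner_only() {
    case "$(perm_string "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Apply the lockdown: mode 0700 (owner rwx, nothing for group/other).
# On a real firewall also run: chown root:root "$1"
lock_down() {
    chmod 0700 "$1"
}

# Demonstrate before/after on a stand-in binary; returns "open locked".
demo() {
    d=$(mktemp -d)
    bin="$d/tcpdump"                      # constructed stand-in, not the real tool
    printf '#!/bin/sh\necho stand-in\n' > "$bin"
    chmod 0755 "$bin"                     # typical distro default: world-executable
    before=$( (is_owner_only "$bin" && echo locked) || echo open )
    lock_down "$bin"
    after=$( (is_owner_only "$bin" && echo locked) || echo open )
    rm -rf "$d"
    echo "$before $after"
}

# Usage: demo prints "open locked" on a host where chmod behaves normally.
```

A scheduled run of `is_owner_only /usr/sbin/tcpdump` (plus an ownership check) is a cheap way to detect the mode drifting back after a package upgrade, which is the usual way such a lockdown quietly disappears.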