Firewall Wizards mailing list archives

Re: detecting multihomed host


From: alexander lind <malte () webstay org>
Date: Sat, 2 Aug 2008 19:10:25 -0700

On Aug 1, 2008, at 10:51 PM, K K wrote:


> Finally, repeat the test a third time, again two at a time, one of
> the two always being the target (W.X.Y.123) and the second being one
> of the other 199 active addresses.

Very interesting read. Thank you for laying it out for me.
Now if we pretend you are the attacker that wants to gather this information on my network, could you think of any ways to do it still if I closed down _all_ services on the machines behind the NAT?




> All of the above can be done slowly, over a period of several days,
> and from a wide variety of source addresses to evade trivial detection
> by IPS or log analysis. One possibility to mitigate this exposure is
> to use higher level proxies instead of a bridging firewall.

Can you elaborate a little bit on what you mean by higher level proxies please?


> (P.S. The term "multihome" usually means a host with multiple NICs,
> each one on a different network, the situation you describe, a host
> with many aliases on a single NIC, is a different beast, but I don't
> know the best name for it.)


I stand corrected. What if I create virtual interfaces with faked MAC addresses, would you call that multihoming?

Thanks
Alec