IDS mailing list archives
RE: best ids placement?
From: "Rob Shein" <shoten () starpower net>
Date: Mon, 18 Aug 2003 14:50:20 -0400
Actually, this isn't accurate. Just because an IDS doesn't have a two-way connection on the wire doesn't mean that it cannot be compromised by traffic it monitors. For example, let's say you had a box running an older version of snort or tcpdump, with one of the vulnerabilities that were found, hooked up to a wire via a tap. You could theoretically root that box, even if it had no other network connectivity besides that tap. But realistically speaking, an IDS is typically going to have connectivity via another route; otherwise how can you do IP block lookups, googling, etc. to determine more about attacks? Furthermore, besides rooting, what if the attacker merely wanted to knock the IDS offline for a bit...then it becomes a lot more feasible and realistic as an attack. So remember: taps are NOT a guarantee against attacks aimed at an IDS. They make the IDS invisible, but it doesn't cost much to squirt a few generic snort/tcpdump/whatever-else attacks onto the wire just in case.
-----Original Message-----
From: Simon Adlem [mailto:sadlem () fotango com]
Sent: Wednesday, August 13, 2003 8:36 AM
To: focus-ids () securityfocus com
Subject: Re: best ids placement?

On Monday 30 Jun 2003 6:42 pm, Brian Laing may quite possibly have written:

Hi,

Another approach is to use EtherTaps connected to a machine that has no physical connection to the internal network other than the passive connection via the taps. That way, no-one can detect or compromise your IDS as it is not connected to anything other than the taps. We use EtherTaps here with good success.

Simon
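Added example, not written by anyone in this thread: a POSIX shell script that treats the sensor the way the two posts above argue it should be treated, giving the tap-facing port no layer-3 identity (invisible, as Simon describes) while also running snort unprivileged and chrooted on a separate management-free interface (so a decoder bug hit by monitored traffic, as Rob describes, lands in a jailed non-root process). Interface names, the snort account and the jail path are assumed placeholders; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Harden a tap-fed sensor: the sniff port gets no
# address and no ARP (nothing to answer to), and snort runs as an unprivileged user
# inside a chroot, so a decoder bug hit by monitored traffic does not yield root.
# Assumed placeholders: interface names, user/group name, jail path.

SNIFF_IF="${SNIFF_IF:-eth1}"            # tap-facing interface, receive-only
MGMT_IF="${MGMT_IF:-eth0}"              # separate management interface
SNORT_USER="${SNORT_USER:-snort}"       # unprivileged account snort drops to
SNORT_JAIL="${SNORT_JAIL:-/var/snort/jail}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only (default)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The sniff port carries no IPv4/IPv6 address and does not speak ARP. The sensor
# still parses every frame it sees, so this hides it but does not harden it.
sniff_iface_cmds() {
    run ip addr flush dev "$1"
    run sysctl -w "net.ipv6.conf.$1.disable_ipv6=1"
    run ip link set dev "$1" arp off promisc on up
}

# Least privilege for the parser itself: drop root (-u/-g) and chroot (-t)
# after initialisation, read only from the sniff interface, run as a daemon.
snort_cmd() {
    run snort -i "$1" -u "$SNORT_USER" -g "$SNORT_USER" \
        -t "$SNORT_JAIL" -c "$SNORT_JAIL/etc/snort.conf" -D
}

# The management path must be a different interface from the sniff port;
# returns non-zero if the two names are the same.
check_split() {
    [ "$1" != "$2" ]
}

main() {
    check_split "$SNIFF_IF" "$MGMT_IF" || { echo "sniff and mgmt interfaces must differ" >&2; return 1; }
    sniff_iface_cmds "$SNIFF_IF"
    snort_cmd "$SNIFF_IF"
}

main "$@"
```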