IDS mailing list archives
Re: IDS Stealth Mode
From: "Kurt Seifried" <bt () seifried org>
Date: Wed, 8 Jan 2003 17:09:17 -0800
Retrying this post after 2 days: A common deployment configuration of Network IDS is to have 2 NICs; the monitoring interface in "stealth mode" with no IP and the "management" interface on a trusted internal network. My question is: Has anyone ever exploited the "stealth" interface to traverse networks? Has anyone (else) ever had to defend such a configuration against the argument: "where there's a wire, there's a way"? r)(0)(m
This happened a few times, but with much older products that had vulnerabilities. A more recent example would be tcpdump, which has numerous flaws in its protocol decoders that could result in remote code execution, tcpdump crashing, etc. So it is possible; however, modern products have gotten a lot better, and most can drop root after binding to the interface/etc., which greatly minimizes the risk. I'd also recommend using something like OpenBSD with systrace or Linux with LSM/openwall/whatever to really secure the box, since it should really only be running two apps (the IDS, and SSH/whatever remote management you use), thus making it pretty easy to lock down.
Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/
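A small audit of the sensor deployment discussed above (sniffing NIC carrying no IP address, sensor that has dropped root), added here as an example and not part of the thread or of any IDS product. It parses the text of `ip -o link show dev <if>`, `ip -o addr show dev <if>` and `/proc/<pid>/status`; the interface name and all sample outputs are constructed, and the status-file layout assumed is Linux's.

```python
"""Audit a NIDS 'stealth' interface and the sensor process from command output."""
import re

# Constructed sample output (not from a real sensor) so the audit runs offline.
GOOD_LINK = "3: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP"
GOOD_ADDR = GOOD_LINK  # no address lines follow the link line: the NIC has no IP at all
BAD_LINK = "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP"
BAD_ADDR = BAD_LINK + "\n3: eth1    inet6 fe80::1/64 scope link \\       valid_lft forever"
ROOT_STATUS = "Name:\tsensor\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
DROPPED_STATUS = "Name:\tsensor\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\n"


def audit_stealth_iface(ip_link_line, ip_addr_out):
    """Return a list of findings for the sniffing interface; empty means clean.

    ip_link_line: one line of `ip -o link show dev <if>`.
    ip_addr_out:  full output of `ip -o addr show dev <if>` (link line plus
                  one line per address; a stealth NIC should have none, not
                  even an IPv6 link-local, or it will answer on the wire).
    """
    findings = []
    m = re.search(r"<([^>]*)>", ip_link_line)
    flags = set(m.group(1).split(",")) if m else set()
    if "NOARP" not in flags:
        findings.append("ARP is enabled on the sniffing interface")
    if "PROMISC" not in flags:
        findings.append("interface is not in promiscuous mode")
    for line in ip_addr_out.splitlines():
        fields = line.split()
        if len(fields) > 3 and fields[2] in ("inet", "inet6"):
            findings.append("interface has a %s address %s" % (fields[2], fields[3]))
    return findings


def audit_process_uid(proc_status):
    """Parse /proc/<pid>/status text; flag a sensor that still runs as root."""
    m = re.search(r"^Uid:\s+(\d+)\s+(\d+)", proc_status, re.M)
    if not m:
        return ["could not read Uid line"]
    real, effective = int(m.group(1)), int(m.group(2))
    if real == 0 or effective == 0:
        return ["sensor runs with uid %d/%d (root): privileges not dropped" % (real, effective)]
    return []


if __name__ == "__main__":
    for label, link, addr, status in (("good", GOOD_LINK, GOOD_ADDR, DROPPED_STATUS),
                                      ("bad", BAD_LINK, BAD_ADDR, ROOT_STATUS)):
        print(label, audit_stealth_iface(link, addr) + audit_process_uid(status))
```

On a live sensor, feed the functions the real command output for the monitoring NIC and the sensor's PID; any returned finding is a deviation from the no-IP, no-ARP, unprivileged configuration.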
Current thread:
- IDS Stealth Mode r)(o)(m (Jan 08)
- Re: IDS Stealth Mode Kurt Seifried (Jan 09)
- Re: IDS Stealth Mode M. Dodge Mumford (Jan 10)
- Re: IDS Stealth Mode Talisker (Jan 11)
- Re: IDS Stealth Mode Dave Mitchell (Jan 11)
- Re: IDS Stealth Mode Matt Harris (Jan 11)
- RE: IDS Stealth Mode Aditya (Jan 12)
- RE: IDS Stealth Mode Brito, Nelson (ISS Brazil) (Jan 21)
- Re: IDS Stealth Mode Matt Simmons (Jan 21)
- Re: IDS Stealth Mode Jonas Eriksson (Jan 12)
- Re: IDS Stealth Mode Frank Knobbe (Jan 19)
- Re: IDS Stealth Mode Jonas Eriksson (Jan 12)