IDS mailing list archives
Re: IDS Stealth Mode
From: Dave Mitchell <dmitchell () viawest net>
Date: Thu, 9 Jan 2003 08:30:58 -0700
Theoretically speaking, having a MAC address and a wire, you could be able to somehow pass traffic through the IDS into your management network. More than likely a device above the IDS would have to be compromised in order to give the attacker access to the same L2 broadcast domain so that they could launch ethernet attacks on the IDS.

There are a few things you can do in order to mitigate risk.

1. Have your management interface terminate on a "DMZ" or other type of restricted network, so if for some reason the box was compromised, the attacker wouldn't have free rein on your inside net.

2. Restrict the port mirror on the sniffer interface to only allow ingress frames, and only allow it to mirror frames destined for other ports, and not its port. This would negate the ability of someone to pass frames to your sniffer MAC, and prevent that interface from transmitting frames, whether it be ARPs or whatever. You can also apply L2 access lists to be even more secure.

3. Depending on which IDS you have, make sure you have IP forwarding disabled from within the box itself.

If you are really paranoid like myself, have the management interface terminate on a VLAN that can be inspected by a firewall. Restrict inbound traffic from the management interface to necessities, and you should be as secure as you can make it.

Just my $.02.

-dave

On Wed, Jan 08, 2003 at 08:39:55AM -0600, r)(o)(m wrote:
Retrying this post after 2 days:

A common deployment configuration of Network IDS is to have 2 NICs; the monitoring interface in "stealth mode" with no IP and the "management" interface on a trusted internal network.

My question is: Has anyone ever exploited the "stealth" interface to traverse networks? Has anyone (else) ever had to defend such a configuration against the argument: "where there's a wire, there's a way"?

r)(0)(m
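As an added example (not from the thread or any of its posters), the script below applies the host-side part of points 2 and 3 on a Linux sensor: the sniffing interface gets no address, never sends ARP, and the kernel cannot forward between it and the management interface. It also audits those settings so drift can be detected. The interface name eth1 and the /proc and /sys root parameters are assumptions made so the audit can run against a constructed tree.

```shell
#!/bin/sh
# Assumed name of the monitoring ("stealth") interface; override via environment.
SNIFF_IF="${SNIFF_IF:-eth1}"

# Apply the hardening (requires root). No address and ARP off means the sniff
# port cannot be addressed at L3 and never originates frames of its own;
# forwarding off means a compromised sensor cannot route into management.
harden_sniff_iface() {
    iface="$1"
    ip addr flush dev "$iface"
    ip link set dev "$iface" arp off promisc on up
    sysctl -w net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0
}

# Audit: $1 = interface, $2 = /proc root, $3 = /sys root (the last two default
# to the real kernel trees; tests point them at a constructed directory).
# Returns 0 when every check passes, prints each failure and returns 1 otherwise.
audit_sensor() {
    iface="$1"; procroot="${2:-/proc}"; sysroot="${3:-/sys}"
    rc=0
    if [ "$(cat "$procroot/sys/net/ipv4/ip_forward" 2>/dev/null)" != "0" ]; then
        echo "FAIL: IPv4 forwarding is enabled"; rc=1
    fi
    if [ "$(cat "$procroot/sys/net/ipv6/conf/all/forwarding" 2>/dev/null)" != "0" ]; then
        echo "FAIL: IPv6 forwarding is enabled"; rc=1
    fi
    # /sys/class/net/<if>/flags is a hex bitmask: IFF_NOARP=0x80, IFF_PROMISC=0x100
    flags=$(cat "$sysroot/class/net/$iface/flags" 2>/dev/null || echo 0)
    flags=$((flags))
    if [ $((flags & 0x80)) -eq 0 ]; then
        echo "FAIL: ARP still enabled on $iface"; rc=1
    fi
    if [ $((flags & 0x100)) -eq 0 ]; then
        echo "FAIL: $iface is not in promiscuous mode"; rc=1
    fi
    return $rc
}

# Usage: ./sensor-harden.sh --audit   (or --harden as root)
if [ "${1:-}" = "--harden" ]; then harden_sniff_iface "$SNIFF_IF"; fi
if [ "${1:-}" = "--audit" ]; then audit_sensor "$SNIFF_IF"; fi
```

The switch-side half of point 2 (an rx-only mirror session with no ingress on the destination port, plus L2 ACLs) still has to be configured on the switch; this script only catches the sensor drifting back into a state where it could talk.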
Current thread:
- IDS Stealth Mode r)(o)(m (Jan 08)
- Re: IDS Stealth Mode Kurt Seifried (Jan 09)
- Re: IDS Stealth Mode M. Dodge Mumford (Jan 10)
- Re: IDS Stealth Mode Talisker (Jan 11)
- Re: IDS Stealth Mode Dave Mitchell (Jan 11)
- Re: IDS Stealth Mode Matt Harris (Jan 11)
- RE: IDS Stealth Mode Aditya (Jan 12)
- RE: IDS Stealth Mode Brito, Nelson (ISS Brazil) (Jan 21)
- Re: IDS Stealth Mode Matt Simmons (Jan 21)
- Re: IDS Stealth Mode Jonas Eriksson (Jan 12)
- Re: IDS Stealth Mode Frank Knobbe (Jan 19)
- Re: IDS Stealth Mode Jonas Eriksson (Jan 12)