IDS mailing list archives

Re: IDS Stealth Mode


From: Dave Mitchell <dmitchell () viawest net>
Date: Thu, 9 Jan 2003 08:30:58 -0700

Theoretically speaking, having a MAC address and a wire, you could be able to somehow 
pass traffic through the IDS into your management network. More than likely a device above
the IDS would have to be compromised in order to give the attacker access to the same L2
broadcast domain so that they could launch ethernet attacks on the IDS. 
There are a few things you can do in order to mitigate risk.

1. Have your management interface terminate on a "DMZ" or other type of restricted network,
so if for some reason the box was compromised, the attacker wouldn't have free rein on your
inside net.

2. Restrict the port mirror on the sniffer interface to only allow ingress frames, and only
allow it to mirror frames destined for other ports, and not its port. This would negate the
ability of someone to pass frames to your sniffer MAC, and prevent that interface from
transmitting frames, whether it be ARPs or whatever. You can also apply L2 access lists to
be even more secure.

3. Depending on which IDS you have, make sure you have IP forwarding disabled from within
the box itself. If you are really paranoid like myself, have the management interface terminate
on a VLAN that can be inspected by a firewall. Restrict inbound traffic from the management
interface to necessities, and you should be as secure as you can make it.

Just my $.02.

-dave

On Wed, Jan 08, 2003 at 08:39:55AM -0600, r)(o)(m wrote:
Retrying this post after 2 days:
A common deployment configuration of Network IDS is to have 2 NICs;
The monitoring interface in "stealth mode" with no IP
and
the "management" interface on a trusted internal network.

My question is:
Has anyone ever exploited the "stealth" interface to traverse networks?
Has anyone (else) ever had to defend such a configuration against the 
argument:
"where there's a wire, there's a way"
?
r)(0)(m
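As an added example, not code from either poster: a sensor-side audit, in POSIX shell, of the stealth-interface properties the reply above recommends on a Linux IDS host (no IP on the sniffer interface, no ARP transmitted from it, IP forwarding off). The interface name eth1, the use of `ip`/`sysctl` output for the checks, and the sample command output are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Checks take command output as text so
# they also run against captured output; eth1 and the samples are constructed.

# audit_stealth ADDR_OUT LINK_OUT IP_FORWARD
#   ADDR_OUT   text of: ip -o addr show dev eth1
#   LINK_OUT   text of: ip -o link show dev eth1
#   IP_FORWARD value of: sysctl -n net.ipv4.ip_forward
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_stealth() {
    addr_out=$1; link_out=$2; ip_forward=$3; rc=0
    # 1. A stealth interface carries no layer-3 address at all.
    case "$addr_out" in
        *" inet "*|*" inet6 "*)
            echo "FAIL: sniffer interface has an IP address"; rc=1 ;;
    esac
    # 2. NOARP stops the kernel from ever transmitting ARP out of the
    #    sniffer port (host-side complement of an ingress-only mirror);
    #    PROMISC is still needed so it sees frames for other MACs.
    case "$link_out" in
        *NOARP*) ;;
        *) echo "FAIL: ARP not disabled on sniffer interface"; rc=1 ;;
    esac
    case "$link_out" in
        *PROMISC*) ;;
        *) echo "FAIL: sniffer interface not in promiscuous mode"; rc=1 ;;
    esac
    # 3. Forwarding off, so a compromised sensor cannot route between the
    #    monitored segment and the management network.
    [ "$ip_forward" = "0" ] || { echo "FAIL: net.ipv4.ip_forward is $ip_forward"; rc=1; }
    return $rc
}

# live_audit [IFNAME]: run the same checks against the running host.
live_audit() {
    ifname=${1:-eth1}
    audit_stealth "$(ip -o addr show dev "$ifname")" \
                  "$(ip -o link show dev "$ifname")" \
                  "$(sysctl -n net.ipv4.ip_forward)"
}

# Constructed samples: a correctly configured sensor and a leaky one.
GOOD_ADDR=''   # no address lines at all
GOOD_LINK='2: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
BAD_ADDR='2: eth1    inet 10.1.1.5/24 brd 10.1.1.255 scope global eth1'
BAD_LINK='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP'
audit_stealth "$GOOD_ADDR" "$GOOD_LINK" 0 && echo "good sample: clean"
audit_stealth "$BAD_ADDR" "$BAD_LINK" 1 || echo "bad sample: 4 findings expected"
```

Run `live_audit eth1` as root on the sensor to check the real interface; the switch-side mirror settings from point 2 still have to be verified on the switch itself.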



