IDS mailing list archives

RE: IDS Stealth Mode


From: "Brito, Nelson (ISS Brazil)" <nbrito () iss net>
Date: Thu, 9 Jan 2003 11:00:59 -0200

About issue #1:
Some time ago, you could crash some NIDS, even using "stealth NIC", with some
tools, such as stick and snot.

Nowadays, I'm not sure about other products, but you cannot crash RealSecure
Network Sensor 7.0 using these tools or any other one.

The only way you were able to exploit the NIDS using "stealth NIC" was using DoS
attacks, crashing the engine or even the host machine. I never saw any
successful attack using "stealth NIC" to gain access to the LAN or any other
internal network.

About issue #2:
Oh, yeah. But when you say that you don't have any protocol "binded" on this NIC
nor "IP Forward" enabled, it's easier for the customer to understand that.

Hope this helps.

Cheers.

Nothing further,
--
Nelson Brito
System Engineer
Internet Security Systems (Brazil)
____________________________________________________
Assembleia, 10/3310        | CEP:    20.011-901
Rio de Janeiro - RJ        | NASDAQ: ISSX
Phone/FAX: 55+21 2232-2929 | WEB:    www.iss.net
Mobile:    55+21 9963-2644 | The power to protect!
____________________________________________________

To contact me directly, please mailto:nbrito () iss net.


-----Original Message-----
From: r)(o)(m [mailto:nom.de.guerre () bonbon net]
Sent: Wednesday, January 08, 2003 12:40 PM
To: focus-ids () securityfocus com
Subject: IDS Stealth Mode


Retrying this post after 2 days:
A common deployment configuration of Network IDS is to have 2 NICs;
The monitoring interface in "stealth mode" with no IP
and
the "management" interface on a trusted internal network.

My question is:
Has anyone ever exploited the "stealth" interface to traverse networks?
Has anyone (else) ever had to defend such a configuration against the
argument:
"where there's a wire, there's a way"
?
r)(0)(m



