Penetration Testing mailing list archives
Re: [PEN-TEST] IDS identification and a personal cry for help :)
From: Dragos Ruiu <dr () DURSEC COM>
Date: Thu, 17 Aug 2000 14:59:05 -0700
On Thu, 17 Aug 2000, Peter Van Epp wrote:
> If one were to install an IDS system correctly, one would change any default ports that the installation routine sets.
> <snip>
> The correctly paranoid install Ethernet or optical (depending on flavor of sniffed connection) condoms, aka the Shomiti Century tap for 10/100/1000 Ethernet UTP or optical from www.shomiti.com, or the NetOptics 80%/20% optical splitters from www.netoptics.com. With them in place and either no management connection or a properly isolated management connection (i.e. no connection to the Internet) it really doesn't matter what ports are or are not open on your IDS, because the tap is one way: it doesn't have a connection to the transmit side of your IDS (except to generate link) and traffic doesn't get back out from the IDS interface. It also is invisible to the tapped line for the same reason; it can't affect the tapped line to get detected.
Even with passive taps on the input spigot of the IDS.... They're all vulnerable in the back end on the output/log spigot... because I have yet to see any net admin have the balls and masochism (:-) to _not_ inter-network their IDS back end net (if they even have one) so they can't access it remotely in _any_ way - only from the local kb.

The only way it's really safe is if it is not networked at _all_ and physically access controlled (and even then there are some half duplex exploits possible - "blind" buffer overflow and clean up scripts. It's possible... remember the tcpdump decode overflow? Or the Sniffit one.... or....). Oh, and burn the logs to non-volatile media like CD just for good measure. :-)

Perhaps draconian... but if you want to be secure, why mess around potentially wasting all that work securing with one little slip up, if you _do_ have some sort of wired access into the IDS. Less chances for this and you will likely have a more robust secure net overall.

Now, that's a paranoid install that I like... :-) Sneakernet all the way, and, again, even air-gap sneakernet can be compromised by targeted log cleaner viruses. And then the solution for that is.... :-) and so on. But by the time you progress to worrying about stuff like _that_, you either have a lot of money to protect or a three letter acronym and/or some serious firepower at the other end of those computers, methinks.

hard-core security, pull the plug, :-)

--dr

--
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
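The reply above worries about the IDS log path being the weak spot, and about "log cleaner" tools that quietly edit or remove entries even on an air-gapped box. One defender-side check that makes such tampering detectable is to hash-chain the log as it is written and carry only the final chain head off the box (on the CD burned with the logs, or simply written down). The following is an added illustration, not code from the thread or from any of the products it names; the log lines, the chaining scheme and the `verify_ledger` helper are all constructed for this example.

```python
import hashlib
import copy

# Constructed sample IDS log lines for the demonstration (not real alerts).
SAMPLE_LOG = [
    "2000-08-17 14:59:05 alert tcp 10.0.0.5:1234 -> 10.0.0.7:80 suspicious-web-request",
    "2000-08-17 14:59:09 alert tcp 10.0.0.5:1235 -> 10.0.0.7:80 suspicious-web-request",
    "2000-08-17 15:01:30 info  login admin from console",
    "2000-08-17 15:02:11 alert udp 10.0.0.9:53 -> 10.0.0.7:53 dns-anomaly",
]

# Fixed starting value so the first entry is chained to something known.
GENESIS = "0" * 64


def chain_entry(prev_hash, line):
    """Hash of this line bound to the hash of everything before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()


def build_ledger(lines):
    """Turn raw log lines into chained entries: each carries prev hash and own hash."""
    ledger = []
    prev = GENESIS
    for line in lines:
        h = chain_entry(prev, line)
        ledger.append({"line": line, "prev": prev, "hash": h})
        prev = h
    return ledger


def head_hash(ledger):
    """The value to store off the IDS (on the burned media, or on paper)."""
    return ledger[-1]["hash"] if ledger else GENESIS


def verify_ledger(ledger, expected_head):
    """Return (ok, index) where index is the first entry that breaks the chain,
    or len(ledger) when the chain is intact but shorter than the recorded head
    (i.e. entries were removed from the end), or None when everything checks out."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or chain_entry(prev, entry["line"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if prev != expected_head:
        return False, len(ledger)
    return True, None


def tampered_copy(ledger, index, new_line=None):
    """Simulate a log cleaner: rewrite entry `index`, or delete it when new_line is None."""
    t = copy.deepcopy(ledger)
    if new_line is None:
        del t[index]
    else:
        t[index]["line"] = new_line
    return t


if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_LOG)
    head = head_hash(ledger)
    print("intact:", verify_ledger(ledger, head))
    print("entry 1 rewritten:", verify_ledger(tampered_copy(ledger, 1, "2000-08-17 14:59:09 info  nothing to see"), head))
    print("entry 2 deleted:", verify_ledger(tampered_copy(ledger, 2), head))
    print("last entry deleted:", verify_ledger(tampered_copy(ledger, 3), head))
```

The chain only helps if the head hash leaves the box by a path the attacker cannot rewrite, which is exactly the point the thread makes about the output spigot: with the head burned to the same write-once media as the log, an edit anywhere shows up at that entry, a deletion in the middle breaks the `prev` link of the following entry, and truncation at the tail leaves a head that no longer matches.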
Current thread:
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Domenico De Vitto (Aug 21)
- <Possible follow-ups>
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Dragos Ruiu (Aug 21)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Dragos Ruiu (Aug 21)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Talisker (Aug 21)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Bill Pennington (Aug 22)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Pedro Quintanilha (Aug 23)
- Re: [PEN-TEST] IDS identification and a personal cry for help :) Bill Pennington (Aug 22)