Wireshark mailing list archives

Re: One NIC on public side


From: "mike () grounded net" <mike () grounded net>
Date: Wed, 19 May 2010 16:28:06 -0500

I didn't realize that you could actually send Wireshark data which it might be able to intercept and process. I don't 
want to take any chances and it sounded hazy. Your reply tells me that while it's ok, can be done, still not a good 
idea. I could use another interface on the firewall but that's getting into unneeded complexities. I think I'll just 
monitor from inside and use outside only when watching real time.

Thanks for your input on this.

Mike


On Wed, 19 May 2010 22:11:07 +0200, Marc Luethi wrote:
 On Wed, 2010-05-19 at 14:05 -0500, mike () grounded net wrote:
 
 It was suggested that I take all protocols off of Nic1 which would make
 it safe to have on the public side.
 
 Definitely. That NIC should be as "quiet" as possible, if anyhow
 possible even completely passive.
 
 
 What I'm looking for is input on just how safe this setup is.
 
 As long as the Interface is completely passive, has no IP address and no
 services/listeners bound to it, it's a safe start.
 
 However, Wireshark is a piece of software that processes any data flow
 to and from your firewall, and its protocol dissectors are not immune to
 attacks:
 
 http://www.wireshark.org/security/
 
 I do not mean to bash Wireshark or anything, it is truly one great piece
 of software, that helped my employer a great deal (even saved us from
 the Spanish inqui... er... the FSA once). But as with all software, bugs
 are there, buffer overflows can happen...
 
 If I were your security officer, I would support this setup only if the
 capturing system's "inside" interface was moved into a DMZ and Wireshark
 was used by some form of remote desktop functionality.
 
 
 regards
 
 Marc
 
 
 ___________________________________________________________________________
 Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
 Archives:    http://www.wireshark.org/lists/wireshark-users
 Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
 mailto:wireshark-users-request () wireshark org?subject=unsubscribe
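
The condition given in the reply above (the capture interface has no IP address and no services/listeners bound to it) can be checked mechanically. The following is an added example, not part of the original thread or of Wireshark. It assumes a Linux capture host and parses saved output of `ip -o addr show` and `ss -H -lntu`; the interface names, sample lines and the function name `audit_capture_nic` are constructed for illustration.

```python
import ipaddress

# Constructed samples (not from the thread), shaped like Linux iproute2
# output of `ip -o addr show` and `ss -H -lntu`. eth1 is the capture NIC;
# it carries only an auto-configured IPv6 link-local address.
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0
3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
"""
SAMPLE_SS = """\
tcp   LISTEN 0  128        0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0  128   192.168.10.5:443    0.0.0.0:*
udp   UNCONN 0  0     0.0.0.0%eth0:68     0.0.0.0:*
udp   UNCONN 0  0     [fe80::a00:27ff:fe4e:66a1]%eth1:546  [::]:*
"""

def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None  # e.g. "*" for a wildcard socket

def audit_capture_nic(iface, addr_text, ss_text):
    """Return (addresses, listeners) that keep `iface` from being passive."""
    addrs = []
    for line in addr_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == iface and f[2] in ("inet", "inet6"):
            addrs.append(ipaddress.ip_interface(f[3]).ip)
    listeners = []
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        host, _, _port = f[4].rpartition(":")   # local address column
        host, _, scope = host.partition("%")    # "%eth1" = bound to a device
        ip = _parse_ip(host.strip("[]"))
        wildcard = host == "*" or (ip is not None and ip.is_unspecified)
        if scope and scope != iface:
            continue                            # bound to a different NIC
        # Conservative: a wildcard socket counts once the NIC has any address.
        if scope == iface or ip in addrs or (wildcard and addrs):
            listeners.append(f[4])
    return [str(a) for a in addrs], listeners

if __name__ == "__main__":
    addrs, listeners = audit_capture_nic("eth1", SAMPLE_ADDR, SAMPLE_SS)
    print("addresses:", addrs or "none")
    print("listeners:", listeners or "none")
```

An interface passes the check only when both returned lists are empty; in the constructed sample, eth1 fails because of its link-local address even though no IPv4 address was ever configured on it.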
