Date:      Sun, 08 Apr 2001 05:45:06 -0700
From:      "Crist J. Clark" <cjclark@alum.mit.edu>
To:        John Howie <JHowie@msn.com>
Cc:        "Jacques A. Vidrine" <n@nectar.com>, Crist Clark <crist.clark@globalstar.com>, lee@kechara.net, freebsd-security@FreeBSD.ORG
Subject:   Re: Theory Question
Message-ID:  <3AD05D51.B2B739BC@alum.mit.edu>
References:  <200104071610.RAA18117@mailgate.kechara.net> <3ACF83FA.55761A7B@globalstar.com> <20010407162552.D87286@hamlet.nectar.com> <058701c0bfad$265e8530$0101a8c0@development.local> <20010407173910.B69155@spawn.nectar.com> <05aa01c0bfb4$ec3a0de0$0101a8c0@development.local> <20010407180040.B87468@hamlet.nectar.com> <05b901c0bfb8$d79a1160$0101a8c0@development.local>

John Howie wrote:

[snip]
 
> If I force would-be
> intruders to have to defeat/circumvent individual measures such as
> firewalls/NAT boxes just to determine my topologies before they can even
> make an attempt at an attack on servers, then most will give up and go away.
> With the correct supporting measures in place, obscuring network topology is
> a valid step to take.

NAT is not a security tool. NAT is a means to conserve network addresses.
It is not particularly difficult to guess at the number of machines behind
a NAT box or to devise the network topology (provided you can get someone on
the inside to try to communicate with you). Obscuring network topology is
not something most people should spend a lot of time worrying about. If a
machine has IP connectivity, it has IP connectivity. The topology of a network
only is a security issue once an attacker has already compromised a box and
you are worried about what he can sniff. If the attacker has that kind of
access to the box, he knows your net topology.

Yes, you do not need to advertise your network arch on a web page or with
ICMP netmask replies, but there is no need to spend any sweat trying to hide
it either.

Again, IMHO. We have descended far into the theoretical here, well past the
realm of a script kiddie. But just as the script kiddie would not gather intel
on your net to figure out how to get around an interface with no IP stack
attached, a script kiddie would be defeated by an IDS _with_ an IP on the
interface, but sane firewall rules on it. Generally speaking, what makes
machines vulnerable is not the kernel's IP stack bound to an interface,
but having vulnerable services listening on it.

I do not think it unreasonable to give that external interface of the IDS
an IP address, but put some seriously stringent firewall (ipf, ipfw) rules
on it (running minimal services is a given of course). Accept only incoming
connections from your secure net and just allow the log traffic in the
firewall. The external attacker is going to have a really hard time finding
this IDS. Your firewall still gives you some protection from the machine if
it were to be subverted.

For the zillionth time, there are no absolutes in security, only trades.
For most of us, making the IDS easy to use makes our network as a whole 
more secure than locking the thing down so hard that we have a really
tough time using it. An IDS that you do not use does not enhance
security.
-- 
Crist J. Clark                                       
cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
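The ruleset the message sketches for an IDS's external interface (accept only inbound connections from the secure net, let only the log traffic out, drop the rest) as an added example, not code from the message, the FreeBSD project or ipfw itself. It renders the policy as ipfw(8) rules and runs a small first-match evaluator over constructed packets so the reader can see which traffic each rule admits. The secure net 192.0.2.0/24, the IDS address 198.51.100.10, the log host 192.0.2.50 and the interface name fxp0 are constructed placeholders; "me", "in/out via", "established" and the deny-by-default rule 65535 follow ipfw's documented semantics, but the evaluator is a simplification (no keep-state, no fragments) written for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: adjust for the real secure net, IDS and log host.
SECURE_NET = ipaddress.ip_network("192.0.2.0/24")   # the "secure net" the message mentions
IDS_ADDR = ipaddress.ip_address("198.51.100.10")    # IDS external interface address ("me")
LOG_HOST = ipaddress.ip_address("192.0.2.50")       # syslog collector receiving IDS logs
IFACE = "fxp0"                                      # IDS external interface


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    direction: str = "in"         # "in" or "out" relative to IFACE
    established: bool = False     # TCP segment with ACK/RST set (ipfw "established")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any)
    src: str                      # CIDR, "me" or "any"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    direction: Optional[str] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not _addr_match(self.src, p.src) or not _addr_match(self.dst, p.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.established and (p.proto != "tcp" or not p.established):
            return False
        return True


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return ipaddress.ip_address(addr) == IDS_ADDR
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


# The policy from the message: inbound only from the secure net (SSH here),
# replies of that service back out, syslog out to the log host, nothing else.
RULES = [
    Rule(100, "allow", "tcp", str(SECURE_NET), "me", dport=22, direction="in"),
    Rule(110, "allow", "tcp", "me", str(SECURE_NET), sport=22, direction="out", established=True),
    Rule(120, "allow", "udp", "me", str(LOG_HOST), dport=514, direction="out"),
    Rule(65000, "deny", "ip", "any", "any"),   # explicit catch-all; 65535 is also deny
]


def ipfw_line(r: Rule) -> str:
    """Render a Rule as the ipfw(8) command an admin would put in rc.firewall."""
    parts = ["ipfw", "add", str(r.number), r.action, r.proto, "from", r.src]
    if r.sport is not None:
        parts.append(str(r.sport))
    parts += ["to", r.dst]
    if r.dport is not None:
        parts.append(str(r.dport))
    if r.direction is not None:
        parts += [r.direction, "via", IFACE]
    if r.established:
        parts.append("established")
    return " ".join(parts)


def evaluate(rules, p: Packet):
    """First matching rule wins, as in ipfw; the kernel default rule 65535 denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, "deny"


# Constructed sample traffic against the IDS interface.
SAMPLES = {
    "ssh_from_secure": Packet("tcp", "192.0.2.7", "198.51.100.10", dport=22, direction="in"),
    "ssh_from_internet": Packet("tcp", "203.0.113.9", "198.51.100.10", dport=22, direction="in"),
    "ssh_reply": Packet("tcp", "198.51.100.10", "192.0.2.7", sport=22, dport=40000,
                        direction="out", established=True),
    "syslog_out": Packet("udp", "198.51.100.10", "192.0.2.50", dport=514, direction="out"),
    "ping_from_internet": Packet("icmp", "203.0.113.9", "198.51.100.10", direction="in"),
    "outbound_http": Packet("tcp", "198.51.100.10", "203.0.113.80", dport=80, direction="out"),
}


def decisions() -> dict:
    return {name: evaluate(RULES, p)[1] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for r in RULES:
        print(ipfw_line(r))
    for name, verdict in decisions().items():
        print(f"{name:20s} {verdict}")
```

The point the evaluator makes is the one in the message: an attacker on the Internet side gets no answer to pings or connection attempts (rules 100 to 120 never match their packets, so the catch-all denies them), while the IDS stays usable from the secure net and can still ship its logs. Because outbound traffic is limited to the syslog flow and replies to accepted sessions, a subverted IDS also cannot freely initiate connections outward, which is the residual protection the message refers to.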




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AD05D51.B2B739BC>