Date: Thu, 9 Sep 1999 13:09:40 -0500 (CDT) From: James Wyatt <jwyatt@rwsystems.net> To: "Lowkrantz, Goran" <Goran.Lowkrantz@infologigruppen.se> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Lisen only NIC Message-ID: <Pine.BSF.4.10.9909091259540.45536-100000@bsdie.rwsystems.net> In-Reply-To: <B500F74C6527D311B61F0000C0DF5ADC07ED7D@valhall.ign.se>
next in thread | previous in thread | raw e-mail | index | archive | help
The only *true* way I know of to get a listen-only NIC, is to physically disconnect the xmit line on the NIC. When I read about this in the "Repelling the wiley hacker" internet firewall/security book and tried it on an old 3Com 3c503, I thought it was sufficient and *really* secure. (The book is so good I've loaned it out so email for ISBN. Great book!) After reading the AntiSniff stuff by the L0pht folks, I'm not so sure. I could send an attack packet to your machine with a forged (or real) return address. When you look-up the hostname in DNS during capture or reporting, I could see (sniff DNS server ENet, hack DNS server, etc) the DNS query and know you saw my packet. I was also under the impression that you didn't have to ifconfig the card (causing ARP, reply packets, etc) to get /dev/bpf0 to work, since it worked at the MAC level. Try not configuring the card in rc.conf and just attaching to the filter for the card. - Jy@ On Thu, 9 Sep 1999, Lowkrantz, Goran wrote: > To check on our DMZs I am building a monitor system with a protected > interface connected to the internal network and a multiport card to monitor > the consoles of the systems in the DMZs. To check for attacks I have setup > Snort and have tested with the Vision IDS but I want to hide the network > interface completely so that it can't be seen or heard or attacked or > anything. I have looked in the handbook, security how-to and searched > mailing lists but not found anything about how to do this. > > The monitor system is on 3-stable, at the moment 3.3RC. > > What I would like to have: > A NIC listening on a connected network using one of the already used > addresses without being seen and without disturbing any traffic. > 1 - Is it possible to configure a NIC this way? > 2 - If not, I have tried to re-use an IP address from the DMZ, set IPFW to > allow all in and nothing out, but an arp from the DMZ still shows the IF. > How do I block this? > 3 - Am I off track? Is there a better way to do this? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.9909091259540.45536-100000>