From owner-freebsd-security Thu Sep 9 11:25:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id E177214FD0 for ; Thu, 9 Sep 1999 11:25:00 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2625 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 9 Sep 1999 13:09:40 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Thu, 9 Sep 1999 13:09:40 -0500 (CDT)
From: James Wyatt
To: "Lowkrantz, Goran"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Lisen only NIC
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The only *true* way I know of to get a listen-only NIC is to physically disconnect the xmit line on the NIC. When I read about this in the "Repelling the Wily Hacker" internet firewall/security book and tried it on an old 3Com 3c503, I thought it was sufficient and *really* secure. (The book is so good I've loaned it out, so email me for the ISBN. Great book!)

After reading the AntiSniff stuff by the L0pht folks, I'm not so sure. I could send an attack packet to your machine with a forged (or real) return address. When you look up the hostname in DNS during capture or reporting, I could see (sniff the DNS server ENet, hack the DNS server, etc.) the DNS query and know you saw my packet.

I was also under the impression that you didn't have to ifconfig the card (causing ARP, reply packets, etc.) to get /dev/bpf0 to work, since it worked at the MAC level. Try not configuring the card in rc.conf and just attaching to the filter for the card.
- Jy@

On Thu, 9 Sep 1999, Lowkrantz, Goran wrote:

> To check on our DMZs I am building a monitor system with a protected
> interface connected to the internal network and a multiport card to monitor
> the consoles of the systems in the DMZs. To check for attacks I have set up
> Snort and have tested with the Vision IDS but I want to hide the network
> interface completely so that it can't be seen or heard or attacked or
> anything. I have looked in the handbook, security how-to and searched
> mailing lists but not found anything about how to do this.
>
> The monitor system is on 3-stable, at the moment 3.3RC.
>
> What I would like to have:
> A NIC listening on a connected network using one of the already used
> addresses without being seen and without disturbing any traffic.
> 1 - Is it possible to configure a NIC this way?
> 2 - If not, I have tried to re-use an IP address from the DMZ, set IPFW to
> allow all in and nothing out, but an arp from the DMZ still shows the IF.
> How do I block this?
> 3 - Am I off track? Is there a better way to do this?
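The leak James describes (the "silent" sensor reverse-resolving an address it captured, which a watcher on the DNS path can see) can be checked for on the sensor's own management-side capture. The following is an added example, not code from either poster: it decodes Ethernet/IPv4/UDP/DNS frames and reports PTR queries that the sensor address itself issued for watched addresses. All function names and the 192.0.2.x / 203.0.113.x addresses are constructed for the example.

```python
import struct

def build_ptr_query(src_ip, dst_ip, lookup_ip):
    """Construct an Ethernet/IPv4/UDP frame carrying a DNS PTR query for lookup_ip (sample input)."""
    labels = lookup_ip.split(".")[::-1] + ["in-addr", "arpa"]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 12, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    src, dst = (bytes(map(int, a.split("."))) for a in (src_ip, dst_ip))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + udp  # zeroed MACs; irrelevant to this check

def parse_dns_question(frame):
    """Return (src_ip, qname, qtype) for a DNS query frame, None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 17:  # IP protocol 17 = UDP
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    udp = ip[(ip[0] & 0x0F) * 4:]
    if struct.unpack("!H", udp[2:4])[0] != 53:
        return None
    dns = udp[8:]
    flags, qdcount = struct.unpack("!HH", dns[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means a response, not a query
        return None
    labels, pos = [], 12
    while dns[pos]:  # length-prefixed labels up to the zero terminator
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", dns[pos + 1:pos + 3])[0]
    return src_ip, ".".join(labels), qtype

def ptr_target(qname):
    """Map '7.113.0.203.in-addr.arpa' back to '203.0.113.7'; None if not a reverse name."""
    suffix = ".in-addr.arpa"
    return ".".join(qname[:-len(suffix)].split(".")[::-1]) if qname.endswith(suffix) else None

def leaked_lookups(frames, sensor_ip, watched_ips):
    """Addresses the sensor itself asked DNS to reverse-resolve; any hit means the 'silent' box spoke."""
    hits = (ptr_target(q) for s, q, t in filter(None, map(parse_dns_question, frames)) if s == sensor_ip and t == 12)
    return [ip for ip in hits if ip in watched_ips]

# Constructed sample: sensor 192.0.2.10 reverse-resolves a captured probe source; 192.0.2.20 is another host
SAMPLE = [build_ptr_query("192.0.2.10", "192.0.2.53", "203.0.113.7"),
          build_ptr_query("192.0.2.20", "192.0.2.53", "203.0.113.7")]
```

Feed it frames captured on the segment the sensor shares with its resolver; an empty result for the addresses the sensor has recently logged is what a truly listen-only box should produce.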