From owner-freebsd-security Sat Apr 7 8:52:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 5896537B42C; Sat, 7 Apr 2001 08:52:11 -0700 (PDT) (envelope-from green@FreeBSD.org)
Received: from localhost (rlzvzr@localhost [127.0.0.1]) by green.dyndns.org (8.11.2/8.11.1) with ESMTP id f37Fosa31021; Sat, 7 Apr 2001 11:50:55 -0400 (EDT) (envelope-from green@FreeBSD.org)
Message-Id: <200104071550.f37Fosa31021@green.dyndns.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: lee@kechara.net
Cc: freebsd-security@FreeBSD.org
Subject: Re: Theory Question
In-Reply-To: Message from Lee Smallbone of "Sat, 07 Apr 2001 16:00:40 BST." <200104071610.RAA18117@mailgate.kechara.net>
From: "Brian F. Feldman"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 07 Apr 2001 11:50:54 -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lee Smallbone wrote:
> Hi there,
>
> I have a theory that I'd like to run past you guys if I may. We have an IDS watching over our network, and currently
> it logs to itself, and has a publicly accessible IP address. Now what I want to do is get it to also log to a second
> machine, privately addressed, and remove the public IP address from the IDS, and use the private machine to run
> stats on and so forth. The primary concern is security. I am of the belief that a machine with no IP address cannot
> be 'hacked' (externally). Is this true in the real world?
>
> The setup would look a little like this.
>
> (My apologies to those of you who do not have fixed-width fonts. See attachment if they're allowed here.)
>
>                              /------\
>                             /Internet\-----[router]-------[switch]----[various servers]
>                            /          \       |              |
>                            ------------       |              |
>                                               |              |
>                                             [IDS]            |
>                                               |         [firewall]
>                                               |              |
>                                               |              |
>                                               |              |
>                                               \          [switch]
>                                                \         /      \
>                                                 \       /        \
>                                                  \     /          \
>                                                   \   /            \
>                                                    \ /      [internal lan]
>                                                    \ /       192.168.1.x
>                                                [IDS Log 2]
>                                                192.168.1.x
>
> Would the direct link to the internal network pose a threat to the rest of the internal LAN?
> Bearing in mind the IDS wouldn't have an IP address?
>
> Any input appreciated.

How is the IDS logging to another machine without any IP address? To do it in a reasonable way, give it two network interfaces, one on the outside and one on the inside. The IDS machine needs to have no form of bridging enabled, of course, and have the public interface used for sniffing have no address of its own. The IDS acts enough like a firewall (passing nothing that's not its own through) to stick the IDS's other interface directly on the internal switch. The IDS logging machine can be off the same switch and then wouldn't need two network cards like it did in the design you propose.

Also, if all your router would be doing there is mirroring traffic in and out to the IDS, you may want to think more carefully about whether you really need both that router and that switch there.

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
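The two-interface layout Brian describes (an addressless sniffing interface outside, an addressed interface on the internal switch, no bridging or forwarding between them, logs shipped to a private host) can be expressed as configuration and then verified. The script below is an added example and is not code from the thread or from FreeBSD; the interface names fxp0/fxp1, the addresses 192.168.1.5 and 192.168.1.10, the rc.conf/syslog.conf fragments (FreeBSD 4.x era conventions) and the ifconfig/sysctl samples are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Sketches the intended
# configuration of a passive IDS with two NICs and checks the two properties
# that make the design safe: the sniffing interface carries no IP address,
# and the box neither bridges nor forwards between its interfaces.
# Interface names, addresses and sample outputs below are assumptions.

# --- 1. Intended /etc/rc.conf fragment (FreeBSD 4.x style, assumed) ---
RC_CONF_FRAGMENT='
ifconfig_fxp0="up"                                      # outside: link up, no address
ifconfig_fxp1="inet 192.168.1.5 netmask 255.255.255.0"  # inside: reaches the log host
gateway_enable="NO"                                     # no IP forwarding
'

# --- 2. /etc/syslog.conf fragment: ship everything to the private log host ---
SYSLOG_CONF_FRAGMENT='
*.*     @192.168.1.10
'

# --- 3. check_sniff_iface IFCONFIG_OUTPUT IFACE ---
# Prints OK when IFACE has no "inet" line in the ifconfig output (safe as a
# passive sniffing port), FAIL when it carries an address.
check_sniff_iface() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[a-z0-9]+:/ { cur = $1; sub(/:$/, "", cur) }   # "fxp0:" starts a block
        cur == want && $1 == "inet" { found = 1 }        # indented "inet ..." line
        END { print (found ? "FAIL" : "OK") }'
}

# --- 4. check_sysctls "name=value" lines ---
# Prints OK only if bridging and IP forwarding are both off.
check_sysctls() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "net.link.ether.bridge"  && $2 != "0" { bad = 1 }
        $1 == "net.inet.ip.forwarding" && $2 != "0" { bad = 1 }
        END { print (bad ? "FAIL" : "OK") }'
}

# --- Constructed sample data (not captured from a real host) ---
SAMPLE_IFCONFIG_GOOD='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:a0:c9:12:34:56
        media: Ethernet autoselect (100baseTX <full-duplex>)
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:a0:c9:65:43:21
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Same box, but someone left a public address on the sniffing interface.
SAMPLE_IFCONFIG_BAD='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
        ether 00:a0:c9:12:34:56
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:a0:c9:65:43:21'

SAMPLE_SYSCTL_GOOD='net.link.ether.bridge=0
net.inet.ip.forwarding=0'

SAMPLE_SYSCTL_BAD='net.link.ether.bridge=1
net.inet.ip.forwarding=0'

# Stand-alone usage: on a live host replace the samples with
#   "$(ifconfig -a)" and "$(sysctl -n ... )"-style output.
echo "fxp0 sniffing interface (good sample): $(check_sniff_iface "$SAMPLE_IFCONFIG_GOOD" fxp0)"
echo "fxp0 sniffing interface (bad sample):  $(check_sniff_iface "$SAMPLE_IFCONFIG_BAD" fxp0)"
echo "bridge/forwarding (good sample):       $(check_sysctls "$SAMPLE_SYSCTL_GOOD")"
echo "bridge/forwarding (bad sample):        $(check_sysctls "$SAMPLE_SYSCTL_BAD")"
```

The check on the inside interface (fxp1) is expected to report FAIL, since that one must have an address to reach the log host; only the outside interface is meant to be addressless. Both checks are cheap enough to run from cron so that a later "helpful" configuration change does not quietly turn the sensor back into a reachable host.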