Date:      Sat, 7 Apr 2001 16:16:44 -0400
From:      Mipam <mipam@ibb.net>
To:        Lee Smallbone <lee@kechara.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Theory Question
Message-ID:  <20010407161644.C2212@bootp-20-219.bootp.virginia.edu>
In-Reply-To: <200104071610.RAA18117@mailgate.kechara.net>; from lee@kechara.net on Sat, Apr 07, 2001 at 04:00:40PM +0100
References:  <200104071610.RAA18117@mailgate.kechara.net>

> I am of the belief that a machine with no IP address cannot
>  be 'hacked' (externally), is this true in the real world?

Well ... not by any IP traffic for sure, but if it serves as a bridge
between certain segments and serves as a firewall, for example,
then you could try to flood it :) by sending loads of traffic to the
machines behind it. But in this case it only operates on the
layer below the IP layer, for it only looks at MAC addresses to forward
traffic, but it also does filtering on the IP layer ....
That's wrong, well, it's a nice solution for making it practically
impossible to hack the machine from outside the network.
(Please, I ain't trying to start a religious war here, just some thoughts of my own
for what they're worth).

> 
>   /------\          
>  /Internet\-----[router]-------[switch]----[various servers]       
> /          \       |               |
> ------------       |               | 
> 		   |               | 
> 		 [IDS]		   |
>                    |          [firewall]
>                    |               |
>                    |               |
>                    |               |
>                    \           [switch]    
>                     \           /   \
>                      \         /     \ 
>                       \       /       \
>                        \     /         \
>                         \   /     [internal lan] 
>                          \ /       192.168.1.x
>                       [IDS Log 2]
>                       192.168.1.x

Hmm, looks a bit weird to me.
So you're going to tell the router that all traffic also has
to be passed out on the interface to which the IDS machine is connected?

Why not like this:

			router
			|     \
			|      switch 
			|  (dmz (screened subnet))
			|    / | | | \
			|   /         ids
			|  /
			firewall
			|
			switch
			|     \
		internal lan   ids

Now also do some filtering on the router so that the DMZ is not completely
unprotected. Tell the switches to mirror all the traffic from their other ports
to that of the IDS.
Just give the IDS IP addresses (not strictly necessary).
And close all UDP/TCP ports (only if it has an IP address) on it
and block ICMP traffic (for the paranoid). All the IDS has to do
is to listen passively and not generate any traffic at all.
You could of course allow ssh2 to the IDS from certain internal IPs.
But then also allow ICMP 3/4 from the firewall to the IDS,
for the case that the firewall in between can't handle the same MTU as
the IDS ... (... ahem).
For logging to other machines you need to allow IP traffic to the IDS indeed.
But if you wish to do that, you surely must give the IDSs an IP.
This is far, far from complete etc., but that was not my intention anyway.
Just some suggestions.
Bye,

Mipam.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
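The sensor policy sketched in the message above (a sniffing interface with no IP address that never transmits, a management interface that accepts ssh only from a few internal hosts and ICMP type 3 code 4 only from the firewall, and outbound logging to a log host), written out as an added example. This is not code from the thread, from its author, or from FreeBSD itself; it is a pf.conf generator for a FreeBSD sensor, and the interface names (em0/em1), addresses, admin hosts and log host in it are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: generates a pf.conf
# implementing the passive-sensor policy described in the post, plus the
# ifconfig/pfctl calls that would apply it on a FreeBSD sensor.
# Interface names, addresses and the log host below are assumed placeholders.

# Constructed parameters (assumptions; override via the environment).
SNIFF_IF=${SNIFF_IF:-em1}                      # mirror-port interface, no IP address
MGMT_IF=${MGMT_IF:-em0}                        # management interface on the internal LAN
FW_IP=${FW_IP:-192.168.1.1}                    # firewall allowed to send ICMP 3/4
LOGHOST=${LOGHOST:-192.168.1.20}               # syslog collector
ADMINS=${ADMINS:-"192.168.1.10 192.168.1.11"}  # hosts allowed to ssh in

# gen_pf_conf SNIFF_IF MGMT_IF FW_IP LOGHOST "ADMIN1 ADMIN2 ..."
# Prints a pf.conf: default deny both ways on the management interface, ssh
# only from the admin hosts, ICMP unreachable/needfrag only from the firewall,
# syslog out to the log host, and nothing at all on the sniffing interface.
gen_pf_conf() {
    printf 'sniff_if = "%s"\n' "$1"
    printf 'mgmt_if  = "%s"\n' "$2"
    printf 'fw_ip    = "%s"\n' "$3"
    printf 'loghost  = "%s"\n' "$4"
    printf 'admins   = "{ %s }"\n' "$5"
    cat <<'EOF'

set skip on lo0
# Drop silently instead of answering with RST/unreachable, so a scanner
# learns nothing from the sensor.
set block-policy drop

# The sniffing interface must never emit a packet: drop everything on it.
block drop quick on $sniff_if all

# Default deny in and out on the management interface.
block drop in on $mgmt_if all
block drop out on $mgmt_if all

# ssh from the admin hosts only (restricting sshd to protocol 2 is done in
# sshd_config, not here); keep state so replies get out without an out rule.
pass in quick on $mgmt_if inet proto tcp from $admins to ($mgmt_if) port 22 \
    flags S/SA keep state

# ICMP type 3 code 4 (fragmentation needed) from the firewall only, so path
# MTU discovery still works if the firewall's MTU is smaller than ours.
pass in quick on $mgmt_if inet proto icmp from $fw_ip to ($mgmt_if) \
    icmp-type unreach code needfrag

# Remote logging is the one thing the sensor initiates: syslog to the log host.
pass out quick on $mgmt_if inet proto udp from ($mgmt_if) to $loghost port 514 \
    keep state
EOF
}

# apply_sensor_config SNIFF_IF: bring the sniffer up with no address, in
# promiscuous and monitor mode (received frames go to bpf only, nothing is
# transmitted), with ARP disabled, then load the generated ruleset.
apply_sensor_config() {
    ifconfig "$1" up promisc monitor -arp
    gen_pf_conf "$SNIFF_IF" "$MGMT_IF" "$FW_IP" "$LOGHOST" "$ADMINS" > /etc/pf.conf
    pfctl -e 2>/dev/null || true   # enable pf if it is not already running
    pfctl -f /etc/pf.conf
}

# With no arguments just print the ruleset; "apply" installs it (needs root).
if [ "${1:-}" = "apply" ]; then
    apply_sensor_config "$SNIFF_IF"
else
    gen_pf_conf "$SNIFF_IF" "$MGMT_IF" "$FW_IP" "$LOGHOST" "$ADMINS"
fi
```

Run without arguments to review the generated pf.conf; `sh sensor.sh apply` installs it. The management interface keeps its IP and only the three listed flows are allowed, which is the middle ground the message describes between a sensor with no address at all and one you can still reach over ssh and log from.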




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010407161644.C2212>