Date: Sat, 7 Apr 2001 16:16:44 -0400 From: Mipam <mipam@ibb.net> To: Lee Smallbone <lee@kechara.net> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Theory Question Message-ID: <20010407161644.C2212@bootp-20-219.bootp.virginia.edu> In-Reply-To: <200104071610.RAA18117@mailgate.kechara.net>; from lee@kechara.net on Sat, Apr 07, 2001 at 04:00:40PM %2B0100 References: <200104071610.RAA18117@mailgate.kechara.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> I am of the belief that a machine with no IP address cannot > be 'hacked' (externally), is this true in the real world? Well .. not by any ip traffic for sure, but if it serves as a bridge between certain segments and serves as firewall for example, then you could try to flood it :) by sending loads of traffic to the machines behind it. But in this case it only operates on the layer below the ip layer, for it only looks to mac addresses to forward traffic, but it also does filtering on ip layer .... Thats wrong, well, it's a nice solution for making it pratically impossible to hack the machine from outside the network. (Plz i aint try to start a religious war here, just some thoughts of my own for what they're worth). > > /------\ > /Internet\-----[router]-------[switch]----[various servers] > / \ | | > ------------ | | > | | > [IDS] | > | [firewall] > | | > | | > | | > \ [switch] > \ / \ > \ / \ > \ / \ > \ / \ > \ / [internal lan] > \ / 192.168.1.x > [IDS Log 2] > 192.168.1.x Hmm, looks a bit weird to me. So you're gonna tell the router that all traffic also has to be passed out on the interface to which the ids machine is connected? Why not like this: router | \ | switch | (dmz (screened subnet)) | / | | | \ | / ids | / firewall | switch | \ internal lan ids Now also do some filtering on the router so that the dmz is not completly unprotected. Tell the switches to mirror all the traffic from its other ports to that of the ids. Just give the ids ip addresses (not strictly necessary). And close all udp/tcp ports (only if it has an ip address) on it and block icmp traffic (for the paranoid). All the ids has to do is to listen passively and not generate any traffic at all. You could of course allow ssh2 to the ids from certain internal ip's. But then also allow icmp 3/4 from the firewall to the ids, for the case that the firewall in between cant handle the same mtu as the ids ... (... ahem). For logging to other machines you need to allow ip traffic to the ids indeed. But if you wish to do that, you surely must give the ids's an ip. This is far, far from complete etc, but that was not my intention anyway. Just same suggestions. Bye, Mipam. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010407161644.C2212>