From owner-freebsd-security Sat Apr 7 16: 0:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 6031937B422 for ; Sat, 7 Apr 2001 16:00:41 -0700 (PDT) (envelope-from nectar@nectar.com) Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id 5753718D29; Sat, 7 Apr 2001 18:00:40 -0500 (CDT) Received: (from nectar@localhost) by hamlet.nectar.com (8.11.3/8.9.3) id f37N0eR87509; Sat, 7 Apr 2001 18:00:40 -0500 (CDT) (envelope-from nectar@spawn.nectar.com) Date: Sat, 7 Apr 2001 18:00:40 -0500 From: "Jacques A. Vidrine" To: John Howie Cc: Crist Clark , lee@kechara.net, freebsd-security@FreeBSD.ORG Subject: Re: Theory Question Message-ID: <20010407180040.B87468@hamlet.nectar.com> Mail-Followup-To: "Jacques A. Vidrine" , John Howie , Crist Clark , lee@kechara.net, freebsd-security@FreeBSD.ORG References: <200104071610.RAA18117@mailgate.kechara.net> <3ACF83FA.55761A7B@globalstar.com> <20010407162552.D87286@hamlet.nectar.com> <058701c0bfad$265e8530$0101a8c0@development.local> <20010407173910.B69155@spawn.nectar.com> <05aa01c0bfb4$ec3a0de0$0101a8c0@development.local> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <05aa01c0bfb4$ec3a0de0$0101a8c0@development.local>; from JHowie@msn.com on Sat, Apr 07, 2001 at 03:48:53PM -0700 X-Url: http://www.nectar.com/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, Apr 07, 2001 at 03:48:53PM -0700, John Howie wrote: > Agreed! And the hacker would also need to have intimate knowledge of your > network configuration to be able to supply the correct parameters to > ifconfig in the scenario that Crist outlined. Well, no. Arbitrary code is just that: arbitrary. Arbitrary code can determine a working configuration for any network interface. And in many cases it will not even be necessary to `ifconfig' the interface to use it. > One item that was missing from > the original design was an exterior DMZ firewall (or perhaps I just missed > that component) running NAT. Key to securing the infrastructure is making it > as difficult as possible for a hacker to determine DMZ and production > network topologies and machine addresses. If the `key' to your security is obscurity of your internal network configuration, expect to be comprimised. This information is not hard to obtain by a determined attacker, and technology is probably not even an issue. Cheers, -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message