From owner-freebsd-security  Sat Apr  7 16: 0:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153])
	by hub.freebsd.org (Postfix) with ESMTP id 6031937B422
	for <freebsd-security@FreeBSD.ORG>; Sat,  7 Apr 2001 16:00:41 -0700 (PDT)
	(envelope-from nectar@nectar.com)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102])
	by gw.nectar.com (Postfix) with ESMTP
	id 5753718D29; Sat,  7 Apr 2001 18:00:40 -0500 (CDT)
Received: (from nectar@localhost)
	by hamlet.nectar.com (8.11.3/8.9.3) id f37N0eR87509;
	Sat, 7 Apr 2001 18:00:40 -0500 (CDT)
	(envelope-from nectar@spawn.nectar.com)
Date: Sat, 7 Apr 2001 18:00:40 -0500
From: "Jacques A. Vidrine" <n@nectar.com>
To: John Howie <JHowie@msn.com>
Cc: Crist Clark <crist.clark@globalstar.com>, lee@kechara.net,
	freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question
Message-ID: <20010407180040.B87468@hamlet.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" <n@nectar.com>,
	John Howie <JHowie@msn.com>,
	Crist Clark <crist.clark@globalstar.com>, lee@kechara.net,
	freebsd-security@FreeBSD.ORG
References: <200104071610.RAA18117@mailgate.kechara.net> <3ACF83FA.55761A7B@globalstar.com> <20010407162552.D87286@hamlet.nectar.com> <058701c0bfad$265e8530$0101a8c0@development.local> <20010407173910.B69155@spawn.nectar.com> <05aa01c0bfb4$ec3a0de0$0101a8c0@development.local>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <05aa01c0bfb4$ec3a0de0$0101a8c0@development.local>; from JHowie@msn.com on Sat, Apr 07, 2001 at 03:48:53PM -0700
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Apr 07, 2001 at 03:48:53PM -0700, John Howie wrote:
> Agreed! And the hacker would also need to have intimate knowledge of your
> network configuration to be able to supply the correct parameters to
> ifconfig in the scenario that Crist outlined. 

Well, no.  Arbitrary code is just that: arbitrary.  Arbitrary code can
determine a working  configuration for any network  interface.  And in
many cases it  will not even be necessary to  `ifconfig' the interface
to use it.

> One item that was missing from
> the original design was an exterior DMZ firewall (or perhaps I just missed
> that component) running NAT. Key to securing the infrastructure is making it
> as difficult as possible for a hacker to determine DMZ and production
> network topologies and machine addresses.

If the  `key' to your security  is obscurity of your  internal network
configuration, expect to be comprimised.  This information is not hard
to obtain  by a  determined attacker, and  technology is  probably not
even an issue.

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message