Date:      Sat, 07 Apr 2001 14:17:46 -0700
From:      "Crist Clark" <crist.clark@globalstar.com>
To:        lee@kechara.net
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Theory Question
Message-ID:  <3ACF83FA.55761A7B@globalstar.com>
References:  <200104071610.RAA18117@mailgate.kechara.net>

Lee Smallbone wrote:
> 
> Hi there,
> 
>  I have a theory that I'd like to run past you guys if I may. We have an IDS watching over our network, and currently
>  it logs to itself, and has a publicly accessible IP address. Now what I want to do is get it to also log to a second
>  machine, privately addressed, and remove the public IP address from the IDS, and use the private machine to run
>  stats on and so forth. The primary concern is security. I am of the belief that a machine with no IP address cannot
>  be 'hacked' (externally), is this true in the real world?

No. There is no such thing as a box on a network that 'cannot be hacked.'

A possible scenario: Your IDS is listening to the unprotected link to 
the Internet and chugging away, crunching the data passing by looking
for attack signatures. Hiding somewhere in the bowels of this large
and complex IDS program[0] is a buffer overflow vulnerability. EvulHax0r
sends a crafted series of packets past the box which trip the buffer
overflow and execute arbitrary code of his choosing on the box. Game 
over. His code could attach an IP stack to the external interface 
(just run ifconfig), it could open a tunnel through the backside of
the IDS and back out of the front[1] of your network, or if EvulHax0r 
is really 33l33t, he could set up a covert channel on the external 
interface that does not use the kernel stack.

This is all possible, but not probable. You must weigh the risks and
benefits of having the IDS setup in this manner versus other 
configurations. Security is almost always a series of trade offs. 
The only absolutely secure network configuration is not to have 
the device connected to the network at all. There is no such thing
as a box on a network that 'cannot be hacked.'

[0] An IDS program does not need to be all that big and complex to
have vulnerable code hiding in it. Both Snort and tcpdump have had
their share of exploitable buffer overruns.

[1] Note that in this situation, going that extra step of physically
disabling transmission of data on the external interface (snipping
or shorting wires) will not save you either.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com
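The scenario above ends with the compromised sensor growing an IP stack on its sniffing interface ("just run ifconfig") or starting to transmit on a link that should only ever receive. Those are observable symptoms, and a defender running a stealth IDS can watch for them from a second, trusted host. The following is an added example, not code from the thread or from any IDS project: it parses FreeBSD-style `ifconfig` output for a monitor interface (the interface name `em1` and the sample outputs are constructed, not captured) and compares two TX packet counts that the caller has snapshotted from `netstat -I em1 -b` or similar (how that count is obtained is left to the caller and is an assumption here). Any inet or inet6 address, loss of promiscuous mode, or a rising TX counter on a receive-only interface is reported as an alert.

```python
"""Spot a sniff-only IDS interface that has acquired an IP stack or begun
transmitting, the post-compromise symptoms described in the thread.

Added example, not part of the original thread. The ifconfig samples and
counter values below are constructed for illustration."""
import re
from typing import List, Tuple

# Constructed sample: the monitor interface in its intended state, up and
# promiscuous but with no inet/inet6 address at all.
CLEAN_IFCONFIG = """\
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:01
\tmedia: Ethernet autoselect (100baseTX <full-duplex>)
\tstatus: active
"""

# Constructed sample: the same interface after someone has configured an
# address on it (the "just run ifconfig" step in the scenario).
TAMPERED_IFCONFIG = """\
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:01
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
\tinet6 fe80::200:5eff:fe00:5301%em1 prefixlen 64 scopeid 0x2
\tmedia: Ethernet autoselect (100baseTX <full-duplex>)
\tstatus: active
"""

# Matches the indented "inet ..." / "inet6 ..." lines of ifconfig output.
ADDR_RE = re.compile(r"^\s+(inet6?)\s+(\S+)", re.MULTILINE)


def configured_addresses(ifconfig_output: str) -> List[Tuple[str, str]]:
    """Return (family, address) pairs found in ifconfig output.

    Link-local inet6 addresses are reported as well: a receive-only monitor
    interface should have IPv6 autoconfiguration disabled, so even an
    fe80:: address counts as a deviation from the baseline (assumption)."""
    return ADDR_RE.findall(ifconfig_output)


def monitor_interface_alerts(ifconfig_output: str,
                             tx_before: int, tx_after: int) -> List[str]:
    """Compare the interface against the 'no address, never transmits'
    baseline and return one human-readable alert per deviation."""
    alerts: List[str] = []
    for family, addr in configured_addresses(ifconfig_output):
        alerts.append(f"{family} address {addr} configured on monitor interface")

    # Flags live on the first line; a sensor that stops sniffing
    # promiscuously is also worth a look.
    first_line = ifconfig_output.split("\n", 1)[0]
    if "PROMISC" not in first_line:
        alerts.append("interface is no longer in promiscuous mode")

    # A receive-only interface should never send. Counters that go
    # backwards usually mean a reset or wrap, which is still worth noting.
    if tx_after < tx_before:
        alerts.append("TX counter went backwards (interface reset or counter wrap)")
    elif tx_after > tx_before:
        alerts.append(f"{tx_after - tx_before} packets transmitted "
                      "from a receive-only interface")
    return alerts


if __name__ == "__main__":
    # In live use, feed the output of `ifconfig em1` captured over the
    # private management link and two TX packet counts taken some
    # interval apart; here the constructed samples stand in for both.
    for label, output, before, after in (
        ("baseline", CLEAN_IFCONFIG, 0, 0),
        ("tampered", TAMPERED_IFCONFIG, 0, 17),
    ):
        print(f"{label}:")
        for alert in monitor_interface_alerts(output, before, after) or ["ok"]:
            print("  " + alert)
```

The check is only as trustworthy as the host it runs on: collect the ifconfig output and counters from the private stats machine over the back-end link, not from a process on the IDS itself, since a compromised sensor can lie about its own state. Footnote [1] also applies: if transmission has been physically disabled, the TX counter check tells you nothing about covert channels that bypass the kernel stack, so treat this as one signal among several rather than proof of integrity.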
