OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: Unhackable network really unhackable?

From: Kurt Seifried (btseifried.org)
Date: Fri Nov 28 2003 - 17:22:40 CST


>Furthermore we would like to point out that InvisiLAN technology has no
relation
>whatsoever with DHCP, for example InvisiLAN changes randomly not just the
IP
>address but also the MAC address and the port numbers.

I don't see how MAC address changes would help for several reasons:

1) across the internet, let's face it. no-one cares what your MAC address
is.
2) on local networks I can wtach arp traffic
3) you can no longer do port locking on switches to a given MAC address

I assume the invisilan technology needs some sort of client/server setup
with a master to track all the IP/MAC/port changes, otherwise client systems
will never be able to connect properly to servers. This would seem to me to
be a nice vulnerability point.

Assuming the MAC address keeps changing any established connections can be
more easily hijacked by assuming the old MAC address (which the victim was
polite enough to give up on it's own).

As far as I can tell this actually makes it sound like it would make a local
attackers life easier. Firewalling can't really be used to restrict access
to systems since the ports/ip keep changing, any IDS solution is going to
yack up hairballs, assuming you can ever get it tuned to actually see the
traffic properly, etc, etc.

As for remote attackers, ok, it makes life a bit harder, but wouldn't those
remote people who shouldn't be accerssing you be firewalled anyways?

All in all it sounds like a wonky technology that hasn't been clearly
thought out, and doesn't really address an identifiable problem. But boy,
does it ever sound cool (I suppose one star out of five for sheer chutzpah
is ok).

Kurt Seifried, kurtseifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/