Re: tcpdump installation on unix firewall?
Matt Curtin (cmcurtin@interhack.net)
28 Aug 1999 17:38:16 -0400
- Next message: Siglite: "Re: tcpdump installation on unix firewall?"
- Previous message: Paul D. Robertson: "(no subject)"
- In reply to: Steven M. Bellovin: "(no subject)"
- Next in thread: Siglite: "Re: tcpdump installation on unix firewall?"
>>>>> On 27 Aug 1999 15:02:30 +0200, Andreas.Bolatzki@ch.danzas.com said:
Andreas> Do you consider it an utterly bad idea to install a packet
Andreas> sniffer on a firewall. (HP box running FW-1).
Yes.
You do not want to provide any tools for an attacker who has
compromised your bastion host to use against you. This is the reason
why bastion hosts are typically "stripped down", having no compilers,
common utilities, or anything that might be of use to attackers. If
someone does manage to compromise a machine, he'll have enough
difficulty getting it to do anything useful or interesting to him that
you'll (hopefully) have enough time to catch the breach and address
it. Perhaps by that point, he'll get frustrated and go find some site
with an NT box^H^H^H^H^H^Heasier target.
If you need to find out what's happening, do one of a few things:
o Get yourself a real sniffer (these can get pricey, so I can see why
you might want to avoid that. Especially if it's a 10Mb network
where host-based tools are fairly easy to get.)
o Have a separate machine on the network that's not so exposed do the
sniffing for you
o Dedicate a host to the job of sniffing, perhaps something along the
lines of a Network Flight Recorder, http://www.nfr.net/.
[I have no connection with NFR and don't feel particularly obligated
to plug them because they host the list. What they have is a tool
that will help you address exactly the problem that you have.]
You can get a research version of NFR to play around with it and see
how it works, but don't try to use that for production. That would be
naughty. Go for the full-blown product, which will give you the
support that you'll want.
--
Matt Curtin cmcurtin@interhack.net http://www.interhack.net/people/cmcurtin/
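One way to turn the "stripped-down bastion host" principle from the post into a routine check is a small audit script that reports compilers, packet sniffers and file-transfer utilities still present on the host. This is an added example, not code from the post or from any product mentioned in it; the tool list and the set of directories searched are assumptions that you would adjust for your own platform.

```shell
#!/bin/sh
# Audit a bastion host for executables that an intruder who has compromised
# the box could turn against the site: compilers and linkers, scripting
# interpreters, packet sniffers and network transfer tools.
# Hypothetical example; the list below is an assumption, not a standard.
UNWANTED_TOOLS="gcc cc g++ make ld as perl python tcpdump snoop nc netcat telnet ftp wget curl"

# bastion_audit DIR...: print the full path of every unwanted executable
# found directly inside the given directories. Returns 0 when the host is
# clean and 1 when at least one unwanted tool was found, so the function
# can drive a cron job or a pre-deployment check.
bastion_audit() {
    found=0
    for dir in "$@"; do
        for tool in $UNWANTED_TOOLS; do
            if [ -x "$dir/$tool" ]; then
                printf '%s\n' "$dir/$tool"
                found=1
            fi
        done
    done
    return $found
}

# audit_host: run the audit over the usual binary directories
# (assumed layout for a Unix bastion host).
audit_host() {
    bastion_audit /bin /usr/bin /sbin /usr/sbin /usr/local/bin
}

# When executed directly, report the result for this machine.
if audit_host; then
    echo "OK: no unwanted tools found in the standard binary directories"
else
    echo "WARNING: unwanted tools present above; remove them or move them off the bastion host"
fi
```

Run it from cron on the bastion host and alert on any non-empty output; a tool reappearing after the host was stripped is itself worth investigating.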
This archive was generated by hypermail 2.0b3 on Mon Aug 30 1999 - 23:40:29 CDT