Without thinking about this too much, I think I'd have to say that it is
definitely possible for this to happen. Any time code is run with arbitrary
input, improper buffers or other problems can allow for the execution of
arbitrary code. Of course, this cannot happen without a bug in the IDS
software, and to truly assess the risk of such an attack, one would have to
determine whether the code that analyses the packets is privileged or not.
If the code is privileged, the risk is much higher. Normally, I don't
believe that NIDS machines are trusted by other machines on the network, so
the risk of compromising the rest of the network is limited. For the
ultra-paranoid, it might be a good idea to quarantine the NIDS by doing as
you said, cutting the TX wires on the listen interface, and then using the
other interface with a cross-over cable to a management box in the same
room. Of course, this eliminates remote manageability, so it might not be
desirable.

I would consider the likelyhood of this sort of attack to be low, since it
would be hard for an attacker to determine that a NIDS is listening, let
alone which vendor and version. Nonetheless, the possibility does exist.

Jon Gary
Click To Secure, Inc.
http://www.clicktosecure.com

-----Original Message-----
From: Focus on Intrusion Detection Systems
[mailto:FOCUS-IDSSECURITYFOCUS.COM]On Behalf Of Michael Lea
Sent: Tuesday, January 09, 2001 12:43 PM
To: FOCUS-IDSSECURITYFOCUS.COM
Subject: Two-headed NIDS - security risk?

*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x8A90644C
*** Signed: 1/9/2001 12:43:39 PM
*** Verified: 1/9/2001 1:03:34 PM
*** BEGIN PGP VERIFIED MESSAGE ***

One common suggestion I've seen for implementing NIDS is to have two
interfaces in the box. One interface is unaddressed, and is used to
monitor the target network. The other interface has an address and is
connected to a network that is isolated from the target. This second
interface is used for management, alerting, and whatever else you might
want the box to do.

For the especially paranoid, people have recommended snipping the TX wires
on the unaddressed interface or using some sort of tap to enforce a
listen-only behaviour.

The theory behind this, as I understand it, is that since the NIDS does
not have an addressable interface on the monitored (and "untrusted")
network, it is not subject to attacks. However, as NIDS is becoming more
complex with protocol decoding and the like, isn't it possible (even
likely) that an attacker could craft an attack that would cause the NIDS
to execute arbitrary code and be used as a launching point for an attack
into the "trusted" world.

You can take the recent (i.e. November) protocol decode bugs in Ethereal
and tcpdump as an example of this in action.

Have those of you with two-headed NIDS considered this? Is it a serious
concern, or am I being overly paranoid? Is there a solution?

- Mike

*** END PGP VERIFIED MESSAGE ***

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]