From: Mahn, Chris (chmahnDUKE-ENERGY.COM)
Date: Tue Jan 09 2001 - 15:26:48 CST


     Michael,

     I would be interested in hearing more on this subject. I don't quite know
    how you would craft a packet and send it to a server that does not have an
    IP address. What's more, when the NIDS sniffs the packets, what would
    cause the NIDS to execute the code?

     Could you give me links to the November protocol decode bugs from Ethereal
    and tcpdump that you mentioned? Thanks...

    --Chris

    Michael Lea <mleaATOMICBLUEBEAR.ORG>
    Sent by: Focus on Intrusion Detection Systems <FOCUS-IDSSECURITYFOCUS.COM>
    To: FOCUS-IDSSECURITYFOCUS.COM
    cc:
    Subject: Two-headed NIDS - security risk?
    01/09/01 03:43 PM
    Please respond to Michael Lea

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    One common suggestion I've seen for implementing NIDS is to have two
    interfaces in the box. One interface is unaddressed, and is used to
    monitor the target network. The other interface has an address and is
    connected to a network that is isolated from the target. This second
    interface is used for management, alerting, and whatever else you might
    want the box to do.

    For the especially paranoid, people have recommended snipping the TX wires
    on the unaddressed interface or using some sort of tap to enforce a
    listen-only behaviour.

    The theory behind this, as I understand it, is that since the NIDS does
    not have an addressable interface on the monitored (and "untrusted")
    network, it is not subject to attacks. However, as NIDS is becoming more
    complex with protocol decoding and the like, isn't it possible (even
    likely) that an attacker could craft an attack that would cause the NIDS
    to execute arbitrary code and be used as a launching point for an attack
    into the "trusted" world?

    You can take the recent (i.e. November) protocol decode bugs in Ethereal
    and tcpdump as an example of this in action.

    Have those of you with two-headed NIDS considered this? Is it a serious
    concern, or am I being overly paranoid? Is there a solution?

    - - Mike
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (FreeBSD)
    Comment: Made with pgp4pine 1.75-6

    iEYEARECAAYFAjpbd/sACgkQc9EFi4qQZEyZRgCfSHaV2iCstKkJ/5wdvwAlu/Cp
    7BYAoNswHnZj4WIVBzGmK7t4cLGaD1YG
    =6Dfj
    -----END PGP SIGNATURE-----
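The question in Chris's reply (how can a box with no IP address be attacked, and what would make it run anything) comes down to one point from Mike's post: a sniffing NIDS hands every frame on the wire to its protocol decoders, whether or not the frame is addressed to the sensor, so the decoder itself is the exposed surface. The Python below is an added illustration of that, written for this archive page; it is not code from the thread and not anything tcpdump or Ethereal ship. The record format (2-byte type, 2-byte length, payload), the two sample frames, and the function names `decode_naive`, `decode_checked` and `sensor_loop` are all constructed for the example. In Python the unchecked decoder fails with an `IndexError`; in a C decoder the same missing bounds check is an out-of-bounds read or write, which is the defect class the November decode bugs belong to.

```python
"""Why an unaddressed, listen-only interface does not shield a NIDS from the
traffic it decodes.  Added example; the frame format, sample frames and
function names are constructed for this illustration."""
import struct

# Hypothetical record format: 2-byte type, 2-byte payload length, payload.
# Both frames are constructed for this example.
WELL_FORMED = struct.pack("!HH", 1, 5) + b"hello"
# The length field claims 1000 payload bytes, but only 3 follow.  The sensor
# sees this frame simply because it is on the monitored segment; whether the
# sensor has an address is irrelevant to whether the bytes reach the decoder.
MALFORMED = struct.pack("!HH", 2, 1000) + b"abc"


def decode_naive(frame: bytes) -> tuple:
    """Decoder that trusts the length field (the defect class behind the
    decode bugs discussed in the thread).  In C the same omission is an
    out-of-bounds read or write; here Python raises IndexError instead."""
    ftype, length = struct.unpack("!HH", frame[:4])
    payload = frame[4:4 + length]
    checksum = 0
    for i in range(length):          # walks the *claimed* length, not the real one
        checksum = (checksum + payload[i]) & 0xFF
    return ftype, length, checksum


def decode_checked(frame: bytes) -> tuple:
    """Same decoder with every length validated against what was captured."""
    if len(frame) < 4:
        raise ValueError("truncated header")
    ftype, length = struct.unpack("!HH", frame[:4])
    if 4 + length > len(frame):
        raise ValueError(f"length field {length} exceeds captured frame of {len(frame)} bytes")
    payload = frame[4:4 + length]
    return ftype, length, sum(payload) & 0xFF


def sensor_loop(frames, decoder) -> dict:
    """Models the sniffing loop: every captured frame goes to the decoder.
    Errors the decoder reports deliberately (ValueError) are counted; they
    are worth alerting on, since malformed frames on the monitored segment
    are themselves a signal.  Anything else propagates, which is what takes
    a sensor down (or worse, in a memory-unsafe decoder)."""
    stats = {"decoded": 0, "decode_errors": 0}
    for frame in frames:
        try:
            decoder(frame)
            stats["decoded"] += 1
        except ValueError:
            stats["decode_errors"] += 1
    return stats


if __name__ == "__main__":
    frames = [WELL_FORMED, MALFORMED, WELL_FORMED]
    print("checked decoder:", sensor_loop(frames, decode_checked))
    try:
        sensor_loop(frames, decode_naive)
    except IndexError as exc:
        print("naive decoder stopped the sensor loop:", exc)
```

Run stand-alone, the checked decoder processes all three frames and reports one decode error, while the naive decoder stops the loop on the malformed frame. The practical takeaways match the thread: snipping TX wires or using a tap stops the sensor from answering, but does nothing for what it reads, so the decoders need the same bounds checking as any network-facing parser, and a rising decode-error count on the monitoring interface is something the management side should surface rather than swallow.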