From: Gary Richardson (gary.richardsonMARKETINGTIPS.COM)
Date: Tue Jan 09 2001 - 15:42:30 CST


    On Tue, 9 Jan 2001 13:13:27 -0800, Jon Gary said:

    > Without thinking about this too much, I think I'd have to say that it is
    > definitely possible for this to happen. Any time code is run with arbitrary
    > input, improper buffers or other problems can allow for the execution of
    > arbitrary code. Of course, this cannot happen without a bug in the IDS
    > software, and to truly assess the risk of such an attack, one would have to
    > determine whether the code that analyses the packets is privileged or not.
    > If the code is privileged, the risk is much higher. Normally, I don't
    > believe that NIDS machines are trusted by other machines on the network, so
    > the risk of compromising the rest of the network is limited. For the
    > ultra-paranoid, it might be a good idea to quarantine the NIDS by doing as
    > you said, cutting the TX wires on the listen interface, and then using the
    > other interface with a cross-over cable to a management box in the same
    > room. Of course, this eliminates remote manageability, so it might not be
    > desirable.

    Keep in mind that if the software does not reassemble the packets, you probably
    don't have that much space to perform an attack in.

    Don't you generally have to run IDS software as root in order to switch the
    network device to promiscuous mode? This is true under Linux, but I suppose not
    under win9x or macOS.

    >
    > I would consider the likelihood of this sort of attack to be low, since it
    > would be hard for an attacker to determine that a NIDS is listening, let
    > alone which vendor and version. Nonetheless, the possibility does exist.

    But you could still throw the random attacks onto a network without too much
    concern.

    >
    > Jon Gary
    > Click To Secure, Inc.
    > http://www.clicktosecure.com
    >
    > -----Original Message-----
    > From: Focus on Intrusion Detection Systems
    > [mailto:FOCUS-IDSSECURITYFOCUS.COM]On Behalf Of Michael Lea
    > Sent: Tuesday, January 09, 2001 12:43 PM
    > To: FOCUS-IDSSECURITYFOCUS.COM
    > Subject: Two-headed NIDS - security risk?
    >
    >
    >
    > *** PGP Signature Status: unknown
    > *** Signer: Unknown, Key ID = 0x8A90644C
    > *** Signed: 1/9/2001 12:43:39 PM
    > *** Verified: 1/9/2001 1:03:34 PM
    > *** BEGIN PGP VERIFIED MESSAGE ***
    >
    > One common suggestion I've seen for implementing NIDS is to have two
    > interfaces in the box. One interface is unaddressed, and is used to
    > monitor the target network. The other interface has an address and is
    > connected to a network that is isolated from the target. This second
    > interface is used for management, alerting, and whatever else you might
    > want the box to do.
    >
    > For the especially paranoid, people have recommended snipping the TX wires
    > on the unaddressed interface or using some sort of tap to enforce a
    > listen-only behaviour.
    >
    > The theory behind this, as I understand it, is that since the NIDS does
    > not have an addressable interface on the monitored (and "untrusted")
    > network, it is not subject to attacks. However, as NIDS is becoming more
    > complex with protocol decoding and the like, isn't it possible (even
    > likely) that an attacker could craft an attack that would cause the NIDS
    > to execute arbitrary code and be used as a launching point for an attack
    > into the "trusted" world.
    >
    > You can take the recent (i.e. November) protocol decode bugs in Ethereal
    > and tcpdump as an example of this in action.
    >
    > Have those of you with two-headed NIDS considered this? Is it a serious
    > concern, or am I being overly paranoid? Is there a solution?
    >
    > - Mike
    >
    > *** END PGP VERIFIED MESSAGE ***
    >
    >
    >

    --
    ---------------------------------------------------------
    T H E   I N T E R N E T   M A R K E T I N G   C E N T E R
    ---------------------------------------------------------
    Gary Richardson                    gary.richardsonmarketingtips.com
    System Administrator
    ---------------------------------------------------------
    ---------------------------------------------------------
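The two-headed layout Mike describes (an unaddressed, promiscuous listen interface plus a management interface on a network isolated from the monitored one) is easy to get subtly wrong on a real sensor. The posture check below is an added example, not code from the thread or from any NIDS product; it parses constructed `ip -o link show` / `ip -o addr show` style output for a hypothetical Linux sensor with `eth0` sniffing and `eth1` for management, and reports any deviation from that design.

```python
import ipaddress
import re

# Constructed sample output (not from the original thread), shaped like
# `ip -o link show` and `ip -o addr show` on a Linux sensor with two NICs:
# eth0 sniffs the monitored segment, eth1 sits on the management network.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
"""
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
3: eth1    inet 10.99.0.5/24 brd 10.99.0.255 scope global eth1
3: eth1    inet6 fe80::1/64 scope link
"""

LINK_RE = re.compile(r"^\d+:\s+(\S+?):\s+<([^>]*)>")      # "2: eth0: <FLAGS,...>"
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+(\S+)")  # "3: eth1    inet A/P ..."

def parse_links(text):
    """Map interface name -> set of link flags from `ip -o link show` output."""
    flags = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            flags[m.group(1)] = set(m.group(2).split(","))
    return flags

def parse_addrs(text):
    """Map interface name -> list of ip_interface objects from `ip -o addr show` output."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(ipaddress.ip_interface(m.group(3)))
    return addrs

def check_two_headed(link_out, addr_out, sniff_if, mgmt_if, monitored_nets):
    """Return posture findings; an empty list means the two-headed design is intact."""
    links, addrs = parse_links(link_out), parse_addrs(addr_out)
    monitored = [ipaddress.ip_network(n) for n in monitored_nets]
    findings = []
    if sniff_if not in links:
        findings.append(f"{sniff_if}: interface not present")
    elif "PROMISC" not in links[sniff_if]:
        findings.append(f"{sniff_if}: not in promiscuous mode, capture will miss traffic")
    for a in addrs.get(sniff_if, []):           # listen interface must stay unaddressed
        findings.append(f"{sniff_if}: has address {a}, listen interface should be unaddressed")
    mgmt = [a for a in addrs.get(mgmt_if, []) if a.version == 4 and not a.ip.is_loopback]
    if not mgmt:
        findings.append(f"{mgmt_if}: no IPv4 management address")
    for a in mgmt:                              # management net must not be the monitored net
        for net in monitored:
            if a.version == net.version and a.network.overlaps(net):
                findings.append(f"{mgmt_if}: {a} overlaps monitored network {net}, management is not isolated")
    return findings
```

On a live sensor, feed the real `ip -o link show` and `ip -o addr show` output into `check_two_headed` from a cron job or a configuration-management check so that an accidental address on the listen interface, or a management subnet that overlaps the monitored range, is reported rather than silently weakening the isolation.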