OSEC

From: David Masten (dmastenPIRATELABS.ORG)
Date: Tue Jan 09 2001 - 16:40:59 CST


    Michael Lea wrote:

    > Have those of you with two-headed NIDS considered this? Is it a serious
    > concern, or am I being overly paranoid? Is there a solution?
    >
    Two responses to this, theoretical and practical.

    Theoretically, yes, it is possible that an attacker could, if there is a
    buffer overflow or other weakness in the NIDS, cause code execution. But
    this raises a bunch of questions about how the exploit would be coded
    and how access to the NIDS can be maintained or increased.

    Instead of executing /bin/sh, would it try executing ifconfig? What
    arguments? How much code can we pack into the attack? If the attack
    overflows a buffer, will the NIDS still be listening?

    Even after the attacker manages to compromise the IDS, then what? Does
    the management console trust the listening system? (I hope not.) Is it
    on a network segment where other machines are wide open to attack? If so
    then you probably have more pressing security problems than the IDS.

    It seems that it would be much easier to DoS the IDS, then attack
    another host.

    The practical response is that two interfaces are better than one
    IP-addressable interface on an "untrusted" net. As with anything in
    security, it "ain't perfect, but sure beats having nothing".
    If someone knows a method that is better than the two-interface NIDS, I
    want to know.

    --
    David Masten
    Information Security, Network and Systems Administration
    Rocket Engineer, and Anarcho-Capitalist
    --------------------------------------------------------
    

    More law, less justice -Cicero
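The "two-interface NIDS" the post argues for has one addressed management leg and one listening leg that carries no IP address at all. The script below is an added example (it is not part of the original post and not from any NIDS vendor): it configures the listening leg that way on Linux and then audits that it really is unaddressable. It assumes a modern iproute2 toolchain rather than the ifconfig of the post's era, and the interface names eth0 (management) and eth1 (sniffing) are placeholders. One caveat it handles that the post predates: a Linux kernel auto-assigns an IPv6 link-local address to any interface it brings up, which quietly makes the "stealth" leg addressable again on its own segment, so IPv6 is disabled on that interface before it comes up.

```shell
#!/bin/sh
# Added example (not from the original post): bring up the sniffing leg of a
# two-interface NIDS with no IP address, then audit that it stayed that way.
# Assumptions: Linux with iproute2 and sysctl; eth0 is the management
# interface and eth1 the listening interface (both names are placeholders).

MGMT_IF="${MGMT_IF:-eth0}"     # addressed, on the trusted management segment
SNIFF_IF="${SNIFF_IF:-eth1}"   # unaddressed, plugged into the untrusted segment

# Configure the listening interface: strip every address, stop the kernel from
# auto-assigning an IPv6 link-local address (which would make the sensor
# addressable again), refuse ARP, and enable promiscuous mode. Needs root.
stealth_up() {
    dev="$1"
    ip addr flush dev "$dev"
    sysctl -q -w "net.ipv6.conf.$dev.disable_ipv6=1"
    ip link set dev "$dev" arp off promisc on up
}

# The checkers take command output as text so they can be exercised without
# privileges; audit_sniff_if below feeds them live output.

# Returns 0 if the `ip -o addr show dev X` text contains no inet/inet6 entry.
no_address_in() {
    ! printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# Returns 0 if the `ip -o link show dev X` text carries PROMISC and NOARP.
stealth_flags_in() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^[0-9]*: [^:]*: <\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,PROMISC,*) ;;
        *) return 1 ;;
    esac
    case ",$flags," in
        *,NOARP,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live audit of the listening interface; returns non-zero on any finding.
audit_sniff_if() {
    dev="$1"
    rc=0
    if ! no_address_in "$(ip -o addr show dev "$dev")"; then
        echo "FAIL: $dev carries an IP address" >&2; rc=1
    fi
    if ! stealth_flags_in "$(ip -o link show dev "$dev")"; then
        echo "FAIL: $dev is not promisc/noarp" >&2; rc=1
    fi
    return $rc
}

# Constructed sample outputs (not captured from a real sensor) for an offline run:
SAMPLE_MGMT_ADDR='2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever'
SAMPLE_SNIFF_LEAK='3: eth1    inet6 fe80::216:3eff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'
SAMPLE_SNIFF_LINK_OK='3: eth1: <BROADCAST,MULTICAST,PROMISC,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:16:3e:12:34:56 brd ff:ff:ff:ff:ff:ff'
SAMPLE_SNIFF_LINK_BAD='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:16:3e:12:34:56 brd ff:ff:ff:ff:ff:ff'

report() { # $1 = label, $2 = exit status of the check
    if [ "$2" -eq 0 ]; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}

if [ "${1:-}" = "--live" ]; then
    stealth_up "$SNIFF_IF" && audit_sniff_if "$SNIFF_IF"
else
    # Offline demonstration against the constructed samples.
    no_address_in "$SAMPLE_MGMT_ADDR";      report "$MGMT_IF has no address (expected to FAIL: it is the management leg)" $?
    no_address_in "$SAMPLE_SNIFF_LEAK";     report "$SNIFF_IF has no address (leaked IPv6 link-local)" $?
    no_address_in "$SAMPLE_SNIFF_LINK_OK";  report "$SNIFF_IF has no address (clean)" $?
    stealth_flags_in "$SAMPLE_SNIFF_LINK_OK";  report "$SNIFF_IF is promisc+noarp" $?
    stealth_flags_in "$SAMPLE_SNIFF_LINK_BAD"; report "$SNIFF_IF is promisc+noarp (flags missing)" $?
fi
```

Run it with no arguments to see the checks exercised against the constructed samples; run it as root with `--live` to configure and audit the real listening interface. The IPv6 leak case is the one most often missed: `ip -4 addr` shows the interface clean while a `fe80::` address is still answering neighbour discovery on the untrusted segment.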