Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: dcdave (dcdaveatt.net)
Date: Mon Jun 11 2001 - 09:42:07 CDT
First, a promiscuous NIC connected outside the firewall presents 'only' the
risk associated with having no TCP stack bound to an existing (but not
broadcasting) MAC address. Connecting it to inside the firewall via a second
NIC does not necessarily bypass or short-circuit the firewall. The interface
outside is still vulnerable to weapons of mass destruction for the collision
domain segment, and there are some creative attack paths conceivable, but I
have not yet heard of anyone implementing anything (anyone else?) yet.
Second, there is trade-off with read-only connections for an IDS capable of
reacting with RSTs and the like - RSTs will not work through a read-only
connection. You can end up with a watchdog capable of barking, but not
I have seen each method be appropriate to differing situations - what have
----- Original Message -----
From: "Chris Keladis" <Chris.Keladiscmc.cwo.net.au>
To: "Crist Clark" <crist.clarkglobalstar.com>
Cc: "Ingersoll Jared" <JIngersollcswv.com>; <FOCUS-IDSsecurityfocus.com>
Sent: Friday, June 08, 2001 5:59 PM
Subject: Re: Retreiving information from IDS..
> Crist Clark wrote:
> > I sometimes wonder how often the dual-NIC approach is more of a
> > than advantage. I suspect people may frequently be doing things like
> > short circuiting a firewall with such a device. You need to balance
> > your NIDS software requirements, the costs of adding the second NIC (the
> > cost of the NIC are insignificant, but the costs or other problems for
> > wiring the second network connection may not), and the security risks
> > of the configurations (again, two NICs is not automatically more secure
> > than one). As always, real-world security is about reducing risk, but
> > balancing it against the cost.
> After some research and many peoples helpfull suggestions, i'm going to
> into the Shomiti 100BT ("Century") Ethernet taps.
> We need HA, and the Shomiti taps claim to pass traffic even if the units
> power which is a big plus to us.
> I also would prefer to avoid putting hubs in production segments degrading
> performance (or port-mirroring etc..)
> (This was just for the "dirty"-side IDSs btw)
> Anyway, the taps are read-only (or so i understand), which imposes a
> restriction, reducing the risk of compromising the IDS itself.
> It's not fail-safe (espescially if one has physical access), and i agree,
> risk needs
> to be weighed up, but at least this helps reduce the risk, as IDS does add
> to complement a Firewall.