From owner-freebsd-security Sun Apr 8 3:44:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 622DB37B423 for ; Sun, 8 Apr 2001 03:44:14 -0700 (PDT) (envelope-from cjclark@alum.mit.edu)
Received: from alum.mit.edu ([207.88.154.6]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GBGZ5500.88T; Sun, 8 Apr 2001 03:43:53 -0700
Message-ID: <3AD05D51.B2B739BC@alum.mit.edu>
Date: Sun, 08 Apr 2001 05:45:06 -0700
From: "Crist J. Clark"
X-Mailer: Mozilla 4.72 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: John Howie
Cc: "Jacques A. Vidrine" , Crist Clark , lee@kechara.net, freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question
References: <200104071610.RAA18117@mailgate.kechara.net> <3ACF83FA.55761A7B@globalstar.com> <20010407162552.D87286@hamlet.nectar.com> <058701c0bfad$265e8530$0101a8c0@development.local> <20010407173910.B69155@spawn.nectar.com> <05aa01c0bfb4$ec3a0de0$0101a8c0@development.local> <20010407180040.B87468@hamlet.nectar.com> <05b901c0bfb8$d79a1160$0101a8c0@development.local>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

John Howie wrote:

[snip]

> If I force would-be
> intruders to have to defeat/circumvent individual measures such as
> firewalls/NAT boxes just to determine my topologies before they can even
> make an attempt at an attack on servers, then most will give up and go away.
> With the correct supporting measures in place, obscuring network topology is
> a valid step to take.

NAT is not a security tool. NAT is a means to conserve network addresses. It is not particularly difficult to guess at the number of machines behind a NAT box or to devise the network topology (provided you can get someone on the inside to try to communicate with you).
Obscuring network topology is not something most people should spend a lot of time worrying about. If a machine has IP connectivity, it has IP connectivity. The topology of a network only is a security issue once an attacker has already compromised a box and you are worried about what he can sniff. If the attacker has that kind of access to the box, he knows your net topology. Yes, you do not need to advertise your network arch on a web page or with ICMP netmask replies, but there is no need to spend any sweat trying to hide it either. Again, IMHO.

We have descended far into the theoretical here, well past the realm of a script kiddie. But just as the script kiddie would not gather intel on your net to figure out how to get around an interface with no IP stack attached, a script kiddie would be defeated by an IDS _with_ an IP on the interface, but sane firewall rules on it.

Generally speaking, what makes machines vulnerable is not the kernel's IP stack bound to an interface, but having vulnerable services listening on it. I do not think it unreasonable to give that external interface of the IDS an IP address, but put some seriously stringent firewall (ipf, ipfw) rules on it (running minimal services is a given of course). Accept only incoming connections from your secure net and just allow the log traffic in the firewall. The external attacker is going to have a really hard time finding this IDS. Your firewall still gives you some protection from the machine if it were to be subverted.

For the zillionth time, there are no absolutes in security, only trades. For most of us, making the IDS easy to use makes our network as a whole more secure than locking the thing down so hard that we have a really tough time using it. An IDS that you do not use does not enhance security.

-- 
Crist J. Clark cjclark@alum.mit.edu
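The "stringent firewall rules on the IDS's addressed interface" that the mail describes, written out as an added example (this is not code from the original mail or from FreeBSD): an ipfw ruleset that accepts inbound connections only from the secure net, lets only the sensor's syslog traffic out to the log host, and denies and logs everything else on that interface. The interface name, the addresses and the choice of ssh (22/tcp) for management and syslog (514/udp) for the log channel are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: ipfw ruleset for the management (addressed) interface of an
# IDS sensor. All names and addresses below are constructed placeholders.
IDS_IF="${IDS_IF:-fxp0}"                  # interface that carries the sensor's IP
IDS_IP="${IDS_IP:-192.0.2.10}"            # address bound to that interface
SECURE_NET="${SECURE_NET:-192.0.2.0/28}"  # admin hosts allowed to connect in
LOGHOST="${LOGHOST:-192.0.2.5}"           # central syslog collector

# Emit the ruleset, one ipfw command per line. Nothing is applied here;
# apply_rules below pipes the output to sh.
ids_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 check-state
ipfw add 400 allow tcp from $SECURE_NET to $IDS_IP 22 in via $IDS_IF setup keep-state
ipfw add 500 allow udp from $IDS_IP to $LOGHOST 514 out via $IDS_IF
ipfw add 65000 deny log ip from any to any
EOF
}

# Number of rule commands the generator produces (handy for a sanity check).
rule_count() {
    ids_rules | grep -c '^ipfw '
}

# Apply the ruleset on a FreeBSD host with ipfw compiled in (needs root).
apply_rules() {
    ids_rules | sh
}

# Stand-alone use: "sh ids-fw.sh" prints the rules, "sh ids-fw.sh apply" loads them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    ids_rules
fi
```

Rule 400 only admits new ssh sessions (`setup`) from the secure net and tracks them with `keep-state`, so return packets match the dynamic rule at `check-state` rather than a broad outbound allow; rule 500 is deliberately one-directional, since syslog over UDP never needs a reply; the final `deny log` is what gives you the firewall's protection "from the machine if it were to be subverted", because even a compromised sensor cannot open connections anywhere except the log host.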