Date: Sat, 07 Apr 2001 11:50:54 -0400
From: "Brian F. Feldman" <green@FreeBSD.org>
To: lee@kechara.net
Cc: freebsd-security@FreeBSD.org
Subject: Re: Theory Question
Message-ID: <200104071550.f37Fosa31021@green.dyndns.org>
In-Reply-To: Message from Lee Smallbone <lee@kechara.net> of "Sat, 07 Apr 2001 16:00:40 BST." <200104071610.RAA18117@mailgate.kechara.net>
Lee Smallbone <lee@kechara.net> wrote:

> Hi there,
>
> I have a theory that I'd like to run past you guys if I may. We have an IDS
> watching over our network, and currently it logs to itself, and has a
> publicly accessible IP address. Now what I want to do is get it to also log
> to a second machine, privately addressed, and remove the public IP address
> from the IDS, and use the private machine to run stats on and so forth. The
> primary concern is security. I am of the belief that a machine with no IP
> address cannot be 'hacked' (externally); is this true in the real world?
>
> The setup would look a little like this.
>
> (my apologies to those of you who do not have fixed-width fonts. See
> attachment if they're allowed here)
>
>          /------\
>         /Internet\-----[router]-------[switch]----[various servers]
>        /          \        |              |
>        ------------        |              |
>                            |              |
>                          [IDS]            |
>                            |          [firewall]
>                            |              |
>                            |              |
>                            |              |
>                            \          [switch]
>                             \        /       \
>                              \      /         \
>                               \    /           \
>                                \  /             \
>                                 \/          [internal lan]
>                            [IDS Log 2]      192.168.1.x
>                             192.168.1.x
>
> Would the direct link to the Internal network pose a threat to the rest of
> the Internal Lan? Bearing in mind the IDS wouldn't have an IP address?
>
> Any input appreciated.

How is the IDS logging to another machine without any IP address? To do it
in a reasonable way, give it two network interfaces, one on the outside and
one on the inside. The IDS machine needs to have no form of bridging enabled,
of course, and have the public interface used for sniffing have no address of
its own. The IDS acts enough like a firewall (passing nothing that's not its
own through) to stick the IDS's other interface directly on the internal
switch. The IDS logging machine can be off the same switch and then wouldn't
need two network cards like it did in the design you propose.

Also, if all your router would be doing there is mirroring traffic in and
out to the IDS, you may want to think more carefully about whether you
really need both that router and that switch there.
-- 
Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                   `------------------------------'
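The two-interface IDS host Brian describes (sniffing interface up with no address, only the inside interface addressed, no forwarding, no bridging) can be expressed as a check over a FreeBSD rc.conf fragment. The script below is an added example, not code from the thread or from FreeBSD; the interface names fxp0/fxp1, the addresses and both rc.conf fragments are constructed, and the bridge check looks for the cloned_interfaces/ifconfig_bridge0 form used by later FreeBSD releases rather than whatever bridging hook a 2001 kernel had.

```shell
#!/bin/sh
# Added example (not part of the original thread): check a FreeBSD rc.conf
# fragment against the IDS design in the reply above. Interface names
# fxp0 (sniffing side) and fxp1 (inside) and all addresses are assumptions.

# Constructed rc.conf fragment that follows the design.
GOOD_RCCONF='ifconfig_fxp0="up"
ifconfig_fxp1="inet 192.168.1.5 netmask 255.255.255.0"
gateway_enable="NO"'

# Constructed fragment with the mistakes the check should flag: a public
# address on the sniffing side, IP forwarding on, and a bridge joining both.
BAD_RCCONF='ifconfig_fxp0="inet 203.0.113.10 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.1.5 netmask 255.255.255.0"
gateway_enable="YES"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 up"'

# fragment_file TEXT: write TEXT to a temporary file and print its path.
fragment_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# rc_value FILE KEY: print the value of KEY="value"; the last assignment
# wins, as it does when rc.conf is sourced by the shell.
rc_value() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# is_rfc1918 ADDR: succeed only for a private (RFC 1918) IPv4 address.
is_rfc1918() {
    case $1 in
        10.*)      return 0 ;;
        192.168.*) return 0 ;;
        172.*)     o2=${1#172.}; o2=${o2%%.*}
                   [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] ;;
        *)         return 1 ;;
    esac
}

# check_ids_rcconf FILE SNIFF_IF INSIDE_IF: print one line per finding and
# return 0 only if every rule of the design holds.
check_ids_rcconf() {
    file=$1; sniff=$2; inside=$3; ok=0

    # Rule 1: the sniffing interface is up but carries no address.
    case $(rc_value "$file" "ifconfig_$sniff") in
        *inet*) echo "FAIL: $sniff has an address; the sniffing side must have none"; ok=1 ;;
        *up*)   echo "ok:   $sniff is up with no address" ;;
        *)      echo "FAIL: $sniff is not configured up"; ok=1 ;;
    esac

    # Rule 2: the inside interface has a private address.
    inside_cfg=$(rc_value "$file" "ifconfig_$inside")
    addr=${inside_cfg#inet }; addr=${addr%% *}
    if is_rfc1918 "$addr"; then
        echo "ok:   $inside has private address $addr"
    else
        echo "FAIL: $inside has no private address"; ok=1
    fi

    # Rule 3: the host does not route between its interfaces.
    fwd=$(rc_value "$file" gateway_enable)
    if [ -z "$fwd" ] || [ "$fwd" = "NO" ]; then
        echo "ok:   IP forwarding is off"
    else
        echo "FAIL: gateway_enable=\"$fwd\"; the IDS must not forward packets"; ok=1
    fi

    # Rule 4: no bridge interface is configured at all.
    if grep -q '^cloned_interfaces=.*bridge' "$file" || grep -q '^ifconfig_bridge' "$file"; then
        echo "FAIL: a bridge interface is configured; the IDS must not bridge"; ok=1
    else
        echo "ok:   no bridge interface configured"
    fi
    return $ok
}

# Run the check over both constructed fragments.
good=$(fragment_file "$GOOD_RCCONF"); bad=$(fragment_file "$BAD_RCCONF")
echo "== fragment following the design =="; check_ids_rcconf "$good" fxp0 fxp1
echo "== fragment with mistakes ==";        check_ids_rcconf "$bad" fxp0 fxp1 || true
rm -f "$good" "$bad"
```

Run it on a real host with `check_ids_rcconf /etc/rc.conf <sniff-if> <inside-if>`; it reports only what rc.conf declares, so a live `ifconfig` and `sysctl net.inet.ip.forwarding` remain the final word on what the running system does.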