From owner-freebsd-security Sat Apr 7 14:17:54 2001
Message-ID: <3ACF83FA.55761A7B@globalstar.com>
Date: Sat, 07 Apr 2001 14:17:46 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: lee@kechara.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question
References: <200104071610.RAA18117@mailgate.kechara.net>

Lee Smallbone wrote:
> 
> Hi there,
> 
> I have a theory that I'd like to run past you guys if I may. We have an IDS watching over our network, and currently
> it logs to itself, and has a publicly accessible IP address. Now what I want to do is get it to also log to a second
> machine, privately addressed, and remove the public IP address from the IDS, and use the private machine to run
> stats on and so forth. The primary concern is security. I am of the belief that a machine with no IP address cannot
> be 'hacked' (externally), is this true in the real world?

No. There is no such thing as a box on a network that 'cannot be hacked.'

A possible scenario: Your IDS is listening to the unprotected link to the Internet and chugging away, crunching the data passing by looking for attack signatures. Hiding somewhere in the bowels of this large and complex IDS program[0] is a buffer overflow vulnerability.
EvulHax0r sends a crafted series of packets past the box which trip the buffer overflow and execute arbitrary code of his choosing on the box. Game over. His code could attach an IP stack to the external interface (just run ifconfig), it could open a tunnel through the backside of the IDS and back out of the front[1] of your network, or if EvulHax0r is really 33l33t, he could set up a covert channel on the external interface that does not use the kernel stack.

This is all possible, but not probable. You must weigh the risks and benefits of having the IDS set up in this manner versus other configurations. Security is almost always a series of trade-offs. The only absolutely secure network configuration is not to have the device connected to the network at all. There is no such thing as a box on a network that 'cannot be hacked.'

[0] An IDS program does not need to be all that big and complex to have vulnerable code hiding in it. Both Snort and tcpdump have had their share of exploitable buffer overruns.

[1] Note that in this situation, going that extra step of physically disabling transmission of data on the external interface (snipping or shorting wires) will not save you either.

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
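The scenario in the reply turns on one point: a passive sensor with no IP address still parses every byte that goes past it, so a length-handling bug in the parser is reachable without the box ever being addressable. The following is an added illustration of that class of defect and of the check that closes it; it is not code from the message, from Snort, or from tcpdump. The record format, the `NAME_MAX` buffer size and the sample packets are constructed for the example. The unchecked parser is shown only to mark where the missing test belongs and is never run on the bad input; the checked parser is what a sensor should do with attacker-controlled lengths.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy record format (not a real protocol):
 *   byte 0      : record type
 *   byte 1      : name_len, taken from the wire
 *   bytes 2..   : name_len bytes of name
 */
#define NAME_MAX 16

struct record {
    uint8_t type;
    char    name[NAME_MAX];   /* NUL-terminated copy of the name field */
};

/* Defective version: trusts name_len from the packet. If name_len exceeds
 * the bytes present it reads past the packet; if it reaches NAME_MAX it
 * writes past rec->name. This is the shape of bug the reply describes.
 * Kept here only for comparison; main() calls it on the benign packet only. */
static int parse_unchecked(const uint8_t *pkt, size_t len, struct record *rec)
{
    if (len < 2) return -1;
    size_t name_len = pkt[1];
    rec->type = pkt[0];
    memcpy(rec->name, pkt + 2, name_len);   /* no bounds check against len or NAME_MAX */
    rec->name[name_len] = '\0';
    return 0;
}

/* Hardened version: the wire length must fit both what the packet actually
 * carries and the destination buffer (leaving room for the terminator).
 * Returns 0 on success, -1 too short for a header, -2 truncated on the wire,
 * -3 name too long for the buffer. */
static int parse_checked(const uint8_t *pkt, size_t len, struct record *rec)
{
    if (len < 2) return -1;
    size_t name_len = pkt[1];
    if (name_len > len - 2)  return -2;   /* claims more bytes than are present */
    if (name_len >= NAME_MAX) return -3;  /* would overflow rec->name */
    rec->type = pkt[0];
    memcpy(rec->name, pkt + 2, name_len);
    rec->name[name_len] = '\0';
    return 0;
}

/* Constructed sample packets. */
static const uint8_t benign_pkt[]    = { 0x01, 0x04, 'h', 't', 't', 'p' };
/* Claims a 200-byte name but carries four bytes. */
static const uint8_t oversized_pkt[] = { 0x01, 0xC8, 'h', 't', 't', 'p' };

/* Builds a well-formed 34-byte packet whose name (32 bytes) is longer than
 * NAME_MAX, and returns the checked parser's verdict on it. */
int verdict_long_name(void)
{
    uint8_t pkt[2 + 32];
    struct record rec;
    pkt[0] = 0x02;
    pkt[1] = 32;
    memset(pkt + 2, 'A', 32);
    return parse_checked(pkt, sizeof pkt, &rec);
}

/* Checked-parser verdict on a packet, for the tests and for main(). */
int verdict(const uint8_t *pkt, size_t len, struct record *rec)
{
    return parse_checked(pkt, len, rec);
}

int main(void)
{
    struct record rec;
    /* The benign packet parses the same way in both versions. */
    parse_unchecked(benign_pkt, sizeof benign_pkt, &rec);
    printf("unchecked, benign : type=%u name=%s\n", rec.type, rec.name);
    printf("checked, benign   : %d\n", verdict(benign_pkt, sizeof benign_pkt, &rec));
    printf("checked, oversized: %d\n", verdict(oversized_pkt, sizeof oversized_pkt, &rec));
    printf("checked, long name: %d\n", verdict_long_name());
    return 0;
}
```

The two rejections are deliberately distinct: -2 catches a length that lies about the packet (an over-read), -3 catches a length that is honest about the packet but too big for the sensor's own buffer (an over-write). A sensor that only checks one of the two is still exposed through the other.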