
List:       focus-ids
Subject:    RE: IDS interface setup
From:       Paul Schmehl <pauls () utdallas ! edu>
Date:       2003-04-03 22:17:49

On Thu, 2003-04-03 at 09:18, Miller, Joe wrote:
> In the process of setting up an IDS box in the DMZ. The box has 3 interfaces.
> 2 interfaces are to run in promiscuous mode, 1 interface is to be used for
> management (non-promiscuous mode). The DMZ is sandwiched between firewalls.
> 
> Question: What would be more secure, putting the management interface on the
> internal VLAN, or the DMZ VLAN?
> 
Flip a coin.  Seriously.

There are good arguments for either arrangement, and the most critical
feature is how you configure the host anyway.  Shut down *everything*.
You shouldn't even need inetd running.  No rpc, no portmap, no nfs
services, no autofs, no rawdevices, etc., etc.  (Some of these obviously
depend on what OS you're running.)  All you need to run is the sensor,
sshd, a firewall and tcpwrappers.  Lock down the mgmt interface with the
firewall.  It doesn't even need to respond to pings.  And protect sshd
with tcpwrappers.

I don't think you need to worry about the promiscuous interfaces.  If
someone can hack a box through those, it wouldn't matter what defenses
you have in place.  They're too good to be deterred.

-- 
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
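The lock-down Paul describes (default-deny firewall on the management interface, no ping replies, sshd reachable only from admin hosts and wrapped with tcpwrappers, nothing else listening) worked into a script. This is an added example, not code from the thread or from any product it mentions; the interface name `eth2`, the admin subnet `192.0.2.0/24` and the sample listener listing are constructed assumptions.

```shell
#!/bin/sh
# Added example for an IDS sensor's management host (not from the original
# focus-ids thread). Assumptions, all hypothetical: management interface eth2,
# admin workstations on 192.0.2.0/24. The two promiscuous sniffing interfaces
# carry no IP address, so the default DROP policy covers them as well.

MGMT_IF="${MGMT_IF:-eth2}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
# Classic tcp_wrappers wants net/mask rather than CIDR in hosts.allow.
ADMIN_NET_MASK="${ADMIN_NET_MASK:-192.0.2.0/255.255.255.0}"

# Emit a ruleset in iptables-restore format: INPUT and FORWARD default to DROP,
# loopback and return traffic are allowed, and the only new connection accepted
# is SSH on the management interface from the admin subnet. There is no
# ICMP echo rule, so the box never answers pings.
mgmt_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $MGMT_IF -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Second layer in front of sshd: /etc/hosts.allow admits only the admin
# subnet, /etc/hosts.deny refuses everything else for every wrapped service.
hosts_allow() { printf 'sshd: %s\n' "$ADMIN_NET_MASK"; }
hosts_deny()  { printf 'ALL: ALL\n'; }

# Audit a listener listing given as "port program" pairs on stdin (as one
# could derive from `netstat -ltnp` or `ss -ltnp`). Anything other than sshd
# on 22 is a service that should be shut down. Prints each offender and
# returns 1 if any were found, 0 if the host is clean.
audit_listeners() {
    offenders=0
    while read -r port prog; do
        [ -z "$port" ] && continue
        if [ "$port" = "22" ] && [ "$prog" = "sshd" ]; then
            continue
        fi
        printf 'unexpected listener: port %s (%s)\n' "$port" "$prog"
        offenders=$((offenders + 1))
    done
    [ "$offenders" -eq 0 ]
}

# Constructed sample listing: a host that still runs portmap and nfsd.
SAMPLE_LISTING='22 sshd
111 portmap
2049 nfsd'

printf '%s\n' "$SAMPLE_LISTING" | audit_listeners || echo "host needs lock-down"
mgmt_ruleset
hosts_allow
hosts_deny
```

To apply the firewall on the sensor itself, save the ruleset and load it with `iptables-restore` (`mgmt_ruleset > ids-mgmt.rules && iptables-restore < ids-mgmt.rules`), then place the two wrapper lines in `/etc/hosts.allow` and `/etc/hosts.deny`. Running the audit against the real `netstat -ltnp` output before and after disabling services gives a quick check that only sshd remains.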


