
List:       focus-ids
Subject:    RE: TAP location
From:       its () si-bw ! de
Date:       2001-08-22 15:59:54


This is getting kind of off-topic but for the record...

 Bourque Daniel wrote on 20.08.2001 13:47:30
>Compromise IDS: That's why the management lan card will be on another
>Firewall branch where I will be able to control it.

I wanted to make the (although mostly theoretical) point that a compromise
would be possible through the monitor port. Even if you have the TAP in
place, a skilled hacker with the right information and a not-quite-100%
IDS might get you in trouble.

>Utilising DNS port as a back channel:  I use a forwarder for my internet DNS
>server just for that (and solving some problem with accessing some sites
>(Apple was one.  Don't know if it's still a problem).  Evidently, other
>ports need to be blocked also...

Since the ultimate function of the forwarder is to forward the request to
be processed elsewhere, it will not help to defend against a covert channel
attack. There are at least two possible problems:

(1) Hacker A finds a packet which yields a buffer overflow and execution of
A's code in the IDS. This code could use the DNS to "call home", load more
software, or await commands from A.

(2) Hacker B finds some overflow condition in the DNS resolver code of the
IDS console, the IDS console's host operating system or an intermediary
nameserver. He causes the IDS to trigger a DNS request for a DNS name he
is in control of and thereby uses the IDS to import his exploit into the
victim's computing base.

>My worst case scenario for this project:  a hacker convention using the
>guest rooms and the congress floor as a playground...  Evidently, room
>security is another issue (you don't want a kid in room 1701
>attacking/spying on room 1805...).  That's where PVLANs come into play.

Did anybody say PVLANs are secure? Did I miss something?

andreas.

P.S.: Reading about the W2K IrDA bug (MS01-046) and MS's statement "To the
best of our knowledge, this cannot be used to run malicious code on the
user's system.", which I read as "Nobody has publicly demonstrated this",
I wonder when we need to start running an Infrared Intrusion Detection
System.... ;-)
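One defensive check that follows from the point made above about the forwarder (an added example, not code from the original thread): since a forwarder only relays whatever the sensor asks for, the useful control is on the policy side, treating any lookup by an IDS sensor or console for a name outside its small expected set as an alert. The log line format, the sensor addresses and the zone names below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of resolver query log lines (not from the original post):
# "<timestamp> client <src-ip>: query <qname>"
SAMPLE_LOG = """\
2001-08-22T15:01:02 client 10.10.1.5: query ntp.example.net
2001-08-22T15:01:09 client 10.10.1.5: query updates.example.net
2001-08-22T15:02:11 client 10.10.1.5: query a8f3c2.cmd.attacker-test.invalid
2001-08-22T15:02:41 client 10.10.1.5: query b91e00.cmd.attacker-test.invalid
2001-08-22T15:03:00 client 192.168.7.20: query www.apple.com
2001-08-22T15:03:15 client 10.10.1.6: query ntp.example.net
"""

# Assumed management-LAN addresses of the IDS sensors and console.
SENSOR_HOSTS = {"10.10.1.5", "10.10.1.6"}
# Assumed zones a sensor legitimately needs to resolve; anything else is an anomaly.
ALLOWED_ZONES = {"example.net"}

LINE_RE = re.compile(r"client (\S+): query (\S+)$")


def _in_allowed_zone(qname: str) -> bool:
    """True if qname is one of the allowed zones or a name inside one of them."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in ALLOWED_ZONES)


def find_unexpected_sensor_queries(log_text: str) -> dict[str, list[str]]:
    """Return, per sensor address, the names it resolved outside ALLOWED_ZONES.

    Queries from non-sensor hosts are ignored on purpose: the policy here is
    about the monitoring hosts themselves, which have no business resolving
    arbitrary names regardless of which forwarder carries the request."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, qname = m.groups()
        if src in SENSOR_HOSTS and not _in_allowed_zone(qname):
            hits[src].append(qname.rstrip(".").lower())
    return dict(hits)


if __name__ == "__main__":
    for host, names in find_unexpected_sensor_queries(SAMPLE_LOG).items():
        print(f"ALERT sensor {host} resolved {len(names)} unexpected name(s): {names}")
```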

