can an interface with no ip address be compromised ?

hcclnoodles
PostPosted: Wed Sep 21, 2005 1:32 pm    Post subject: can an interface with no ip address be compromised ?

Hi there

I am configuring an IDS with snort in a DMZ. There will also be a web server box in the DMZ as well. I have set the snort box up with 2 NICs: one will be set up in promiscuous mode with no IP addressing, just listening to traffic coming through the firewall and coming from the webserver, and the other a standard addressed interface which will be on a private management network (this NIC will be used for alerts/logs/management of snort etc.)

My question is: if someone was to compromise the web server and sniff the network, they would discover ARP packets coming from the promiscuous NIC. Can a NIC that has no IP addressing/layer 3 addressing be compromised? Are there any hacking tools that would enable them to get through a card with no address and out onto my management LAN?

My initial thought was that a NIC has to have at least some layer 3 addressing for it to be hackable, but I need to clarify.

Any help on this would be greatly appreciated.
Gary
moondoggie
PostPosted: Wed Sep 21, 2005 5:13 pm

There is always the physical threat of someone actually walking up to the computer and trying to get in that way...
MattA
PostPosted: Wed Sep 21, 2005 5:36 pm    Post subject: Re: can an interface with no ip address be compromised ?

hcclnoodles wrote:

> I have set the snort box up with 2 NICS, one will be set up in promiscuous mode with no IP addressing just listening to traffic coming through the firewall and coming from the webserver and the other a standard addressed interface which will be on a private management network (this nic will be used for alerts/logs/management of snort etc)

So it does have a NIC with an IP on it. That'll be a yes then. It just means someone has to compromise a machine on your NAT'd network in order to be able to get to it, and that's easier than you think.
A few banks I know use this same setup. Whilst strictly many people say your IDS should be on a bridge and not have an IP, it's not practical because of the difficulty with remote management. I mean, if you have 20 IDSs, how do you manage them if they are all on bridges?
capi
PostPosted: Wed Sep 21, 2005 5:41 pm    Post subject: Re: can an interface with no ip address be compromised ?

hcclnoodles wrote:

> Can a NIC that has no IP addressing/layer 3 addressing be compromised ?

As long as there is data arriving at the NIC and something reading that data, there is always the possibility of a compromise. Layer 2, 3 or whatever has no bearing on it other than imposing greater or smaller restrictions on the path the data traverses (and as such the amount of things that could potentially be exploited).

There might be a bug in the sniffer itself, for example, which could be exploited by a skilled attacker by feeding it carefully crafted frames. Or there could be a bug in the NIC's driver. And so on.

Of course this is all going into the realm of possibilities now, but it is not something to be neglected. Sniffers, drivers and the likes are man-made software like anything else and are just as subject to bugs.

Likewise, once a system is compromised, regardless of whether it has a NIC with a layer 3 address or not, it is still possible to communicate outwards from it. As long as it has a working NIC the attacker can always work at layer 2 (craft IP packets manually, etc). Or (s)he can just assign the NIC an address in the first place (static or dynamic, whatever the situation calls for). If the box has been compromised you no longer own it.
tutaepaki
PostPosted: Wed Sep 21, 2005 10:58 pm

There was, in fact, a bug in snort a while back (a year or so IIRC) which allowed exactly this kind of compromise (might have been in the pcap libraries, which would affect any application using them). You could make up your own cable which is receive only. That would ensure no traffic can ever be exchanged over the sniffing interface, which would reduce the possible attacks on your IDS device to something which could be contained in a single packet, and it would need to be 'self sustaining'.
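The thread's setup (a sniffing NIC with no layer 3 address that, as capi notes, can still send frames, and that the opener worried would leak ARP) can be audited on a Linux sensor. The following is an added example, not code from the thread or from snort; it parses the text output of `ip -o link show` and `ip -o addr show` (assumed to be captured by the caller) and embeds constructed sample output for three interfaces.

```python
"""Audit a Linux IDS sniffing interface for a 'no address, no talking' configuration."""
import re

# Constructed sample output (not from a real host): eth0 is a normal addressed NIC,
# eth1 is promiscuous but still has ARP/multicast and an IPv6 link-local address,
# eth2 is the intended stealth sniffer (promisc, NOARP, no multicast, no addresses).
SAMPLE_LINK = (
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
    "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
    "4: eth2: <NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
)
SAMPLE_ADDR = (
    "2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0 valid_lft forever\n"
    "3: eth1    inet6 fe80::5054:ff:fe12:3456/64 scope link valid_lft forever\n"
)

LINK_RE = re.compile(r"^\d+:\s+(\S+?):\s+<([^>]*)>")       # "3: eth1: <FLAGS,...>"
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+(\S+)")  # "3: eth1    inet6 addr/len"


def parse_links(text):
    """Map interface name -> set of link flags from `ip -o link show`."""
    return {m.group(1): set(m.group(2).split(","))
            for m in map(LINK_RE.match, text.splitlines()) if m}


def parse_addrs(text):
    """Map interface name -> list of (family, address) from `ip -o addr show`."""
    addrs = {}
    for m in filter(None, map(ADDR_RE.match, text.splitlines())):
        addrs.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return addrs


def audit_sniff_iface(name, link_text, addr_text):
    """Return a list of findings; an empty list means the interface looks stealthy."""
    flags = parse_links(link_text).get(name)
    if flags is None:
        return [f"{name}: interface not found"]
    findings = []
    if "PROMISC" not in flags:
        findings.append(f"{name}: not promiscuous; the IDS will miss frames not addressed to it")
    if "NOARP" not in flags:
        findings.append(f"{name}: ARP enabled; the kernel can emit ARP and reveal the sensor")
    if "MULTICAST" in flags:
        findings.append(f"{name}: multicast enabled; IPv6/mDNS group joins can emit frames")
    # Linux adds an fe80:: link-local address on UP unless IPv6 is disabled on the NIC,
    # so 'no IP configured' is not the same as 'no layer 3 address'.
    for fam, addr in parse_addrs(addr_text).get(name, []):
        findings.append(f"{name}: has {fam} address {addr}; remove it so the sensor is unreachable at L3")
    return findings
```

A receive-only cable, as suggested in the last post, removes the transmit path entirely; this check only confirms the software side is not configured to speak.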