hcclnoodles Just Arrived
Joined: 08 Dec 2004 Posts: 0
Posted: Wed Sep 21, 2005 1:32 pm Post subject: can an interface with no ip address be compromised ?
Hi there,
I am configuring an IDS with Snort in a DMZ. There will also be a web server box in the DMZ as well. I have set the Snort box up with 2 NICs: one will be set up in promiscuous mode with no IP addressing, just listening to traffic coming through the firewall and coming from the web server, and the other a standard addressed interface which will be on a private management network (this NIC will be used for alerts/logs/management of Snort etc.).
My question is: if someone was to compromise the web server and sniff the network, they would discover ARP packets coming from the promiscuous NIC. Can a NIC that has no IP addressing/layer 3 addressing be compromised? Are there any hacking tools that would enable them to get through a card with no address and out onto my management LAN?
My initial thought was that a NIC has to have at least some layer 3 addressing for it to be hackable, but I need to clarify.
Any help on this would be greatly appreciated.
Gary
moondoggie Lurker
Joined: 27 May 2005 Posts: 19
Posted: Wed Sep 21, 2005 5:13 pm Post subject:
there is always the physical threat of someone actually walking up to the computer and trying to get in that way...
MattA Trusted SF Member
Joined: 13 Jun 2003 Posts: 16777193 Location: Eastbourne + London
Posted: Wed Sep 21, 2005 5:36 pm Post subject: Re: can an interface with no ip address be compromised ?
hcclnoodles wrote:
    I have set the snort box up with 2 NICS, one will be set up in promiscuous mode with no IP addressing just listening to traffic coming through the firewall and coming from the webserver and the other a standard addressed interface which will be on a private management network (this nic will be used for alerts/logs/management of snort etc)
So it does have a NIC with an IP on it. That'll be a yes then. It just means someone has to compromise a machine on your NAT'd network in order to be able to get to it, and that's easier than you think.
A few banks I know use this same setup. Whilst strictly many people say your IDS should be on a bridge and not have an IP, it's not practical because of the difficulty with remote management. I mean, if you have 20 IDSs, how do you manage them if they are all on bridges?
capi SF Senior Mod
Joined: 21 Sep 2003 Posts: 16777097 Location: Portugal
Posted: Wed Sep 21, 2005 5:41 pm Post subject: Re: can an interface with no ip address be compromised ?
hcclnoodles wrote:
    Can a NIC that has no IP addressing/layer 3 addressing be compromised ?
As long as there is data arriving at the NIC and something reading that data, there is always the possibility of a compromise. Layer 2, 3 or whatever has no bearing on it other than imposing greater or smaller restrictions on the path the data traverses (and as such the amount of things that could potentially be exploited).
There might be a bug in the sniffer itself, for example, which could be exploited by a skilled attacker by feeding it carefully crafted frames. Or there could be a bug in the NIC's driver. And so on.
Of course this is all going into the realm of possibilities now, but it is not something to be neglected. Sniffers, drivers and the like are man-made software like anything else and are just as subject to bugs.
Likewise, once a system is compromised, regardless of whether it has a NIC with a layer 3 address or not, it is still possible to communicate outwards from it. As long as it has a working NIC the attacker can always work at layer 2 (craft IP packets manually, etc.). Or (s)he can just assign the NIC an address in the first place (static or dynamic, whatever the situation calls for). If the box has been compromised you no longer own it.
tutaepaki Trusted SF Member
Joined: 02 May 2002 Posts: 3 Location: New Zealand
Posted: Wed Sep 21, 2005 10:58 pm Post subject:
There was, in fact, a bug in Snort a while back (a year or so, IIRC) which allowed exactly this kind of compromise (it might have been in the pcap libraries, which would affect any application using them). You could make up your own cable which is receive-only. That would ensure no traffic can ever be exchanged over the sniffing interface, which would reduce the possible attacks on your IDS device to something which could be contained in a single packet, and it would need to be 'self-sustaining'.
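A concrete illustration of capi's point above (a compromised box can still transmit through a NIC that has no layer 3 address) and of why tutaepaki's receive-only cable is the defence that actually closes that path. This is an added example, not code from any poster in the thread: it builds an Ethernet/IPv4/UDP frame by hand, with correct header checksums, and hands it straight to the driver through a Linux AF_PACKET socket bound to the sniffing interface, which needs no IP address for this to work. The MAC addresses, IP addresses, ports, payload and the interface name eth1 are constructed values; send_raw() needs root on Linux, while build_frame() and parse_frame() run anywhere.

```python
"""Transmit through an interface that has no IP address (added example, not from the thread).

Assumptions: the sniffing NIC is 'eth1', the attacker picks the MAC/IP/ports
below, and send_raw() is executed as root on Linux.
"""
import socket
import struct

# Constructed sample values; none of these come from the original thread.
SRC_MAC = "02:00:00:00:00:01"   # locally administered MAC chosen by the attacker
DST_MAC = "ff:ff:ff:ff:ff:ff"   # broadcast: no ARP resolution needed
SRC_IP = "10.0.0.99"            # any address; the interface itself has none configured
DST_IP = "10.0.0.255"
SNIFF_IF = "eth1"               # the promiscuous, unaddressed interface


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def checksum(data):
    """RFC 1071 ones-complement checksum; pads odd-length input with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Ethernet II + IPv4 + UDP with checksums filled in, padded to the 60-byte minimum."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)

    # The UDP checksum covers a pseudo-header: src, dst, zero, protocol, UDP length.
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    ucs = checksum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 would mean "no checksum"
    udp = struct.pack("!HHHH", sport, dport, udp_len, ucs) + payload

    # version/IHL, TOS, total length, ID, flags/fragment (DF), TTL, proto, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + udp_len, 0x1234, 0x4000, ttl, 17, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]

    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return (eth + ip_hdr + udp).ljust(60, b"\x00")


def parse_frame(frame):
    """Decode and verify a frame from build_frame (the same checks an IDS decoder makes)."""
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if checksum(ip) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 17:
        raise ValueError("not UDP")
    l4 = frame[14 + ihl:14 + total_len]
    sport, dport, ulen, ucs = struct.unpack("!HHHH", l4[:8])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, ulen)
    if ucs and checksum(pseudo + l4[:ulen]) != 0:
        raise ValueError("bad UDP checksum")
    return {
        "src_mac": mac_str(src), "dst_mac": mac_str(dst),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "payload": l4[8:ulen],
    }


def send_raw(frame, ifname=SNIFF_IF):
    """Hand the frame to the driver directly; ifname needs no address. Root on Linux only."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    try:
        s.bind((ifname, 0))
        return s.send(frame)
    finally:
        s.close()


if __name__ == "__main__":
    f = build_frame(SRC_MAC, DST_MAC, SRC_IP, DST_IP, 40000, 514, b"exfil test")
    print(parse_frame(f))
    send_raw(f)   # raises PermissionError when not run as root
```

Nothing in this path consults the interface's address configuration: the kernel writes whatever bytes it is given to the wire, so "no IP on the NIC" does not stop an attacker who already has root on the sniffer, and software controls on the sniffer itself (ARP disabled, firewall rules on that interface) are under the attacker's control once the box is owned. The only thing that reliably removes the transmit path is hardware that cannot send, which is exactly what tutaepaki's receive-only cable provides.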