>From: Chris Brenton <[EMAIL PROTECTED]>
>To: Craig I. Hagan <[EMAIL PROTECTED]>
>
>"Craig I. Hagan" wrote:
>> however, i wouldn't have the machine bridge to another
>> network, even with the lead snipped, use the serial port to manage the
>> machine, then there is no risk of packets being leaked.
>
>Could you expand on this a bit? I'm not sure under what conditions
>packets could "leak" when the OS has no protocols bound in order to
>receive packets let alone decode them and pass them along. An example of
>how an attacker could do this would be very cool.

[Just thinking out aloud...]

I don't see how packets could leak through an adapter with no protocols
bound to it, but I can see a potential, if not a bit far-fetched (aren't
security people supposed to be paranoid?) attack on a "dual-homed" sniffer
with each NIC on either side of the corporate firewall: what if a
trojan/virus made its way onto the monitoring box from the secure side, and
what if that code bound [insert your favorite Internet protocol of choice
here] to the non-secure sniffing interface? And what if it also turned IP
forwarding on? Maybe this isn't so far-fetched if someone on the inside were
trying to subvert the firewall by finding another way past it. And in any
case you'd certainly want to protect the box the monitor is sitting on from
tampering/probing/etc. esp. from the internal network.

I'd think the risk is lower if you connect to the monitor from a serial
interface as opposed to a NIC, even though the problem with this as well is:
What if the aforementioned trojan bound a serial protocol (PPP) to both the
monitor and the serial client?

*sigh* sometimes paranoia gets in the way of productive connectivity...

--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
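
A configuration check for the dual-homed sniffer scenario discussed in this thread, added here as an example and not part of any poster's message: it parses constructed `ip -o addr show` output and sysctl values (on a real box you would feed it the live output) and flags anything that contradicts the "nothing bound on the monitoring NIC, no IP forwarding" posture. The interface names and addresses are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: output of `ip -o addr show` on a dual-homed sniffer.
# eth0 is the management NIC; eth1 is the monitoring NIC and should carry
# no address at all. Here eth1 has one, as if a trojan had bound IP to it.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
3: eth1    inet 192.0.2.7/24 brd 192.0.2.255 scope global eth1
"""

# Constructed sample: forwarding sysctls as `sysctl -a` would report them.
SAMPLE_SYSCTL = {"net.ipv4.ip_forward": "1", "net.ipv6.conf.all.forwarding": "0"}

FORWARDING_KEYS = ("net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding")


def addresses_by_iface(ip_addr_output: str) -> Dict[str, List[str]]:
    """Map interface name -> list of inet/inet6 addresses from `ip -o addr` lines."""
    addrs: Dict[str, List[str]] = {}
    for line in ip_addr_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+(inet6?)\s+(\S+)", line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(3))
    return addrs


def audit_sniffer(ip_addr_output: str, sysctls: Dict[str, str],
                  monitor_iface: str) -> List[str]:
    """Return findings that break the 'no protocols bound, no forwarding' posture.

    An empty list means the monitoring NIC has no L3 address and the kernel
    will not route between the two sides of the firewall.
    """
    findings: List[str] = []
    bound = addresses_by_iface(ip_addr_output).get(monitor_iface, [])
    if bound:
        findings.append(f"{monitor_iface} has addresses bound: {', '.join(bound)}")
    for key in FORWARDING_KEYS:
        if sysctls.get(key, "0") != "0":
            findings.append(f"{key}={sysctls[key]} (forwarding enabled)")
    return findings


if __name__ == "__main__":
    for finding in audit_sniffer(SAMPLE_IP_ADDR, SAMPLE_SYSCTL, "eth1"):
        print("FINDING:", finding)
```

Run it from cron or a host-integrity job and alert on any non-empty result; a clean sniffer should report nothing.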
