Hi Jeff,

I hope I've understood your question correctly - and if so,
here's a serious problem. Of course you won't *directly* bind
anything to that interface; but what about *other* things that
run on that box that are intended to be on the internal
interface? Many daemons have a default configuration that just
binds to 0, e.g. binds to *every* IP address on the machine.

So you could *easily* end up with something listening on that
DMZ interface without realizing it; especially if multiple
folks have access to the box.

I'd vote for putting a separate box on the DMZ.

If I've misinterpreted your question, just ignore the above :-)

Carol


"Burgess, Jeff" wrote:
> 
>  Hey,
>    I have a question regarding running a NIC card in promiscuous mode
> without any protocols bound to it.
> 
>    Scenario is, we want to place a "monitoring" machine on our internal
> network to watch things, the idea arose to put a second NIC in the box to
> put in our DMZ (*Sort of like dual homing the machine, but without any
> protocols bound to it*).
> 
>    Now, being the security "cop" this rose several red flags for me while my
> mind was screaming out "no way in hell!" but I couldn't come up with one
> solid reason as to why not, so they want to go ahead with it.
> 
>    What I'm looking for from some of you more knowledgeable gurus is a
> reason not to let this happen, or reassurances from you as to why this isn't
> a problem, as my synapses are all screaming at me like spider man!!!
-- 
Carol Deihl - principal, Shrier and Deihl - mailto:[EMAIL PROTECTED]
Remote Unix Network Admin, Security, Internet Software Development
  Tinker Internet Services - Superior FreeBSD-based Web Hosting
                     http://www.tinker.com/
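One way to catch the condition Carol describes (a daemon that quietly binds to every address and so ends up listening on the DMZ NIC), added here as an example and not part of the original thread: audit the host's listening sockets and flag any wildcard bind or explicit bind to the DMZ interface's address. It parses constructed `ss -lntuH` style output (on a FreeBSD box you would feed `sockstat -l` through a similar parser); the DMZ address 192.0.2.10 and the sample services are assumptions.

```python
# Audit listening sockets for anything reachable through the DMZ interface.
# Constructed sample of `ss -lntuH` output: Netid State Recv-Q Send-Q Local Peer
SAMPLE_SS = """\
tcp   LISTEN 0 128  0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0 511  10.0.0.5:80        0.0.0.0:*
tcp   LISTEN 0 128  [::]:25            [::]:*
udp   UNCONN 0 0    192.0.2.10:161     0.0.0.0:*
"""

# Assumed address of the second NIC that sits on the DMZ.
DMZ_ADDRS = {"192.0.2.10"}

# Wildcard forms that mean "every address on the machine".
WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_ss(text):
    """Return (proto, addr, port) tuples from `ss -lntuH` style lines."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)  # split on the last colon (IPv6 safe)
        listeners.append((proto, addr.strip("[]"), int(port)))
    return listeners


def dmz_exposure(listeners, dmz_addrs):
    """Classify which listening sockets can be reached via the DMZ interface."""
    findings = []
    for proto, addr, port in listeners:
        if addr in WILDCARDS:
            findings.append((proto, addr, port, "wildcard bind: reachable on DMZ"))
        elif addr in dmz_addrs:
            findings.append((proto, addr, port, "explicitly bound to DMZ address"))
        # loopback and internal-only binds are not reachable from the DMZ
    return findings


if __name__ == "__main__":
    for proto, addr, port, why in dmz_exposure(parse_ss(SAMPLE_SS), DMZ_ADDRS):
        print(f"{proto:<4} {addr}:{port:<6} {why}")
```

Feed it real output (`ss -lntuH | python3 audit.py`-style) from cron and diff against a known-good baseline to catch a new daemon that someone installs with its default bind.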