how about disabling packet forwarding (routing) and shutting down route 
daemons, route discovery stuff, all services in inetd daemon, sendmail, and 
any access to that machine except for the console?

peter
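The hardening Peter lists (forwarding off, no routing daemons, no inetd services, no sendmail) can be turned into a check that runs on the monitoring box. This is an added example, not code from the thread; it assumes Linux paths and the ss(8)/ps(1) column layouts, since the thread names no OS, and reads from files so it can also audit captured output.

```shell
#!/bin/sh
# Added example, not from the original thread: audit checks for a sniffer host
# that must neither forward packets nor offer any network service. Each check
# reads from a file so it can run against the live system or a captured copy;
# the Linux default path and the ss(8)/ps(1) column layouts are assumptions.

# Print the IP forwarding sysctl value ("0" off, "1" on).
ip_forward_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    tr -d '[:space:]' < "$f"
}

# From "ss -lntu" output (Netid State Recv-Q Send-Q Local:Port Peer:Port),
# print listeners bound to anything other than loopback: each one is a
# service reachable from some NIC, i.e. what Peter says to shut down.
exposed_listeners() {
    awk '$1 ~ /^(tcp|udp)$/ && $5 !~ /^(127\.|\[::1\])/ { print $1, $5 }' "$1"
}

# From a "ps -eo comm" listing, print routing and inetd/sendmail daemons
# that a monitoring box has no business running.
forbidden_daemons() {
    grep -xE 'routed|gated|zebra|ripd|ospfd|bgpd|inetd|xinetd|sendmail' "$1" || true
}

# Combine the three checks; returns 0 only when the host is clean.
audit_sniffer() {
    rc=0
    fwd=$(ip_forward_state "$1")
    [ "$fwd" = "0" ] || { echo "FAIL: ip_forward=$fwd (packets can be bridged between NICs)"; rc=1; }
    lst=$(exposed_listeners "$2")
    [ -z "$lst" ] || { printf 'FAIL: network-reachable listeners:\n%s\n' "$lst"; rc=1; }
    dmn=$(forbidden_daemons "$3")
    [ -z "$dmn" ] || { printf 'FAIL: routing/service daemons running:\n%s\n' "$dmn"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: no forwarding, no listeners, no routing daemons"
    return "$rc"
}

# Live run on Linux (capture ss and ps output first):
#   ss -lntu > /tmp/ss.out; ps -eo comm > /tmp/ps.out
#   audit_sniffer /proc/sys/net/ipv4/ip_forward /tmp/ss.out /tmp/ps.out
```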


>From: "Gene Lee" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>, "Craig I. Hagan" <[EMAIL PROTECTED]>
>CC: "Burgess, Jeff" <[EMAIL PROTECTED]>,        
>"'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: Re: NICs and Protocols
>Date: Mon, 16 Aug 1999 20:26:05 -0400
>
> >From: Chris Brenton <[EMAIL PROTECTED]>
> >To: Craig I. Hagan <[EMAIL PROTECTED]>
> >
> >"Craig I. Hagan" wrote:
> >> however, i wouldn't have the machine bridge to another
> >> network, even with the lead snipped, use the serial port to manage my
> >> machine, then there is no risk of packets being leaked.
> >
> >Could you expand on this a bit? I'm not sure under what conditions
> >packets could "leak" when the OS has no protocols bound in order to
> >receive packets let alone decode them and pass them along. An example of
> >how an attacker could do this would be very cool.
>
>[Just thinking out aloud...]
>
>I don't see how packets could leak through an adapter with no protocols
>bound to it, but I can see a potential, if not a bit far-fetched (aren't
>security people supposed to be paranoid?) attack on a "dual-homed" sniffer
>with each NIC on either side of the corporate firewall: what if a
>trojan/virus made its way onto the monitoring box from the secure side, and
>what if that code bound [insert your favorite Internet protocol of choice
>here] to the non-secure sniffing interface? And what if it also turned IP
>forwarding on? Maybe this isn't so far-fetched if someone on the inside were
>trying to subvert the firewall by finding another way past it. And in any
>case you'd certainly want to protect the box the monitor is sitting on from
>tampering/probing/etc. esp from the internal network.
>
>I'd think the risk is lower if you connect to the monitor from a serial
>interface as opposed to a NIC, even though the problem with this as well is:
>What if the aforementioned trojan bound a serial protocol (PPP) to both the
>monitor and the serial client?
>
>*sigh* sometimes paranoia gets in the way of productive connectivity...
>
>--
>Gene Lee
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>


