Disclaimer: I know this project goes against all good security
architecture, but what I am looking for is a risk analysis and assessment,
as opposed to a blanket "Don't know why, but don't do it".
I am in the middle of playing with IDS and due to hardware constraints, I am
planning on running a temporary multi-homed IDS on my test lab, where one
NIC is connected to the internet and the other NIC is on the intranet (which
provides a potential bypass around the multi-homed firewall I have running
parallel to it).
This box is OpenBSD 2.6, and the reason why it's temporarily multi-homed is
because it's my SAMBA (2.0.6) file server right now. What I plan on doing is
not assigning an IP address to the new Internet NIC, disabling IP
forwarding, putting IP filters on the intranet NIC (can't do it on the
Internet NIC, because then the IDS won't see packets) and isolating all
services (via xinetd 2.1.8.8p1) from that adapter. I'll be researching tools
like enhanced tcpdump tools, snort, dragon, etc., so they will be packet
sniffer-based.
Again, I know the risks of a compromise will expose my internal network, but
once testing is finished (and I can muster up a budget) I plan on deploying
a single-homed dedicated IDS machine with no IP access and administration
done only through the serial port.
The current problem is that I need to make sure there is no leakage of
internal traffic through the Internet NIC. I also need to be assured that
the NIC does not inadvertently respond to broadcast traffic despite it not
having an IP address. Does anyone know of any way anyone can make this box
respond from the Internet using my configuration? Any other hardening
techniques to make this more secure in this temporary configuration?
--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
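The configuration facts the post relies on (sniffing NIC with no inet address, IP forwarding off, no service bound to the wildcard address so that nothing would follow the Internet NIC if it ever acquired an address) can be checked mechanically. The script below is an added example, not from the original post or any OpenBSD tool; the interface names ne0 (intranet) and ne1 (Internet, sniff-only) are assumptions, and all command output in it is constructed sample text so that it runs offline. It checks configuration state only, not whether the driver answers ARP or broadcast traffic at the link layer.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Checks three facts the
# post's design depends on: the sniffing NIC has no inet address, IP
# forwarding is off, and no service listens on the wildcard address.
# The SAMPLE_* variables are CONSTRUCTED output so the script runs offline;
# on a live box replace them with `ifconfig -a`, `sysctl net.inet.ip.forwarding`
# and `netstat -an -f inet`. Interface names ne0/ne1 are assumptions.

# Constructed sample of `ifconfig -a`: ne0 has an address, ne1 has none.
SAMPLE_IFCONFIG='ne0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:5e:00:53:01
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
ne1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:5e:00:53:02'

# Constructed sample of `sysctl net.inet.ip.forwarding`.
SAMPLE_SYSCTL='net.inet.ip.forwarding=0'

# Constructed sample of `netstat -an -f inet`: Samba is bound to the intranet
# address, but sshd listens on the wildcard address (*.22).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.1.10.139       *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
udp        0      0  192.168.1.10.137       *.*'

# iface_has_inet IFNAME IFCONFIG_TEXT: exit 0 if the stanza for IFNAME
# contains an "inet" line, i.e. the interface carries an IPv4 address.
iface_has_inet() {
    printf '%s\n' "$2" | awk -v ifn="$1" '
        {
            c = substr($0, 1, 1)
            # A non-indented line starts a new interface stanza.
            if (c != " " && c != "\t") in_if = (index($0, ifn ":") == 1)
        }
        in_if && $1 == "inet" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# forwarding_disabled SYSCTL_TEXT: exit 0 if net.inet.ip.forwarding is 0.
forwarding_disabled() {
    printf '%s\n' "$1" | grep -q '^net\.inet\.ip\.forwarding[=:] *0$'
}

# wildcard_listeners NETSTAT_TEXT: print "proto local-address" for every
# socket bound to *.port. Such a socket answers on every interface that has
# an address, so it would follow the Internet NIC the moment it got one.
wildcard_listeners() {
    printf '%s\n' "$1" |
        awk '($1 == "tcp" || $1 == "udp") && $4 ~ /^\*\./ { print $1, $4 }'
}

# count_wildcard_listeners NETSTAT_TEXT: number of such sockets.
count_wildcard_listeners() {
    wildcard_listeners "$1" | wc -l | tr -d ' '
}

# audit SNIFF_IF IFCONFIG_TEXT SYSCTL_TEXT NETSTAT_TEXT: run all checks,
# report each, and exit 0 only if every check passes.
audit() {
    rc=0
    if iface_has_inet "$1" "$2"; then
        echo "FAIL: $1 has an inet address"; rc=1
    else
        echo "ok:   $1 has no inet address"
    fi
    if forwarding_disabled "$3"; then
        echo "ok:   net.inet.ip.forwarding=0"
    else
        echo "FAIL: IP forwarding is enabled"; rc=1
    fi
    n=$(count_wildcard_listeners "$4")
    if [ "$n" -eq 0 ]; then
        echo "ok:   no wildcard listeners"
    else
        echo "FAIL: $n socket(s) bound to the wildcard address:"
        wildcard_listeners "$4" | sed 's/^/      /'; rc=1
    fi
    return $rc
}

# Run against the constructed samples; expected to flag the *.22 listener.
audit ne1 "$SAMPLE_IFCONFIG" "$SAMPLE_SYSCTL" "$SAMPLE_NETSTAT" ||
    echo "audit: fix the FAIL lines above"
```

On a live box the same functions take the real command output, e.g. `audit ne1 "$(ifconfig -a)" "$(sysctl net.inet.ip.forwarding)" "$(netstat -an -f inet)"`. A wildcard listener is the finding to chase: every service the post wants isolated should show the intranet address, not `*`, in the Local Address column.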