TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

George et al:

The TCP RST packets ARE generated by the "stealth" NIC, since that is the
NIC on the monitored network.  Since the IP/MAC address information is
available to RS from BOTH ends of the suspect TCP session, RS builds TWO
spoofed TCP RST packets using the IP/MAC information and sends each end of
the suspect TCP session a TCP RST that purports to come from the other end
of the session.  Therefore, each end of the session being RSTed believes the
other end called off the conversation.  These TCP RST packets are the ONLY
output ever issued by the stealth NIC.  All other responses that require
communication are generated by the "reporting" NIC and sent to the network
on which the monitoring RS Console is placed.  If that network has no exit
point for SNMP/SMTP/pagers/etc, then you have an "out-of-band" network,
which is more secure BUT you lose the ability to use the SMTP/SNMP/pager
responses.

James R Lindley
Anomaly Detection Xpert
X-Force Surveillance and Response Unit
Managed Security Services
Internet Security Systems Inc
Vox:  678-443-6323
Fax:  678-443-6482
An unquenchable thirst for Pierian Waters.

Internet Security Systems - The Power To Protect.
-----Original Message-----
From: George Milliken [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 02, 2000 6:57 PM
To: Mark S. Velasquez
Cc: [EMAIL PROTECTED]
Subject: Re: **RealSecure 5.0 & E-Mail Alerts**




For that matter, how do TCP RS KILLs happen across the "secure"  stealth
interface?

We have puzzled on this much recently.    We assume the emails go out
over the internal interface but I have not verified that via sniffer.

But, how do the resets happen??? There is no guarantee that the
internal interface can route packets back to the stealth (outside) side
of the network.

Anybody got a clue?  





"Mark S. Velasquez" wrote:
> 
>  I've installed RealSecure 5.0. The Network Sensors are installed on
> Sparc Solaris 7.0 platforms with the monitoring interface in stealth
> mode( no IP assigned to it, no arp, etc.), and a second interface on a
> private Network to the monitoring Console.
> 
>  My question concerns E-Mail Responses. I'd assumed that the monitoring
> console sent them. From reading the manual it appears that the Network
> Sensor sends them...if so how is this supposed to work in a secure
> setup( it can't send via the stealth-configured interface... and the
> other interface connects directly to the Monitoring Console. ).
> 
>  How is everyone else sending E-Mail responses/alerts in a secure
> configuration ?
> 
>  TIA
> 
> Mark

-- 


Regards,



George Milliken

---------------------------------
farm9, Inc.

Online Intrusion Prevention 24x7
http://www.farm9.com
---------------------------------
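
The RST pair described in James Lindley's reply above, modelled as an added example (not RealSecure code and not part of the original thread): it derives the header fields of both resets from one observed segment and never sends anything. The class names, sample addresses and the sequence-number rule are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    mac: str
    ip: str
    port: int

@dataclass(frozen=True)
class Segment:
    """One TCP segment of the suspect session as seen on the monitored wire."""
    src: Endpoint
    dst: Endpoint
    seq: int
    ack: int
    payload_len: int

@dataclass(frozen=True)
class Rst:
    """Header fields of one reset; this model never puts anything on a wire."""
    src: Endpoint   # the end the reset purports to come from
    dst: Endpoint   # the end that receives it
    seq: int
    flags: str = "R"

def rst_pair(seen: Segment) -> tuple:
    """Derive both resets from a single observed segment.

    Assumption (standard TCP behaviour, not stated in the post): a receiver
    accepts a reset only if its sequence number is what it expects next
    from the peer.
    """
    mod = 2 ** 32  # sequence numbers wrap at 32 bits
    # To the receiver, "from" the sender: first byte after the observed payload.
    to_dst = Rst(src=seen.src, dst=seen.dst, seq=(seen.seq + seen.payload_len) % mod)
    # To the sender, "from" the receiver: the sender's own ACK field names the
    # next byte it expects from that peer.
    to_src = Rst(src=seen.dst, dst=seen.src, seq=seen.ack % mod)
    return to_dst, to_src

# Constructed sample: documentation addresses and made-up MACs.
CLIENT = Endpoint("02:00:00:00:00:01", "192.0.2.10", 40000)
SERVER = Endpoint("02:00:00:00:00:02", "198.51.100.5", 25)
OBSERVED = Segment(CLIENT, SERVER, seq=4294967290, ack=7000, payload_len=10)

if __name__ == "__main__":
    for rst in rst_pair(OBSERVED):
        print(f"{rst.src.ip}:{rst.src.port} -> {rst.dst.ip}:{rst.dst.port} "
              f"[{rst.flags}] seq={rst.seq}")
```

Each reset carries the other end's MAC and IP as its source, which is why a sensor NIC with no address of its own can still emit them.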


