One suggestion that I recall from a very old paper (either "There Be Dragons" by Steven M. Bellovin 1992 or "An Evening with Berferd ..." by Bill Cheswick 1991 (likely *the* original honey pot!)) talks of cutting the transmit wires on any sensors that you use. I am not sure if this is still workable on today's switches, but it may be with the right settings on the port...

Steve Vawter
UNIX SYSTEM ADMINISTRATOR
Zone Labs, Inc.
1060 Howard Street
San Francisco CA 94103
ph 415-341-8323
fax 415-341-8299
cell 510-409-9184
pager 877-933-0549

-----Original Message-----
From: ash [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 09, 2002 8:40 PM
To: Skokan, Paul
Cc: '[EMAIL PROTECTED]'
Subject: Re: Host Security

Skokan, Paul wrote:

>I am running some FreeBSD boxes as various network monitoring hosts. The hosts have multiple interfaces on them sniffing different network segments. The hosts have one management interface with an IP address assigned to the interface and the other ethernet interfaces do not have IP address assigned. I am wondering if there are any vulnerabilities with having one of these monitoring interfaces sit on a public network. Can the hosts be hacked at all on the monitoring interface without an IP address... If so, how?
>
>Paul
>

That's a really good question. The only way I can see it happening is if either the NICs broadcast any info over the network, an internal user knowing the MAC addresses and crawling their way in that way, or possibly scanning for NICs in promiscuous mode.

Ash
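
As an added example (not part of the original thread), the setup described above can be checked by parsing FreeBSD `ifconfig` output and flagging any sniffing interface that carries an address, IPv6 link-local included, or that is up without the PROMISC flag. The interface names, addresses and the `audit`/`parse_ifconfig` helpers are constructed for illustration; the management interface name is passed in as an assumption.

```python
import re

# Constructed sample of `ifconfig` output; fxp0 is assumed to be management.
SAMPLE = """\
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    ether 00:00:5e:00:53:01
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 00:00:5e:00:53:02
fxp2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::200:5eff:fe00:5303%fxp2 prefixlen 64 scopeid 0x3
    ether 00:00:5e:00:53:03
fxp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:00:5e:00:53:04
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
"""

HEADER = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")
ADDR = re.compile(r"^\s+(inet6?)\s+(\S+)")

def parse_ifconfig(text):
    """Return {interface: {"flags": set, "addrs": [str]}} from ifconfig text."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"flags": set(m.group(2).split(",")), "addrs": []}
            ifaces[m.group(1)] = current
            continue
        m = ADDR.match(line)
        if m and current is not None:
            current["addrs"].append(m.group(2))
    return ifaces

def audit(text, mgmt):
    """List (interface, finding) for every non-management, non-loopback NIC."""
    findings = []
    for name, info in parse_ifconfig(text).items():
        if name == mgmt or "LOOPBACK" in info["flags"]:
            continue
        for addr in info["addrs"]:  # any inet or inet6 address is reachable
            findings.append((name, "has address " + addr))
        if "UP" in info["flags"] and "PROMISC" not in info["flags"]:
            findings.append((name, "up but not promiscuous"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, "fxp0"):
        print(name, finding)
```
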