Jim Ray wrote:
This is sort of like what I had in mind, although for simplicity I'd
probably just bring up a temporary IP address on the internal interface,
and send the warning from there. Unless that 3rd NIC was on a separate
network (unlikely), it probably wouldn't make much difference from a
security standpoint whether it were the NIC passing all of the traffic or a
different NIC on the same subnet. As an added benefit (if you have
enough addresses) you might bring up that NIC with a random IP address,
from a small range of say 3 or 4, to make it a little harder to predict
an address you'd be able to attach to that belongs to the firewall.
Snort for network ID and something like your hidden partition
suggestion, or even Samhain or Tripwire would work well for local ID.
It's just something we didn't go to the trouble to implement, given the
box's complete lack of direct network accessibility.
Aaron S. Joyner
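The "temporary address on the internal interface, picked at random from a small pool" idea above, written out as a POSIX shell script. This is an added example, not code from the thread or from either poster. The interface name (eth1), the address pool (RFC 5737 documentation addresses), the syslog collector name and the use of `nc -s` to bind the alias as the source address are all assumptions; `DRY_RUN=1` prints the `ip`/`nc` commands instead of running them so the script can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): bring up a short-lived alias address on the
# firewall's internal interface, send one alert from that address, then remove it.
# IFACE, ALERT_POOL and ALERT_HOST are placeholders; adjust for the real box.

IFACE="${IFACE:-eth1}"                                                    # assumed internal NIC
ALERT_POOL="${ALERT_POOL:-192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13}"   # constructed 4-address pool
PREFIX="${PREFIX:-24}"
ALERT_HOST="${ALERT_HOST:-syslog.example.invalid}"                       # placeholder collector
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1 (no root needed to exercise the logic)
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# pool_size: number of addresses in ALERT_POOL
pool_size() {
    set -- $ALERT_POOL
    echo "$#"
}

# pick_alert_addr: choose one address from ALERT_POOL at random (awk rand(), seeded per run)
pick_alert_addr() {
    n=$(pool_size)
    want=$(awk -v n="$n" -v seed="$(date +%s)$$" \
        'BEGIN { srand(seed); print int(rand() * n) + 1 }')
    i=0
    for a in $ALERT_POOL; do
        i=$((i + 1))
        if [ "$i" -eq "$want" ]; then
            echo "$a"
            return 0
        fi
    done
    return 1
}

# addr_in_pool: succeed only if $1 is one of the pool addresses (used to sanity-check picks)
addr_in_pool() {
    for a in $ALERT_POOL; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# send_alert: add the alias, emit one syslog datagram sourced from it, delete the alias.
# The alias is removed even if the send fails, so the address is never left configured.
send_alert() {
    msg="$1"
    addr=$(pick_alert_addr) || return 1
    run ip addr add "$addr/$PREFIX" dev "$IFACE" || return 1
    # <13> = facility user, severity notice; nc -s binds the temporary alias as source
    printf '<13>firewall-ids: %s\n' "$msg" \
        | run nc -u -w 2 -s "$addr" "$ALERT_HOST" 514
    rc=$?
    run ip addr del "$addr/$PREFIX" dev "$IFACE"
    return $rc
}

# Stand-alone usage:  DRY_RUN=1 sh alias-alert.sh "tripwire: /sbin/iptables changed"
if [ -n "${1:-}" ]; then
    send_alert "$1"
fi
```

Because the alias sits on the same subnet as the primary address, the kernel would normally pick the primary address as the packet's source; that is why the send explicitly binds the alias with `-s`. Run it with `DRY_RUN=1` first to see the exact `ip addr add`, `nc` and `ip addr del` commands it would issue.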
[Jim Ray sez:] dude...we need to get you over here for one of our special
topics/beer labs.
Well, you won't lure me in with the Beer, but you might try V8 Splash or
Chocolate. :)
Aaron S. Joyner
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc