Firewall Wizards: RE: tcpdump on my firewall

RE: tcpdump on my firewall

From: Ames, Neil <NAmes_at_anteon.com>
Date: Fri, 26 Oct 2001 13:18:14 -0400

Three things come to mind:
1) What do the security policy, security guidelines, or security procedures
for your site say should or should not be on your firewall?
2) You want as little running on your firewall as possible. The more code
that you have running on it the more vulnerable you are.
3) You can run tcpdump on another machine. Dredge up a machine that nobody
wants on their desktop. Get two while you're at it, so that you can watch
both sides of your firewall...

Thank you,

Fritz Ames

-----Original Message-----
From: Jose Nazario [mailto:jose_at_biocserver.BIOC.cwru.edu]
Sent: Friday, October 26, 2001 11:52 AM
To: hesselsp_at_ashaman.dhs.org
Cc: firewall-wizards_at_nfr.com
Subject: Re: [fw-wiz] tcpdump on my firewall

On Thu, 25 Oct 2001 hesselsp_at_ashaman.dhs.org wrote:

> I have had a request to put tcpdump on our firewall by one of our tech
> guys.

> I have told him that I will not do so, and he wants a good reason why.

a) tcpdump has had root exploits in the past; they will probably come back
up again:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump

use the CVE and Bugtraq databases. They are your friends in such a time.

b) performance. tcpdump slows down packet processing, among other things,
and on a router/gateway that's a noticeable hit.

suggestion: throw a switch in there and use the reflector port to monitor
stuff with a laptop. if you are worried about the laptop getting
compromised while sniffing, use tcpdump at layer two. on (at least) OpenBSD:
ifconfig ep1 up (note no address given) and start tcpdump -ni ep1 ....
works like a champ.

i hope this helps.

____________________________
jose nazario jose_at_cwru.edu
                     PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Received on Oct 26 2001
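The passive-tap setup suggested in the quoted message (bring the capture interface up with no address, then run tcpdump -ni on it), written out as a small script. This is an added example, not code from the original post or from either author. It assumes a BSD- or Linux-style ifconfig and a tcpdump recent enough (4.x) to understand -Z, -C and -W; the only flags taken from the message are -n and -i, the rotation, snaplen and privilege-drop flags are this example's additions, and the interface name, output path, user name and sample ifconfig output are made up for illustration.

```shell
#!/bin/sh
# Passive sniffer on a switch mirror port, after the suggestion in the
# message above. Added example, not code from the original post.
# Assumes BSD/Linux ifconfig and tcpdump 4.x (-Z, -C, -W). Only "-n -i"
# come from the original; the remaining flags are additions here.
set -u

# Read ifconfig output on stdin; succeed only if no IPv4/IPv6 address is
# configured. The monitor interface must stay unaddressed: with no
# address the box cannot answer at layer 3, so a hostile packet seen on
# the mirror port has nothing to talk back to.
no_address_configured() {
    ! grep -Eq '^[[:space:]]*inet6?[[:space:]]'
}

# Print the tcpdump command line for interface $1: full snaplen, rotating
# pcap files at $2 (100 MB each, 10 kept), and root dropped to user $3
# once the capture socket is open, so the packet decoders run unprivileged.
build_tcpdump_cmd() {
    printf 'tcpdump -n -i %s -s 0 -w %s -C 100 -W 10 -Z %s\n' "$1" "$2" "$3"
}

# Bring the interface up without an address and start capturing.
# Requires root. DRYRUN=1 prints what would run instead of running it.
start_monitor() {
    iface=$1; outfile=$2; user=$3
    if ! ifconfig "$iface" | no_address_configured; then
        echo "refusing: $iface has an address configured" >&2
        return 1
    fi
    cmd=$(build_tcpdump_cmd "$iface" "$outfile" "$user")
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "ifconfig $iface up"
        echo "$cmd"
        return 0
    fi
    # $cmd is deliberately unquoted so the shell splits it into words.
    ifconfig "$iface" up && exec $cmd
}

# Run as a script: start_monitor.sh <iface> <pcap path> <unprivileged user>
# e.g. DRYRUN=1 ./start_monitor.sh ep1 /var/cap/mon.pcap nobody
if [ "${1:-}" ]; then
    start_monitor "$@"
fi
```

The refusal check is the point of the script: a sniffer with an address is a host on the monitored segment, and the layer-two-only box the message describes is only safe while it cannot be reached. The -Z flag answers the other concern in the message: tcpdump opens the capture socket as root and then changes to the named user, so a decoder bug triggered by hostile traffic runs without root.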
