Firewall Wizards
mailing list archives
Re: tcpdump on my firewall
From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Fri, 26 Oct 2001 11:51:57 -0400 (EDT)
On Thu, 25 Oct 2001 hesselsp () ashaman dhs org wrote:
I have had a request to put tcpdump on our firewall by one of our tech guys.
I have told him that I will not do so, and he wants a good reason why.
a) tcpdump has had root exploits in the past; they will probably come back up again:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump
use the CVE and Bugtraq databases. they are your friends in such a time.
b) performance. tcpdump slows down packet processing, among other things, and on a router/gateway that's a noticeable hit.
suggestion: throw a switch in there and use the reflector port to monitor stuff with a laptop. if you are worried about the laptop getting compromised while sniffing, use tcpdump at layer two. on (at least) OpenBSD: ifconfig ep1 up (note no address given) and start tcpdump -ni ep1 .... works like a champ.
i hope this helps.
____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
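The passive-monitoring setup Jose describes (an interface brought up with no address on a mirror port, then tcpdump -ni on it) is only safe if nobody later assigns the laptop an address on that interface. The shell script below is an added example, not part of the original post or of tcpdump: it checks constructed ifconfig output (the interface names ep0/ep1 and the addresses are made up) and refuses to build the capture command when the capture interface carries an IP address or is not up.

```shell
# Constructed ifconfig output for two interfaces; not taken from a real host.
SPAN_IFACE_OUTPUT='ep1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active'
MGMT_IFACE_OUTPUT='ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:00
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# Return 0 when the ifconfig text shows no inet/inet6 address line, 1 otherwise.
# An addressless interface cannot be talked to from the monitored segment.
iface_is_addressless() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet6?[[:space:]]' && return 1
    return 0
}

# Return 0 when the first line's flag list contains UP (ifconfig <if> up was done).
iface_is_up() {
    printf '%s\n' "$1" | head -n 1 | grep -Eq '[<,]UP[,>]'
}

# The capture command: -n keeps tcpdump from resolving names, so the sniffer
# never sends DNS queries of its own while listening.
capture_command() {
    printf 'tcpdump -ni %s' "$1"
}

# Print the capture command only if the interface is up and has no address.
# Exit status: 0 ok, 1 interface has an address, 2 interface is down.
start_passive_capture() {
    iface="$1"; ifcfg="$2"
    if ! iface_is_up "$ifcfg"; then
        echo "refusing: $iface is not up (run ifconfig $iface up first)" >&2
        return 2
    fi
    if ! iface_is_addressless "$ifcfg"; then
        echo "refusing: $iface has an IP address and is reachable from the wire" >&2
        return 1
    fi
    capture_command "$iface"
}

# On a real host, replace the constructed text with: "$(ifconfig ep1)"
start_passive_capture ep1 "$SPAN_IFACE_OUTPUT"
```

The printed command is meant to be run by hand (or passed to eval) once the check passes; on the management interface ep0 the script refuses with status 1.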
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards