Firewall Wizards
mailing list archives
Re: tcpdump on my firewall
From: Chad Schieken <cschieken () lucent com>
Date: Fri, 26 Oct 2001 15:25:12 -0400
I agree with Fred that this is a policy issue, but I also see a few other
viewpoints:
1. this is an invaluable troubleshooting tool. It's helped me develop a
detailed understanding of poorly documented transactions/protocols in many
situations.
2. The risk of having the software on the box can be mitigated pretty
well. File permissions can be set up so only root can execute (or even read)
tcpdump. Also, permissions can be created on the devices to restrict access
as well -- although that's a complicated step with lots of implications.
Buffer overflow exploits aside, other similar steps can be taken, such that
it boils down to this: someone has to have root access *before* they can run
tcpdump.
I'm not trying to downplay the risks of the buffer overflow exploits,
but that risk is minimized by only running tcpdump for short periods to do
specific tasks. The window of exposure in this case can be quite manageable.
3. in some environments it's a lot easier to do this type of sniffing using
tcpdump, vs. installing dedicated sniffers in the network.
All of this begs the question, to the original poster -- why did you reject
the request in the first place? Certainly the case can be made either way,
and every environment is different.
At 12:57 PM 10/26/2001, Frederick M Avolio wrote:
At 02:51 PM 10/25/01 -0400, hesselsp () ashaman dhs org wrote:
Anyone want to help me out here?
I have had a request to put tcpdump on our firewall by one of our tech
guys.
I have told him that I will not do so, and he wants a good reason why.
HE wants a good reason why? HE?
Your security policy should cover this (and probably doesn't). Everything
you add on a firewall makes it more complex. Complexity and security are
inversely proportional. But wait! He doesn't have a user account on the
firewall does he? No one should except the firewall admin, and that should
be tightly controlled. The good reason is you don't add things on the
firewall unless there is no other way to do what needs to be done, and
then only if it is a business requirement (not a desire).
Push right back and ask him for a requirement not a solution. What does he
want to do? He probably wants to monitor packets on the outside network
(or maybe on both). I can think of more than one way to accomplish this
that doesn't require putting anything new on the firewall.
Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
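A small audit of the permission lockdown Chad describes in point 2, added here as an example that is not part of the thread: it checks that a tcpdump binary is owned by root, grants nothing to group or other, and carries no setuid/setgid bit. It assumes GNU stat on Linux, and /usr/sbin/tcpdump as the default path is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Audits whether a tcpdump binary is
# restricted to root. Assumes GNU stat (Linux).

# Return 0 if the mode grants nothing to group/other and has no
# setuid/setgid bit; 1 otherwise.
mode_is_root_only() {
    f="$1"
    mode=$(stat -c '%a' "$f") || return 1
    # A leading 0 makes the shell parse stat's output as octal.
    m=$(( 0$mode ))
    [ $(( m & 077 )) -eq 0 ] || return 1     # group/other bits set
    [ $(( m & 06000 )) -eq 0 ] || return 1   # setuid/setgid bit set
    return 0
}

# Return 0 if the file is owned by uid 0 (root).
owner_is_root() {
    [ "$(stat -c '%u' "$1")" = "0" ]
}

# Report on one binary; default path is an assumption.
audit_tcpdump() {
    f="${1:-/usr/sbin/tcpdump}"
    if [ ! -e "$f" ]; then
        echo "$f: not installed (nothing to audit)"
        return 0
    fi
    rc=0
    owner_is_root "$f" || { echo "$f: not owned by root"; rc=1; }
    mode_is_root_only "$f" || {
        echo "$f: mode $(stat -c '%a' "$f") grants access beyond root"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$f: restricted to root"
    return "$rc"
}
```

Run as `audit_tcpdump /path/to/tcpdump`; a non-zero exit means the binary is reachable by someone other than root.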