


IDS: Re: IDS Stealth Mode

From: Talisker <talisker_at_networkintrusion.co.uk>
Date: Thu, 9 Jan 2003 08:59:43 -0000

Rom
The stealth interface hasn't to my knowledge been exploited but as you say
"where there is a wire there's a way".
Personally I'd be willing to accept the risk. However, I'm not the owner
of the networks I look after, therefore it is not my risk to accept. Sadly
those individuals that do own the risk are not always TCP/IP aware, so
trying to convince them that an interface is indeed stealthy, especially
when an IDS can craft resets and insert them on the same interface, is a
difficult task. Common Criteria may help convince them that they are
dealing with a sound product -hehe ;o)

The best way I have found to mitigate the risk is by the use of a network
tap, which when inserted inline listens to passing traffic; these are not
always a data diode, i.e. no transmit. Many cannot demonstrate an airgap on
the transmit pairs as it is done within the circuitry (I work for some
paranoid individuals), and the vendors frequently will not disclose circuit
diagrams. A recent issue was with a tap that was configured such that
resets could still be sent through the tap; this obviously didn't reduce the
risk of a stealthy interface. Though the company concerned provided us with
a 2nd example within days where the transmit could be seen with an airgap.

Hope this helps
take care
-andy

Taliskers Network Security Tools
http://www.networkintrusion.co.uk
----- Original Message -----
From: "r)(o)(m" <nom.de.guerre_at_bonbon.net>
To: <focus-ids_at_securityfocus.com>
Sent: Wednesday, January 08, 2003 2:39 PM
Subject: IDS Stealth Mode

> Retrying this post after 2 days:
> A common deployment configuration of Network IDS is to have 2 NICs;
> The monitoring interface in "stealth mode" with no IP
> and
> the "management" interface on a trusted internal network.
>
> My question is:
> Has anyone ever exploited the "stealth" interface to traverse networks?
> Has anyone (else) ever had to defend such a configuration against the
> argument:
> "where there's a wire, there's a way"
> ?
> r)(0)(m
>
>
Received on Jan 11 2003
