Hello,
> What security issues arise if one were to install/run a "sniffer" type
> program on the firewall, or is there a better way to record/capture for
> analysis all traffic that hits the firewall?
The sniffer has to be secure so that it is not vulnerable to buffer overflows
or disk overruns. Especially the second one is not very easy and may easily
be another source of denial of service attacks. Usually a good firewall
solution should provide you with the necessary logs without running an
additional sniffer.
If you need an additional sniffer on the firewall, be sure to verify the
installation for security and log overflows. Try to make the sniffer run as a
non-privileged process. You can make sure that only the external interface is
sniffed. For sniffing your firewall traffic you won't need promiscuous mode for
any of the interfaces. Therefore removing that from the kernel may be a good
idea.
I have read about argus (sorry, I have no online access at the moment to
look for the URL, but use your favorite search engine for it). It's a
sniffing tool which supports session logs; this means you get log entries for
TCP connections, not for IP packets. Looks pretty neat and can handle a lot
of traffic. You can run this tool on a dedicated host in the unsecure net.
Then you use a simple serial line to transfer the logs from your sniffer to an
internal host. But I must admit, I haven't tested the tool, only looked at
the nice description.
Greetings
Bernd
--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)       If privacy is outlawed only Outlaws have privacy
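As an added illustration (not part of Bernd's message, and not argus itself): a small Python sketch of the two points raised above, a session-level record that yields one line per TCP connection instead of one per packet, and a log writer that refuses to grow past a fixed byte budget so that a packet flood cannot overrun the disk. The packet list is constructed sample data and its field layout is an assumption made for the example.

```python
"""Session-level flow logging with a bounded log (added example).

Packets are reduced to one record per TCP connection, in the spirit of the
"session log" described for argus, and records go through a writer that
never exceeds a fixed byte budget. SAMPLE_PACKETS is constructed data with
an assumed layout: (timestamp, src, sport, dst, dport, tcp_flags, length).
"""
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample capture: one full HTTP connection and one unanswered SYN probe.
SAMPLE_PACKETS = [
    (1000.0, "10.0.0.5", 40001, "192.0.2.10", 80, "S", 60),
    (1000.1, "192.0.2.10", 80, "10.0.0.5", 40001, "SA", 60),
    (1000.2, "10.0.0.5", 40001, "192.0.2.10", 80, "A", 52),
    (1000.3, "10.0.0.5", 40001, "192.0.2.10", 80, "PA", 400),
    (1000.5, "192.0.2.10", 80, "10.0.0.5", 40001, "PA", 1500),
    (1001.0, "10.0.0.5", 40001, "192.0.2.10", 80, "FA", 52),
    (1001.1, "192.0.2.10", 80, "10.0.0.5", 40001, "FA", 52),
    (1002.0, "198.51.100.7", 5555, "192.0.2.10", 22, "S", 60),
]


@dataclass
class Flow:
    client: str
    cport: int
    server: str
    sport: int
    first: float
    last: float
    packets: int = 0
    bytes_out: int = 0      # client -> server
    bytes_in: int = 0       # server -> client
    state: str = "open"     # open | established | closed
    _fins: set = field(default_factory=set)


def _key(src, sport, dst, dport):
    # Direction-independent key so both halves of a connection share one flow.
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def aggregate_flows(packets):
    """Collapse packets into one Flow per TCP connection (a session log)."""
    flows = OrderedDict()
    for ts, src, sport, dst, dport, flags, length in packets:
        k = _key(src, sport, dst, dport)
        f = flows.get(k)
        if f is None:
            # The first packet seen defines the client side (normally the SYN sender).
            f = Flow(src, sport, dst, dport, ts, ts)
            flows[k] = f
        f.last = max(f.last, ts)
        f.packets += 1
        if (src, sport) == (f.client, f.cport):
            f.bytes_out += length
        else:
            f.bytes_in += length
        if "S" in flags and "A" in flags:
            f.state = "established"     # SYN-ACK seen: handshake answered
        if "F" in flags:
            f._fins.add((src, sport))
            if len(f._fins) == 2:
                f.state = "closed"      # FIN from both sides
    return list(flows.values())


def format_record(f):
    return (f"{f.first:.1f} {f.client}:{f.cport} -> {f.server}:{f.sport} "
            f"pkts={f.packets} out={f.bytes_out} in={f.bytes_in} "
            f"dur={f.last - f.first:.1f}s state={f.state}")


class BoundedLog:
    """Append-only log that never exceeds max_bytes; overflow is counted, not written."""

    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.lines = []
        self.size = 0
        self.dropped = 0

    def write(self, line):
        needed = len(line.encode()) + 1      # +1 for the newline
        if self.size + needed > self.max_bytes:
            self.dropped += 1                # refuse rather than overrun the disk
            return False
        self.lines.append(line)
        self.size += needed
        return True


def log_sessions(packets, max_bytes):
    """Aggregate packets to sessions and write them through a bounded log."""
    log = BoundedLog(max_bytes)
    for f in aggregate_flows(packets):
        log.write(format_record(f))
    return log


if __name__ == "__main__":
    for line in log_sessions(SAMPLE_PACKETS, 4096).lines:
        print(line)
```

The dropped counter is the value to alarm on: a sudden rise means either a flood or a budget set too low, and in both cases the firewall host keeps its disk. Real tools rotate or compress instead of refusing outright, but the invariant is the same, the log's growth is bounded by something the administrator chose, not by the attacker's packet rate.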