On Saturday 15 December 2007, reader@×××××××.com wrote:
> Randy Barlow <randy@×××××××××××××××××.com> writes:
> > reader@×××××××.com wrote:
> >> I mean if
> >> you connect it to any machine in the diagram or elsewhere wouldn't you
> >> be exposing that machine to the unfiltered internet?
> >
> > I think that's the idea here - to see the difference between the two
> > sides of the router.
>
> If that is the case then I guess I don't see how the quote below
> applies. From Mick in his initial reply:
> > A rather simpler solution to do this would be to get hold of a hub,
> > connect it to the firewall and watch everything that passes through
> > it.

Your network diagram in the previous post is exactly what I was thinking and
proposing. What you are not showing is the link from your gentoo box to the
hub. Then you capture the packets that flow through with a suitable
application. Have a look at the penultimate diagram at the bottom of this
page:

http://www.mynetwatchman.com/pckidiot/ethernet.htm

> I realize you are not who made the reply I quote above but:
>
> If you still have to come up with a hardened interface to the hub then
> how is it simpler?

I am not totally convinced that a 'particularly' hardened interface is
necessary. A second NIC with suitable firewall rules, or a virtual NIC on
ntop should suffice for you to capture the packets flowing through the hub
into a log file. You could even go as far as creating VLANs to separate the
two, but I am not sure that this is necessary. I mean it is not as if you
are going to create a bridge between a trusted interface and this hub-facing
interface, right? Of course you would not be running e.g. tcpdump as root in
real time so the risk of exposure (as I understand it in this context) is
minimal, but others may want to comment. nprobe or fprobe could capture the
packets both on the Gentoo machine and on a WinXP machine and save them on
file(s), and/or send them to ntop as NetFlow. Perhaps others can comment
further on similar suitable software and ways to set all this up.

> Further, since the router is switched then you'd really need two hubs.
> One on each side, if the aim were to compare what is coming and what is
> getting thru. So we're getting further and further away from `rather
> simpler'

Sure, you can add a second hub and so increase complexity, or use nprobe or
the log files of the machines on the LAN side to see what actually gets
through. I am not sure if you want to run this long term and automate all of
this capture and reporting into graphical formats (e.g. using rrdtool), set
up a dedicated machine just for this purpose, or if you just want to test
particular connections in an ad hoc fashion to see why/how particular
connections behave.

> Come up with the hardened interface and forget the hub[s]. As I said
> my router offers to send all the bounced traffic to a designated DMZ.
>
> I am probably not interested enough right now to build up a whole
> different machine to talk to the hub or be the DMZ. So if you are
> pretty convinced doing it from a VMgentoo appliance running on one of
> the win boxes then I'll probably just keep fiddling around with the
> logs produced by the router.
> ... Thanks

I just saw the installation of vmware and the generation of a virtual image as
more involved than what I suggest above. Using the raw logs from the router
and filtering/sorting these through a spreadsheet would probably make them
easier to read. Anyway, whatever works better/easier for you.
--
Regards,
Mick
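The "compare what is coming with what gets through" check that the thread keeps circling (a hub on each side of the router, tcpdump on a NIC hanging off each hub), written out as an added example; this is not code from the thread or from any of the tools named in it. It takes the plain text that `tcpdump -n` prints on the WAN-side hub and on the LAN-side hub, rewrites the WAN-side destination through the router's DMZ forwarding so the two sides key on the same host, and reports which inbound connection attempts never showed up behind the router. The capture lines, the addresses (documentation ranges) and the NAT mapping are constructed for illustration; the tcpdump text format assumed is its default IPv4 line layout.

```python
import re
from collections import Counter

# Matches default tcpdump text output for IPv4 TCP/UDP/ICMP (run tcpdump with
# -n so hosts and ports stay numeric). The last '.' separates host from port;
# ICMP lines carry no port, so the port groups are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """Return (src, sport, dst, dport, proto, new_flow) for one line, or None.

    new_flow is True for packets that start a conversation: a TCP SYN without
    ACK, or any UDP/ICMP packet (those have no handshake to key on)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    flags = FLAGS_RE.match(rest)
    if flags:
        proto, new_flow = "tcp", flags.group("flags") == "S"
    elif rest.startswith("ICMP"):
        proto, new_flow = "icmp", True
    else:
        proto, new_flow = "udp", True

    def port(name):
        return int(m.group(name)) if m.group(name) else None

    return (m.group("src"), port("sport"), m.group("dst"), port("dport"),
            proto, new_flow)


def count_flows(capture_text, nat=None):
    """Count new flows keyed by (src, dst, dport, proto).

    nat maps a public address seen on the WAN hub to the private host the
    router forwards it to (the DMZ host), so WAN-side and LAN-side keys line
    up. Source ports are dropped from the key on purpose: they change on every
    attempt and would hide repeated probes of the same service."""
    nat = nat or {}
    counts = Counter()
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not parsed[5]:
            continue
        src, _sport, dst, dport, proto, _new = parsed
        counts[(src, nat.get(dst, dst), dport, proto)] += 1
    return counts


def compare_sides(wan_text, lan_text, nat):
    """Split WAN-side flows into those also seen on the LAN side (passed,
    with the count from each side) and those the router dropped (blocked)."""
    wan = count_flows(wan_text, nat)
    lan = count_flows(lan_text)
    passed = {k: (n, lan[k]) for k, n in wan.items() if k in lan}
    blocked = {k: n for k, n in wan.items() if k not in lan}
    return passed, blocked


# Constructed sample captures (not real traffic). The router's public side is
# 192.0.2.10 and it forwards inbound traffic to the DMZ host 10.0.0.5.
WAN_CAPTURE = """\
12:00:01.000100 IP 203.0.113.5.40000 > 192.0.2.10.22: Flags [S], seq 1000, win 65535, length 0
12:00:01.500200 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [S], seq 1001, win 65535, length 0
12:00:02.000300 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S], seq 2000, win 5840, length 0
12:00:02.000400 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [.], ack 1, win 5840, length 0
12:00:03.000500 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64
"""
LAN_CAPTURE = """\
12:00:02.000350 IP 198.51.100.7.51000 > 10.0.0.5.80: Flags [S], seq 2000, win 5840, length 0
12:00:02.000380 IP 10.0.0.5.80 > 198.51.100.7.51000: Flags [S.], seq 9000, ack 2001, win 5792, length 0
"""
DMZ_NAT = {"192.0.2.10": "10.0.0.5"}  # hypothetical forwarding rule

if __name__ == "__main__":
    passed, blocked = compare_sides(WAN_CAPTURE, LAN_CAPTURE, DMZ_NAT)
    for key, (seen, arrived) in sorted(passed.items(), key=str):
        print("passed ", key, "wan=%d lan=%d" % (seen, arrived))
    for key, seen in sorted(blocked.items(), key=str):
        print("blocked", key, "attempts=%d" % seen)
```

The two input files are simply what `tcpdump -n -i eth1 > wan.txt` and the same on the LAN-side NIC produce (interface names are an assumption); the hub-facing NIC needs no IP address at all to capture, which is most of the "hardening" the thread argues about, and tcpdump's `-Z user` drops root once the capture device is open. On the constructed sample the SSH probes and the ping never appear on the LAN side, while the HTTP connection does, which is exactly the per-service difference between the two sides of the router the original question was after.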