| 1 |
On Saturday 15 December 2007, reader@×××××××.com wrote: |
| 2 |
> Randy Barlow <randy@×××××××××××××××××.com> writes: |
| 3 |
> > reader@×××××××.com wrote: |
| 4 |
> >> I mean if |
| 5 |
> >> you connect it to any machine in the diagram or elsewhere wouldn't you |
| 6 |
> >> be exposing that machine to the unfiltered internet? |
| 7 |
> > |
| 8 |
> > I think that's the idea here - to see the difference between the two |
| 9 |
> > sides of the router. |
| 10 |
> |
| 11 |
> If that is the case then I guess I don't see how the quote below |
| 12 |
> applies. From Mick in his initial reply: |
| 13 |
> > A rather simpler solution to do this would be to get hold of hub, |
| 14 |
> > connect it to the firewall and watch everything that passes through |
| 15 |
> > it. |
| 16 |
|
| 17 |
Your network diagram in the previous post is exactly what I was thinking and |
| 18 |
proposing. What you are not showing is the link from your gentoo box to the |
| 19 |
hub. Then you capture that packets that flow through with a suitable |
| 20 |
application. Have a look at the penultimate diagram at the bottom of this |
| 21 |
page: |
| 22 |
|
| 23 |
http://www.mynetwatchman.com/pckidiot/ethernet.htm |
| 24 |
|
| 25 |
> I relize you are not who made the reply I quote above but: |
| 26 |
> |
| 27 |
> If you still have to come up with a hardened interface to the hub then |
| 28 |
> how is it simpler? |
| 29 |
|
| 30 |
I am not totally convince that a 'particularly' hardened interface is |
| 31 |
necessary. A second NIC with suitable firewall rules, or a virtual NIC on |
| 32 |
ntop should suffice for you to capture the packets flowing through the hub |
| 33 |
into a log file. You could even go as far as creating VLANs to seperate the |
| 34 |
two, but I am not sure that this is necessary. I mean it is not as if you |
| 35 |
are going to create a bridge between a trusted interface and this hub facing |
| 36 |
interface, right? Of course you would not be running e.g. tcpdump as root in |
| 37 |
real time so the risk of exposure (as I understand it in this context) is |
| 38 |
minimal, but others may want to comment. nprobe or fprobe could capture the |
| 39 |
packets both on the Gentoo machine and on a WinXP machine and save them on |
| 40 |
file(s), and/or send them to ntop as NetFlow . Perhaps others can comment |
| 41 |
further on similar suitable software and ways to set all this up. |
| 42 |
|
| 43 |
> Further, since the router is switched then you'd really need two hubs. |
| 44 |
> One on each side, if the aim were to compare what is coming and what is |
| 45 |
> getting thru. So we're getting further and futher away from `rather |
| 46 |
> simpler' |
| 47 |
|
| 48 |
Sure, you can add a second hub and so increase complexity, or use nprobe or |
| 49 |
the log files of the machines on the LAN side to see what actually gets |
| 50 |
through. I am not sure if you want to run this long term and automate all of |
| 51 |
this capture and reporting into graphical formats (e.g. using rddtool), set |
| 52 |
up a dedicated machine just for this purpose, or if you just want to test |
| 53 |
particular connections in an ad hoc fashion to see why/how particular |
| 54 |
connections behave. |
| 55 |
|
| 56 |
> Come up with the hardened interface and forget the hub[s]. As I said |
| 57 |
> my router offers to send all the bounced traffic to a designated DMZ. |
| 58 |
> |
| 59 |
> I am probably not interested enough right now to build up a whole |
| 60 |
> different machine to talk to the hub or be the DMZ. So if you are |
| 61 |
> pretty convinced doing it from a VMgentoo appliance running on one of |
| 62 |
> the win boxes then I'll probably just keep fiddling around with the |
| 63 |
> logs produced by the router. |
| 64 |
> ... Thanks |
| 65 |
|
| 66 |
I just saw the installation of vmware and the generation of a virtual image as |
| 67 |
more involved than what I suggest above. Using the raw logs from the router |
| 68 |
and filtering/sorting these through a spreadsheet would probably make them |
| 69 |
easier to read. Anyway, what ever works better/easier for you. |
| 70 |
-- |
| 71 |
Regards, |
| 72 |
Mick |
Archives