Wireshark-users: Re: [Wireshark-users] One NIC on public side

Date: Wed, 19 May 2010 16:28:06 -0500
I didn't realize that you could actually send Wireshark data which it might be able to intercept and process. I don't want to take any chances and it sounded hazy. Your reply tells me that while it's OK, can be done, still not a good idea. I could use another interface on the firewall but that's getting into unneeded complexities. I think I'll just monitor from inside and use outside only when watching real time.

Thanks for your input on this.

Mike


On Wed, 19 May 2010 22:11:07 +0200, Marc Luethi wrote:
> On Wed, 2010-05-19 at 14:05 -0500, mike@xxxxxxxxxxxx wrote:
> 
>> It was suggested that I take all protocols off of Nic1 which would make
>> it safe to have on the public side.
>> 
> Definitely. That NIC should be as "quiet" as possible, if anyhow
> possible even completely passive.
> 
> 
>> What I'm looking for is input on just how safe this setup is.
>> 
> As long as the Interface is completely passive, has no IP address and no
> services/listeners bound to it, it's a safe start.
> 
> However, Wireshark is a piece of software that processes any data flow
> to and from your firewall, and its protocol dissectors are not immune to
> attacks:
> 
> http://www.wireshark.org/security/
> 
> I do not mean to bash Wireshark or anything, it is truly one great piece
> of software, that helped my employer a great deal (even saved us from
> the Spanish inqui... er... the FSA once). But as with all software, bugs
> are there, buffer overflows can happen...
> 
> If I were your security officer, I would support this setup only if the
> capturing system's "inside" interface was moved into a DMZ and Wireshark
> was used by some form of remote desktop functionality.
> 
> 
> regards
> 
> Marc
> 
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
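
Added example, not part of the thread or of Wireshark: one way to check the "no IP address and no services/listeners bound to it" condition from Marc's reply. It assumes a Linux capture host (the thread does not name the OS) and parses the output of `ip -o addr show` and `ss -H -lntu`; the interface names, addresses and sample output are constructed.

```python
import ipaddress

# Constructed sample output of `ip -o addr show` (not from the thread).
IP_ADDR_SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \\       valid_lft forever preferred_lft forever
"""

# Constructed sample output of `ss -H -lntu` (listening TCP/UDP sockets).
SS_SAMPLE = """\
tcp   LISTEN 0      128        10.0.0.5:22         0.0.0.0:*
tcp   LISTEN 0      128            [::]:3389          [::]:*
udp   UNCONN 0      0      [fe80::a00:27ff:fe4e:66a1]%eth1:546   [::]:*
"""

def iface_addresses(ip_output, iface):
    """Return every IPv4/IPv6 address assigned to iface, link-local included."""
    addrs = []
    for line in ip_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == iface and f[2] in ("inet", "inet6"):
            addrs.append(ipaddress.ip_interface(f[3]).ip)
    return addrs

def listeners(ss_output):
    """Yield (host, zone, port) for each listening socket."""
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        host, _, port = f[4].rpartition(":")
        host, _, zone = host.partition("%")
        yield host.strip("[]"), zone, port

def audit(iface, ip_output, ss_output):
    """List the reasons iface is not passive; an empty list means passive."""
    addrs = iface_addresses(ip_output, iface)
    findings = [f"address {a} on {iface}" for a in addrs]
    for host, zone, port in listeners(ss_output):
        wildcard = host in ("*", "0.0.0.0", "::")
        bound = zone == iface or (not wildcard and ipaddress.ip_address(host) in addrs)
        # A wildcard listener is only reachable over IP if the NIC has an address.
        if bound or (wildcard and addrs):
            findings.append(f"listener {host}:{port} reachable via {iface}")
    return findings
```

In the sample, `eth1` carries only an automatically assigned IPv6 link-local address, which is enough to make it non-passive and to expose wildcard listeners through it.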