I didn't realize that you could actually send Wireshark data which it might be able to intercept and process. I don't want to take any chances and it sounded hazy. Your reply tells me that while it's OK and can be done, it's still not a good idea. I could use another interface on the firewall but that's getting into unneeded complexities. I think I'll just monitor from inside and use outside only when watching in real time.
Thanks for your input on this.
Mike
On Wed, 19 May 2010 22:11:07 +0200, Marc Luethi wrote:
> On Wed, 2010-05-19 at 14:05 -0500, mike@xxxxxxxxxxxx wrote:
>
>> It was suggested that I take all protocols off of Nic1 which would make
>> it safe to have on the public side.
>>
> Definitely. That NIC should be as "quiet" as possible, if at all
> possible even completely passive.
>
>
>> What I'm looking for is input on just how safe this setup is.
>>
> As long as the interface is completely passive, has no IP address and no
> services/listeners bound to it, it's a safe start.
>
> However, Wireshark is a piece of software that processes any data flow
> to and from your firewall, and its protocol dissectors are not immune to
> attacks:
>
> http://www.wireshark.org/security/
>
> I do not mean to bash Wireshark or anything, it is truly one great piece
> of software, that helped my employer a great deal (even saved us from
> the Spanish inqui... er... the FSA once). But as with all software, bugs
> are there, buffer overflows can happen...
>
> If I were your security officer, I would support this setup only if the
> capturing system's "inside" interface was moved into a DMZ and Wireshark
> was used by some form of remote desktop functionality.
>
>
> regards
>
> Marc
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
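An added example, not code from either poster, of what Marc's "quiet" capture NIC looks like on a Linux host: the interface is stripped of addresses, ARP and IPv6 autoconfiguration, and the result is checked from `ip` output. The interface name eth1 is assumed; adjust CAP_IF to the real capture NIC.

```shell
#!/bin/sh
# Added example: make a dedicated capture NIC passive and verify it.
# Interface name is an assumption; override with CAP_IF=<name>.
CAP_IF="${CAP_IF:-eth1}"

# Apply the settings (requires root, Linux iproute2 and sysctl):
# no IPv4/IPv6 address, no IPv6 autoconf, no ARP, no multicast,
# promiscuous so the capture still sees all frames on the wire.
make_passive() {
    ip addr flush dev "$1"
    sysctl -w "net.ipv6.conf.$1.disable_ipv6=1" >/dev/null
    sysctl -w "net.ipv6.conf.$1.autoconf=0" >/dev/null
    ip link set dev "$1" arp off multicast off promisc on up
}

# Check 1: the output of `ip -o addr show dev IFACE` must contain no
# inet/inet6 line at all (a link-local fe80:: address would be enough
# for a neighbour to talk to the host). Returns 0 when quiet.
addr_output_is_quiet() {
    ! printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# Check 2: the output of `ip -o link show dev IFACE` must carry the
# NOARP and PROMISC flags and must not carry MULTICAST. Returns 0 when quiet.
link_output_is_quiet() {
    printf '%s\n' "$1" | grep -q 'NOARP' &&
    printf '%s\n' "$1" | grep -q 'PROMISC' &&
    ! printf '%s\n' "$1" | grep -q 'MULTICAST'
}

# Run both checks against the live interface; prints a verdict and
# returns 0 only when the NIC has no address and the expected flags.
check_passive() {
    addr_output_is_quiet "$(ip -o addr show dev "$1")" ||
        { echo "$1 still carries an address"; return 1; }
    link_output_is_quiet "$(ip -o link show dev "$1")" ||
        { echo "$1 flags are not NOARP/PROMISC without MULTICAST"; return 1; }
    echo "$1 is passive: no address, no ARP, no multicast, promisc on"
}

# Usage (as root): make_passive "$CAP_IF" && check_passive "$CAP_IF"
# The dissector risk Marc describes remains: capture here with dumpcap
# to a file and open it in Wireshark on the inside, not on this host.
```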