IDS mailing list archives
RE: IDS interface setup
From: Paul Schmehl <pauls () utdallas edu>
Date: 03 Apr 2003 16:17:49 -0600
On Thu, 2003-04-03 at 09:18, Miller, Joe wrote:
In the process of setting up an IDS box in the DMZ. The box has 3 interfaces. 2 interfaces are to run in promiscuous mode, 1 interface is to be used for management (non-promiscuous mode). The DMZ is sandwiched between firewalls.

Question: What would be more secure, putting the management interface on the internal VLAN, or the DMZ VLAN?
Flip a coin. Seriously. There are good arguments for either arrangement, and the most critical feature is how you configure the host anyway.

Shut down *everything*. You shouldn't even need inetd running. No rpc, no portmap, no nfs services, no autofs, no rawdevices, etc., etc. (Some of these obviously depend on what OS you're running.) All you need to run is the sensor, sshd, a firewall and tcpwrappers. Lock down the mgmt interface with the firewall. It doesn't even need to respond to pings. And protect sshd with tcpwrappers.

I don't think you need to worry about the promiscuous interfaces. If someone can hack a box through those, it wouldn't matter what defenses you have in place. They're too good to be deterred.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
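The hardening Paul describes (nothing listening but sshd, the management interface locked down by a host firewall that ignores pings, sshd additionally wrapped with tcp_wrappers) as an added shell example; this is not code from the original thread. The interface name, the admin subnet, the choice of iptables and tcp_wrappers, and the listener tables fed to the audit function are all assumptions constructed for the example, so adjust them to the sensor's actual OS before use.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: the management
# NIC is eth0 and administrators connect from 10.0.0.0/24. Override both via
# the environment (MGMT_IF=... MGMT_NET=... sh thisfile.sh).

MGMT_IF="${MGMT_IF:-eth0}"            # assumed management interface
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"   # assumed admin network allowed to ssh in

# Print (rather than apply, so it can be reviewed first) an iptables policy
# for the management interface: default drop, replies to the sensor's own
# connections, new ssh sessions only from the admin network, and no answer
# to ping. Everything else arriving on the management NIC is dropped.
mgmt_firewall_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $MGMT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $MGMT_IF -p tcp -s $MGMT_NET --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $MGMT_IF -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i $MGMT_IF -j DROP
EOF
}

# Second layer behind the firewall: tcp_wrappers so that sshd itself refuses
# any source outside the admin network even if a firewall rule is lost.
tcpwrappers_config() {
    printf '/etc/hosts.allow:\nsshd: %s\n\n/etc/hosts.deny:\nALL: ALL\n' "$MGMT_NET"
}

# Audit the listening sockets. Input: lines of "proto local_address program"
# (the columns you would pull from netstat -lntup or ss -lntup). Prints every
# listener that is not sshd and returns 1; returns 0 when only sshd listens.
audit_listeners() {
    unexpected=$(printf '%s\n' "$1" | awk '$1 != "" && $3 !~ /sshd/ { print }')
    if [ -n "$unexpected" ]; then
        printf 'Unexpected listeners:\n%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Constructed sample listener tables (not captured from a real host).
SAMPLE_CLEAN="tcp 0.0.0.0:22 sshd"
SAMPLE_DIRTY="tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:111 portmap
udp 0.0.0.0:2049 nfsd"

# Stand-alone run: show the generated policy and audit the dirty sample.
demo() {
    mgmt_firewall_rules
    echo
    tcpwrappers_config
    echo
    audit_listeners "$SAMPLE_DIRTY" || echo "=> shut these down before the sensor goes live"
    return 0
}
demo
```

The audit deliberately treats anything other than sshd as a finding, which matches the "shut down everything" rule above: portmap, nfsd and the like have no business on a sensor, and a listener you did not expect is the first thing to explain after a compromise.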