Snort mailing list archives
Re: Snort-Machine = Security Hole?
From: Ramin Alidousti <ramin () cannon eng us uu net>
Date: Wed, 11 Jul 2001 10:13:28 -0400
On Wed, Jul 11, 2001 at 01:39:21PM +0200, Thorsten Ziegler wrote:
Hi out there... during the last days, i've intensively explored snort and it's features - and then recognized problem i was not able to find any existing solutions... Given the location of a snort-box between the boarder router and the outer firewall - i'm aware of the security risk such a machine is creating according to the local security policy - so i decided to use the sentry-cd package and to create a diskless sniffer-station - so it's hard to compromise the machine. Next step was removing the IP of the machine (it was an private IP out of the transfer net between the router and the outer firewall). So now i'm having the problem how to bring the logging-information back in to my logging server - a second nic with a connection to the logging-server would make the cole use of the firewall obsolete - a direct link around the firewall, damnit. I'm not trusting the fact that the machine isn't able to reach from the outside without an IP... but what possibilities do i have? At first, i was thinking of syxslog-udp packets one way thorugh the firewall, a security risk less far then opening an interactive tcp-session through the firewall. But now i'm having the problem, that syslog.messages are kinda useless if i'm trying to figure out if there's an false or true security breach: i'm needing the hole packet dump - but logging to an mysql would require the establishment of an interactive TCP session from outside our firewall - i'm not glad about this idea. How did you solve this problem?
Maybe: Second nic, with IPSec on both the snort and syslog/mysql, through the firewall. Ramin
I've also created an one-way utp-cable, but that doesn't look very nice in the corporate switchboard... Any suggestions are welcome.. Greetings, ZiG -- Security by obscurity
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort-Machine = Security Hole? Thorsten Ziegler (Jul 11)
- Re: Snort-Machine = Security Hole? Ramin Alidousti (Jul 11)
- Re: Snort-Machine = Security Hole? barre (Jul 11)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- Re: Snort-Machine = Security Hole? Dan Hollis (Jul 12)
- <Possible follow-ups>
- RE: Snort-Machine = Security Hole? Crow, Owen (Jul 12)
- Snort-Machine = Security Hole? Davis, Scott (Jul 12)
- RE: Snort-Machine = Security Hole? Burleson, Lee (IA) (Jul 12)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- RE: Snort-Machine = Security Hole? ks (Jul 12)
- RE: Snort-Machine = Security Hole? Andreas Steinmetz (Jul 13)
- RE: Snort-Machine = Security Hole? Robert D. Hughes (Jul 13)
(Thread continues...)
- Re: Snort-Machine = Security Hole? Ramin Alidousti (Jul 11)