Snort mailing list archives
Re: Snort-Machine = Security Hole?
From: barre <barre () chello be>
Date: Fri, 12 Jul 2002 06:09:13 +0200
Hello,

What I would do first of all is place the one-way UTP cable. Maybe it isn't nice, but it might be secure ...

Configure ipfilter and iptables on the management interface and on the sniffing interface as well. Only accept connections to your SQL server from your Snort machine. Only allow incoming SSH to your Snort box from your administrative station.

You could also manage the box with a serial cable, connected to another machine.

barre

Ramin Alidousti wrote:
On Wed, Jul 11, 2001 at 01:39:21PM +0200, Thorsten Ziegler wrote:

Hi out there...

During the last days I've intensively explored Snort and its features, and then recognized a problem for which I was not able to find any existing solution...

Given the location of a Snort box between the border router and the outer firewall, I'm aware of the security risk such a machine is creating according to the local security policy, so I decided to use the sentry-cd package and to create a diskless sniffer station, so it's hard to compromise the machine. The next step was removing the IP of the machine (it was a private IP out of the transfer net between the router and the outer firewall).

So now I'm having the problem of how to bring the logging information back to my logging server: a second NIC with a connection to the logging server would make the whole use of the firewall obsolete, a direct link around the firewall, damnit. I'm not trusting the fact that the machine isn't reachable from the outside without an IP... but what possibilities do I have?

At first I was thinking of syslog UDP packets one way through the firewall, a less far-reaching security risk than opening an interactive TCP session through the firewall. But now I'm having the problem that syslog messages are kinda useless if I'm trying to figure out whether there's a false or a true security breach: I need the whole packet dump, but logging to a MySQL database would require the establishment of an interactive TCP session from outside our firewall, and I'm not glad about this idea.

How did you solve this problem?

Maybe: second NIC, with IPSec on both the Snort and the syslog/mysql machines, through the firewall.

Ramin

I've also created a one-way UTP cable, but that doesn't look very nice in the corporate switchboard... Any suggestions are welcome..

Greetings, ZiG
--
Security by obscurity

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
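What barre's advice looks like as an actual packet filter, as an added example that is not from the post or from the Snort project: a default-deny iptables policy for a sensor that sniffs on one NIC without an IP address and is managed over a second NIC, plus the matching rule on the MySQL logging server. The interface names and addresses (eth0, eth1, 10.0.0.x) are hypothetical placeholders; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from barre's post or the Snort project: a default-deny
# iptables policy for a Snort sensor that sniffs on one NIC (no IP address)
# and is managed over a second NIC, plus the matching rule on the SQL server.
# Interface names and addresses below are hypothetical placeholders.
MGMT_IF="${MGMT_IF:-eth0}"          # management NIC, carries the sensor's only IP
SNIFF_IF="${SNIFF_IF:-eth1}"        # sniffing NIC, configured without an IP
SENSOR_IP="${SENSOR_IP:-10.0.0.5}"  # sensor's management address
ADMIN_IP="${ADMIN_IP:-10.0.0.10}"   # administrative station allowed to ssh in
SQL_IP="${SQL_IP:-10.0.0.20}"       # MySQL logging server
IPT="${IPT:-iptables}"              # set IPT=echo to print rules instead of loading them

# Rules for the sensor itself.
sensor_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # The sniffing NIC never sends or accepts anything. Snort still sees every
    # frame on it: libpcap reads from the device before netfilter's INPUT chain.
    $IPT -A INPUT  -i "$SNIFF_IF" -j DROP
    $IPT -A OUTPUT -o "$SNIFF_IF" -j DROP

    # ssh in, only from the administrative station.
    $IPT -A INPUT  -i "$MGMT_IF" -p tcp -s "$ADMIN_IP" -d "$SENSOR_IP" --dport 22 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$MGMT_IF" -p tcp -s "$SENSOR_IP" -d "$ADMIN_IP" --sport 22 \
         -m state --state ESTABLISHED -j ACCEPT

    # MySQL logging: the sensor opens the connection, the server only answers.
    $IPT -A OUTPUT -o "$MGMT_IF" -p tcp -s "$SENSOR_IP" -d "$SQL_IP" --dport 3306 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -i "$MGMT_IF" -p tcp -s "$SQL_IP" -d "$SENSOR_IP" --sport 3306 \
         -m state --state ESTABLISHED -j ACCEPT
}

# Rule for the MySQL logging server: port 3306 is reachable from the sensor only.
sql_server_rules() {
    $IPT -A INPUT -p tcp -s "$SENSOR_IP" --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 3306 -j DROP
}

# Usage: IPT=echo ./sensor-fw.sh sensor   (dry run, prints the rules)
#        ./sensor-fw.sh sql               (on the logging server, as root)
case "${1:-}" in
    sensor) sensor_rules ;;
    sql)    sql_server_rules ;;
    *)      echo "usage: $0 sensor|sql  (set IPT=echo for a dry run)" >&2 ;;
esac
```

The point of the two-NIC split is that nothing can be addressed to the sensor through the sniffing side at all, and on the management side only two flows exist: SSH that the admin station initiates, and the MySQL session that the sensor initiates. The server-side rule is what keeps a compromised host elsewhere on the management net from talking to the database. The `-m state` match is the old name for the connection-tracking match; on current kernels `-m conntrack --ctstate` does the same thing.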
Current thread:
- Snort-Machine = Security Hole? Thorsten Ziegler (Jul 11)
- Re: Snort-Machine = Security Hole? Ramin Alidousti (Jul 11)
- Re: Snort-Machine = Security Hole? barre (Jul 11)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- Re: Snort-Machine = Security Hole? Dan Hollis (Jul 12)
- <Possible follow-ups>
- RE: Snort-Machine = Security Hole? Crow, Owen (Jul 12)
- Snort-Machine = Security Hole? Davis, Scott (Jul 12)
- RE: Snort-Machine = Security Hole? Burleson, Lee (IA) (Jul 12)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- RE: Snort-Machine = Security Hole? ks (Jul 12)
- RE: Snort-Machine = Security Hole? Andreas Steinmetz (Jul 13)
- RE: Snort-Machine = Security Hole? Robert D. Hughes (Jul 13)
- RE: Snort-Machine = Security Hole? Dan Hollis (Jul 13)
(Thread continues...)