Snort mailing list archives

RE: firewalling snort machine


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Thu, 21 Feb 2002 16:58:33 -0500

To follow up the previous response, you WANT two interfaces.  If I can
find out the IP address of your sensor, I can attempt to interfere
and/or disable the system at that address.  Or, even worse, I can
attempt to flat out compromise the system!  So instead, we use a second
interface without an IP address, so that simply knocking down the box is
not an option for an attacker.  Then you use the other interface (with
an IP) on an unreachable, internal network for system management.

To answer your follow-up questions:

1) I would highly recommend that you rethink this.  It is generally
considered to be a VERY BAD practice to make your most critical security
systems available to the outside world.  You just don't do it.  Use an
internal interface for management.  Your sensor should never be visible,
in any fashion, to the outside world.  It should see without being seen.

2) You could, and it would not affect Snort's operation.  However, I
recommend that you read item 1.

Cheers

Keith
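As an added illustration, not from the thread, of the two-interface layout Keith describes on a Linux sensor: the sniffing interface is brought up with no address and IPv6 switched off (otherwise the kernel auto-assigns an fe80:: link-local address that answers neighbour discovery, which would give the sensor away on that segment), and a small check confirms it carries nothing. Interface names eth1 (sniff) and eth0 (management) and the snort.conf path are assumptions.

```shell
#!/bin/sh
# Assumed names: eth1 is the address-less sniffing interface, eth0 is the
# management interface on the internal network.
SNIFF_IF="${SNIFF_IF:-eth1}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Bring the sniffing interface up with no address at all: IPv4 flushed and
# IPv6 disabled so no fe80:: link-local address is assigned automatically.
configure_stealth_if() {
    iface="$1"
    sysctl -w "net.ipv6.conf.${iface}.disable_ipv6=1" >/dev/null
    ip addr flush dev "$iface"
    ip link set dev "$iface" up promisc on
}

# Count the addresses in `ip -o addr show` output read from stdin; each
# address is one line of the form "<idx>: <iface>    inet|inet6 ...".
count_addrs() {
    grep -c -E '^[0-9]+: [^ ]+ +inet6? ' || true
}

# Return 0 only if the interface carries neither an IPv4 nor an IPv6 address.
check_stealth_if() {
    n=$(ip -o addr show dev "$1" | count_addrs)
    [ "$n" -eq 0 ]
}

# Start Snort bound to the sniffing interface only (-i and -c are standard
# Snort options); management traffic such as HTTPS stays on eth0.
start_sensor() {
    check_stealth_if "$SNIFF_IF" || {
        echo "refusing to start: $SNIFF_IF has an address" >&2
        return 1
    }
    snort -i "$SNIFF_IF" -c "$SNORT_CONF"
}

# Typical use, run as root:
#   configure_stealth_if "$SNIFF_IF" && start_sensor
```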

-----Original Message-----
From: Basil Saragoza [mailto:snortlst () hotmail com]
Sent: Thursday, February 21, 2002 4:36 PM
To: Erek Adams
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] firewalling snort machine


Maybe I miss something here, but:
1. I want to be able to connect to that machine over the internet via
https.
2. Why can't I just firewall it and leave only 443 open?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users