Snort mailing list archives
Re: firewalling snort machine
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 22 Feb 2002 10:40:13 -0800 (PST)
On Fri, 22 Feb 2002, Basil Saragoza wrote:
> Well, I already started with 2 NICs... just one more question - If I don't use an R/O cable, then connections can't be established to the IP-less NIC anyway and I'm secure, right? (Isn't it a bit too paranoid to use an R/O cable?)
Paranoia is just that. Taking things to the extreme "just in case." For me, the R/O cable is a 'normal' or 'standard'. The following snippet gives most of my reasons:
BUT--Just to be overly paranoid, use a R/O cable on the connection that doesn't have an IP. Just because there isn't a way to exploit it that is currently known, does _not_ mean there isn't one. Consider this: Standard OSI model has 7 layers. IP is Layer 3, physical is Layer 1. If you stop them at Layer 1, there's even less risk than ever.
Once you start to play with ARP spoofing and MITM attacks, you realize how INSECURE the lower OSI layers are. At layer 2 there is almost no way to verify who sent what. ARP is at layer 2.... I could ARP your snort box if I was on the same wire. Then I would know something is there with an IP-less interface. Then I could start an ARP spoof against it once I was able to obtain its MAC. Now I get all packets that it's supposed to get/see, and then I could pass them on to it as I see fit. But no one would ever do something that evil now, would they? ;-)

Hey, when you've lived less than a mile from the NSA at Ft. Meade and then see "Enemy of the State" you just become a _tiny_ bit more paranoid. ;-)

If it's a management reason for not using the R/O cable, explain that the cable would cost about $10-$20 USD to make. Then compare that to the value of "Company Secrets". I'd guess that the "Company Secrets" are worth a bit more...

Again, use what _works_ for _you_! These are my opinions, and nothing more.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
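The layer-2 attack Erek sketches above (a second host answering ARP for an IP that already belongs to someone else, so traffic is redirected through the attacker) is exactly what a passive ARP monitor on the sniffing box can flag. The following is an added example, not code from the post or from Snort itself: it parses raw Ethernet/ARP frames, keeps an IP-to-MAC table, and raises an alert when an IP it has already seen shows up with a different sender MAC. The MAC and IP addresses and the frames are constructed sample data for the example; the `ArpSpoofDetector` and `build_arp` names are this example's own.

```python
"""Minimal ARP-poisoning detector over raw frames (added example, not from the original post)."""
import struct
from typing import Dict, List, Optional, Tuple

# Ethernet II header: dst MAC, src MAC, EtherType (network byte order).
ETH_HDR = struct.Struct("!6s6sH")
# ARP for Ethernet/IPv4: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa.
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) or None if not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet (1) over IPv4 (0x0800) is handled here
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


class ArpSpoofDetector:
    """Tracks sender IP -> sender MAC bindings; a binding change is the poisoning signature."""

    def __init__(self, known: Optional[Dict[str, str]] = None) -> None:
        self.table: Dict[str, str] = dict(known or {})  # optionally pre-seed trusted bindings
        self.alerts: List[str] = []

    def feed(self, frame: bytes) -> Optional[str]:
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, sha, spa, _tha, _tpa = parsed
        # Both requests and replies carry a sender binding, so both can poison a cache.
        prev = self.table.get(spa)
        if prev is None:
            self.table[spa] = sha  # first sighting: learn it
            return None
        if prev != sha:
            alert = f"ARP binding change for {spa}: {prev} -> {sha} (opcode {op})"
            self.alerts.append(alert)
            return alert
        return None


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str, dst_mac: bytes = b"\xff" * 6) -> bytes:
    """Construct a raw Ethernet/ARP frame; used only to fabricate sample traffic for this example."""
    sha_b = bytes.fromhex(sha.replace(":", ""))
    tha_b = bytes.fromhex(tha.replace(":", ""))
    spa_b = bytes(int(x) for x in spa.split("."))
    tpa_b = bytes(int(x) for x in tpa.split("."))
    eth = ETH_HDR.pack(dst_mac, sha_b, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, sha_b, spa_b, tha_b, tpa_b)
    return eth + arp


def demo() -> List[str]:
    """Legitimate gateway reply, then a forged reply claiming the gateway's IP (constructed addresses)."""
    gateway_ip, gateway_mac = "10.0.0.1", "00:11:22:33:44:55"
    victim_ip, victim_mac = "10.0.0.50", "66:77:88:99:aa:bb"
    attacker_mac = "de:ad:be:ef:00:01"
    det = ArpSpoofDetector()
    det.feed(build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip))
    det.feed(build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip))
    return det.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real sensor the frames would come from a promiscuous-mode socket on the IP-less interface; the first-seen binding is trusted here, so seed `known` from a static inventory where you can, and treat a burst of binding changes for the default gateway as the high-priority case.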
Current thread:
- Re: firewalling snort machine, (continued)
- Re: firewalling snort machine Erek Adams (Feb 21)
- Re: firewalling snort machine dr . kaos (Feb 22)
- RE: firewalling snort machine Sean T. Ballard (Feb 21)
- Re: firewalling snort machine Basil Saragoza (Feb 21)
- Re: firewalling snort machine Saad Kadhi (Feb 21)
- Re: firewalling snort machine Basil Saragoza (Feb 21)
- RE: firewalling snort machine McCammon, Keith (Feb 21)
- RE: firewalling snort machine Semerjian, Ohanes (Feb 21)
- RE: firewalling snort machine Salisko, Rick (Feb 22)
- RE: firewalling snort machine Erek Adams (Feb 22)
- Re: firewalling snort machine Basil Saragoza (Feb 22)
- Re: firewalling snort machine Erek Adams (Feb 22)
- RE: firewalling snort machine Erek Adams (Feb 22)
- RE: firewalling snort machine McCammon, Keith (Feb 22)
- Re: firewalling snort machine Erek Adams (Feb 22)
- RE: firewalling snort machine Salisko, Rick (Feb 25)