Snort mailing list archives
Re: firewalling snort machine
From: "Basil Saragoza" <snortlst () hotmail com>
Date: Fri, 22 Feb 2002 13:21:09 -0500
Well, I already started with 2 NICs... just one more question - if I don't use an R/O cable, then connections can't be established to an IP-less NIC anyway and I'm secure, right? (Isn't it a bit too paranoid to use an R/O cable?)

----- Original Message -----
From: "Erek Adams" <erek () theadamsfamily net>
To: "Salisko, Rick" <SaliskoR () ottawapolice ca>
Cc: "'McCammon, Keith'" <Keith.McCammon () eadvancemed com>; "Basil Saragoza" <snortlst () hotmail com>; <snort-users () lists sourceforge net>
Sent: Friday, February 22, 2002 1:07 PM
Subject: RE: [Snort-users] firewalling snort machine

On Fri, 22 Feb 2002, Salisko, Rick wrote:

> I have tried to get around a similar problem in the past by setting the
> default gateway of the sensor to the firewall external interface, which, of
> course, is set to deny all such packets. Each time a packet (scan or
> otherwise) is directed to the sensor IP address, any response it sends is
> sent to the firewall, which reports it as a packet forwarding attack. Other
> than opening the sensor to a DOS type attack, can anybody see any other
> blatant holes in this technique?

*puts on his Devil's Advocate hat*

Ok.... Lessee...

* Depends on how your firewall responds. RST or Drop?
* If your firewall is ever 0wned, then so is your sensor. But at that point, who cares--you're hosed.
* Extra load on firewall. Using an R/O cable and 2 NICs, you don't have to worry about even firewalling the box.
* Single point of failure. If the firewall goes, so does your sensor. But that could also be a moot point.
* You only see what the firewall passes. You don't see what's hitting the DMZ/Outside. And if you think your users can't get around your firewall....
* Do you trust your firewall admins? (In many companies they aren't the same as the IDS folks.)

Again, those are the reasons that I would be paranoid about it. But then again, YOU are out to get me, aren't you? ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
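The "IP-less sniffing NIC" the thread settles on is easy to get subtly wrong on a modern Linux host: an interface brought up with no IPv4 address still receives an IPv6 link-local address by default, and it still answers ARP, so it is reachable on its segment after all. The script below is an added example, not code from anyone in this thread. It assumes a Linux sensor with iproute2, a sniffing interface whose name is given in SNIFF_IF (eth1 is an assumed placeholder), and root privileges when the settings are actually applied; the verification helper parses the one-line output of `ip -o addr show` and can be exercised on its own.

```bash
#!/bin/sh
# Added example (not from the Snort-users thread): bring up a sniffing NIC
# with no layer-3 identity and verify that it really has no address left,
# including the IPv6 link-local address the kernel would add by itself.

# Assumed interface name; override with SNIFF_IF=ethN in the environment.
SNIFF_IF="${SNIFF_IF:-eth1}"

# has_address OUTPUT
#   Return 0 if OUTPUT (text in the format of `ip -o addr show dev <if>`)
#   contains any IPv4 ("inet") or IPv6 ("inet6") address line, 1 otherwise.
#   The link line ("link/ether ...") that some iproute2 versions print in
#   one-line mode does not count as an address.
has_address() {
    printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# configure_sniff_if
#   Strip every address from the sniffing interface, keep the kernel from
#   auto-configuring IPv6 on it, bring it up in promiscuous mode with ARP
#   disabled (so it neither claims nor answers for any address), and then
#   refuse to report success if an address somehow survived.
configure_sniff_if() {
    # Must come before `ip link set ... up`, or a link-local address appears.
    sysctl -w "net.ipv6.conf.${SNIFF_IF}.disable_ipv6=1" >/dev/null
    ip addr flush dev "$SNIFF_IF"
    ip link set dev "$SNIFF_IF" up promisc on arp off
    if has_address "$(ip -o addr show dev "$SNIFF_IF")"; then
        echo "refusing: $SNIFF_IF still carries an address" >&2
        return 1
    fi
    echo "$SNIFF_IF is up, promiscuous, and has no IP address"
}

# Apply only when explicitly requested, so sourcing the file for its
# helper functions (or running the checks) needs neither root nor a NIC.
if [ "${SNIFF_APPLY:-0}" = 1 ]; then
    configure_sniff_if
fi
```

Run it as root with `SNIFF_APPLY=1 SNIFF_IF=eth1 sh sniff-if.sh` on the sensor. Note that this only stops the host from having an address to talk to; the card itself can still transmit if software on the box chooses to (active responses, for instance), which is the residual risk the receive-only cable removes and the reason some people consider it worth the trouble.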