Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Snort and ipchains

From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 08 Jan 2003 11:38:21 -0500
At 03:17 PM 1/7/2003 -0600, you wrote:
I, for one, am on the 'every little bit helps' list. Any device may fail/be exploited/be misconfigured. Its all about layers. If I'm going to have snort alert, why not have it interfere also? Obviously I plan on thinking worst case and configure all devices accordingly (so they might last ten seconds if there were no firewall at all), but for the price why not try and leverage snort also?
Actually, your reasoning is exactly why I oppose letting snort modify the firewall... "any device may fail/be exploited/be misconfigured" includes my snort box. I favor isolating the failure of the two systems (the snort box and the firewall box) so that a failure or exploit of one does not imply failure of both. auto-configuring a firewall from a snort box means that should the snort box be exploited, it's game-over for your firewall, since the snort box has the power to reconfigure the firewall and the attacker can now just re-do it as a "wide-open".
It's all about layers... isolated layers that fail independently and not in giant cascades, but that's really a matter of different security philosophies.
There's also an argument that "if you know about an attack and can detect it, you should already be immune" but I tend not to favor that argument against auto-firewall-snort setups. Let's face it, most attackers tend to use a variety of attacks and may start off with some common old attacks before trying fancy stuff. Blocking them off as soon as they try anything is worthwhile in protecting you against the "fancy stuff".
I guess the "best" case is to have a fixed-config firewall out front, with an inline-snort box behind it doing dynamic blocking on a second firewall. This way the firewall on the snort box is only an "extra" layer that is not a single-point-of-failure for your networks firewall. I can definitely see the "every bit helps" argument if you have the resources to set up a dual-firewall environment.
I'd certainly make sure there's some very careful consideration of what happens to your network if the snort box is hacked, and make sure it remains secure even if that box is exploited. I prefer to be able to prove that hacking it is impossible or worthless (ie: if the snort box cannot send data to any network because it's only connected by a one-way-tap, exploiting it is most likely impossible, the best you could likely do is a DoS of some form that only affects the snort box.) 







-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: