Snort mailing list archives
Re: Snort with three interfaces attached to diferent network segment
From: Bennett Todd <bet () rahul net>
Date: Wed, 18 Jun 2003 15:38:29 -0400
2003-06-18T14:02:53 artiman () cable net co:
I just have one machine to monitor the activity on three different network segments (Redhat 9), so I plan to install 3 NICs on the snort machine, set up the interfaces in promiscuous mode without IP information and start to listen on each segment, [...]
Not too atypical a setup. Many of us would have N+1 interfaces, so we could have a numbered interface for remote management and for emitting alerts; this one might live on a fairly tightly secured admin LAN segment in the firewall plant.
[...] I'm kinda worried about the security implications because I'm creating a physical path between the Internet, DMZ and MZ zones, so in theory there is a small probability of bypassing the firewall using the snort machine.
Yup. Snort has had security problems in previous versions, which might have been in principle exploitable (I don't know if any of 'em ever got exploits actually coded and used in the wild), and if an attacker could (a) craft an exploit, (b) arrange to deliver it across one of your snorting interfaces, and (c) have the payload either set up a remote-control connection of some sort back, or mount additional attacks outbound, your scenario would come to pass. Linux's routing code won't route packets out an unnumbered interface, but in theory the payload could include libnet or something like it to send packets out a raw interface bypassing the normal OS networking code.
Can somebody explain what the risk is that I'm facing using this architecture? How can I make sure 100% that Linux will not route packets between different segments? In which ways can a hacker exploit my network???
Many of us would rate this risk as quite low, since a successful breach would require a pretty big payload, but the possibility can't be ruled out in theory. The risk can be further lowered by making sure you use some appropriate software configuration management strategy --- I favour rpm packaging myself --- to simplify automating updating your software, and aggressively tracking and deploying security bugfixes; as long as such bugs are discovered by whitehats and fixes shipped before exploits make it into the wild, you can avoid getting burgled.

But if you want to reduce the risk right down to zero, 100% perfect guaranteed security, the choice I'd recommend is network taps. There are many vendors, I haven't heard anybody say anything bad about any of 'em, I've personally worked with Netoptics gear, and been pleased both by their product and by their support. Taps aren't that expensive, and they make it truly impossible for a compromised piggie to send packets back out onto these DMZs you're touching.

Other hacks could make such an exploit harder to the point of being completely improbable; e.g. a modification to the kernel to prohibit sending over these interfaces. This would require an additional level of work for an exploiter to get around the barrier. Combine that with running snort as a non-root user, and you'll force the attacker's exploit payload to exploit some local root bug to escalate privs enough to then bypass your OS mod. Chroot the snort and that's vastly harder, if not impossible. Strip suid bits off every program on the system and ensure that no files outside snort's logdir are writeable by snort and it's starting to sound pretty nearly impossible that an exploit could bypass a modified kernel that wasn't willing to send packets. But a kernel is a complex beast, and so is a snort.

It's easy to get close enough for any context I can imagine with software tweaks and config details, but I can't see making a guarantee that it's really 100% perfectly impossible to break across the snort box from one DMZ to another without external help. Taps are simple, and that's why they can achieve a higher level of trust.

-Bennett
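The software-side hardening Bennett lists (no IP forwarding, unnumbered sniffing interfaces, snort dropped to a non-root user in a chroot, no suid binaries, and a filter refusing to send on the sniffing interfaces) can be scripted and audited. The script below is an added example written for this page, not code from the thread or from the Snort project. The interface names eth1/eth2/eth3, the `snort` user and group, the chroot and log directories, and the sample `ip -o addr` output are all constructed for illustration; the snort flags `-u`, `-g`, `-t`, `-i`, `-c`, `-l` and `-D` are real Snort 2.x options.

```shell
#!/bin/sh
# Added example: audit and apply helpers for a multi-homed Linux snort sensor.
# Interface names, user/group, paths and the sample output are assumptions.

# Constructed sample of "ip -o addr" output: eth0 is the management interface,
# eth2 has (wrongly) been given an address, eth1 and eth3 are unnumbered.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
4: eth2    inet 10.0.0.5/24 scope global eth2'

# Check 1: kernel IP forwarding must be off.  The path is a parameter so the
# check can also run against a copied or constructed file.
forwarding_disabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = "0" ]
}

# Check 2: no sniffing interface carries an inet/inet6 address.
# $1 = space-separated sniffing interfaces, $2 = text of "ip -o addr".
addressed_ifaces() {
    printf '%s\n' "$1" | awk '$3 == "inet" || $3 == "inet6" { print $2 }' | sort -u
}
sniff_ifaces_unnumbered() {
    for i in $1; do
        if addressed_ifaces "$2" | grep -qx "$i"; then
            return 1          # a sniffing interface is numbered: misconfigured
        fi
    done
    return 0
}

# Check 3: list setuid/setgid files under a directory (ideally none).
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Emit netfilter rules that refuse IP traffic in, out and through each
# sniffing interface.  libpcap still sees the frames (it taps below
# netfilter).  Caveat from the thread: an AF_PACKET/libnet raw send also
# bypasses netfilter, so this narrows the path but is not a tap.
sniff_iface_rules() {
    for i in "$@"; do
        echo "iptables -A INPUT -i $i -j DROP"
        echo "iptables -A OUTPUT -o $i -j DROP"
        echo "iptables -A FORWARD -i $i -j DROP"
        echo "iptables -A FORWARD -o $i -j DROP"
    done
}

# One snort process per interface, unprivileged and chrooted
# (user/group and directories are assumed names).
snort_cmdline() {
    echo "snort -D -u snort -g snort -t /var/snort -i $1 -c /etc/snort/snort.conf -l /var/log/snort"
}

# Live mode (root required): apply the configuration on a real sensor.
case "${1:-}" in
    --live)
        SNIFF="eth1 eth2 eth3"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        for i in $SNIFF; do
            ip addr flush dev "$i"               # no IP on sniffing ports
            ip link set dev "$i" up promisc on
        done
        sniff_iface_rules $SNIFF | sh
        forwarding_disabled || echo "WARNING: ip_forward still enabled"
        sniff_ifaces_unnumbered "$SNIFF" "$(ip -o addr)" || echo "WARNING: numbered sniffing interface"
        [ -z "$(find_suid /)" ] || echo "WARNING: suid/sgid files remain:" "$(find_suid /)"
        ;;
esac
```

Run it with `--live` on the sensor to apply and re-check; without arguments it only defines the functions, so the checks can be sourced into other audit scripts. The rules and checks reduce the attack surface, but, as the post says, only a tap removes the return path entirely.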