Snort mailing list archives
Re: Snort with three interfaces attached to different network segments
From: Craig Paterson <craigp () tippett com>
Date: 18 Jun 2003 13:38:57 -0700
On Wed, 2003-06-18 at 11:02, artiman () cable net co wrote:
Hi Folks, I have the following question. I just have one machine to monitor the activity on three different network segments (Redhat 9), so I plan to install 3 NICs on the Snort machine, set up the interfaces in promiscuous mode without IP information and start to listen on each segment. I'm kinda worried about the security implications because I'm creating a physical path between the Internet, DMZ and MZ zones, so in theory there is a small probability of bypassing the firewall using the Snort machine. Can somebody explain what risk I'm facing using this architecture? How can I make sure 100% that Linux will not route packets between different segments? In which ways can a hacker exploit my network???
If you create a path between networks that depends for security on the IDS machine not being subverted then yes, there are implications. One way of minimizing the risk is to use Taps on the connections on the Internet and DMZ sensors, so (physically) nothing can be transmitted. Also, set up your firewall so the Snort sensor on your LAN isn't allowed to send or receive traffic to the Internet, so even if it is compromised through a "sensor" attack (i.e. Snort being cracked open by scanning some specially-formed packet) it can't open a connection back to the attacker or provide the attacker an entry point to your network.

Craig.
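One way to apply the advice above on the sensor itself, as an added example that is not from this thread: the sniffing NICs are brought up with no IP and no ARP, kernel forwarding is switched off with a DROP policy behind it, and an audit function reports any interface that still has an address. Interface names eth1..eth3 are placeholders, and the ip/sysctl/iptables commands need root.

```shell
#!/bin/sh
# Added example, not from the thread: lock down a Linux Snort sensor so its
# sniffing NICs carry no IP address and the kernel can never forward traffic
# between the segments it listens on. eth1..eth3 are placeholder names.

# 0 if IP forwarding is off in the given sysctl file (default: live kernel value).
forwarding_disabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# 0 if the supplied `ip -4 addr show dev <if>` output lists no inet address,
# i.e. the interface is a pure listener with nothing to route to or from.
no_ipv4_address() {
    ! printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# Bring a sniffing interface up with no IP, promiscuous, and without ARP, so it
# never answers on the wire while Snort (libpcap) still sees every frame.
stealth_up() {
    ip addr flush dev "$1"
    ip link set dev "$1" arp off
    ip link set dev "$1" promisc on
    ip link set dev "$1" up
}

# Defence in depth on the sensor itself: no forwarding at all, plus a FORWARD
# policy of DROP in case forwarding is ever re-enabled by mistake.
harden_sensor() {
    sysctl -w net.ipv4.ip_forward=0
    iptables -P FORWARD DROP
    iptables -F FORWARD
    for i in eth1 eth2 eth3; do stealth_up "$i"; done
}

# Audit: non-zero if forwarding is on or any sniffing NIC still has an address.
audit_sensor() {
    rc=0
    forwarding_disabled || { echo "ip_forward is ON"; rc=1; }
    for i in eth1 eth2 eth3; do
        no_ipv4_address "$(ip -4 addr show dev "$i" 2>/dev/null)" \
            || { echo "$i has an IPv4 address"; rc=1; }
    done
    return $rc
}
```

The two check functions take a file path or captured output, so they can be run against saved `ip addr` output from the sensor as well as live.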
Current thread:
- Snort with three interfaces attached to different network segments artiman (Jun 18)
- RE: Snort with three interfaces attached to different network segments Mike Feetham (Jun 18)
- Re: Snort with three interfaces attached to different network segments Erek Adams (Jun 18)
- Re: Snort with three interfaces attached to different network segments Bennett Todd (Jun 18)
- Re: Snort with three interfaces attached to different network segments Craig Paterson (Jun 18)