Re: Snort as Firewall (WinXP)

["coder" <elite.coder () ntlworld com>]

Hi Neil,

I am currently doing research into this area for my university thesis. Snort
is foremost a lightweight IDS as with any IDS  you are going to get false
positives (Snort requires a lot of tuning to the network environment its
placed in). Where I work snort always gives off an "MTU denial of service"
alert when someone reads their emails, simply because the packets are larger
than the default MTU, now if I had snort running as a firewall and it
blocked these communications, no one can read their email! Likewise if a
false-positive happens over port 80, you loose your web surfing abilities!

Now, someone can correct me if I am wrong here, from what I read as snort
analyses a packet, other packets go by unchecked (in a high traffic area).
So placing snort in a high traffic area would mean a lot of packets would go
unchecked, now I think (and again correct me if I am wrong), even though
there isn't a lot of traffic going to/from your laptop, your laptop would be
focusing its processing power on your tasks. So I think you would have the
same effect again, as your laptop is loading Outlook or something, many
packets will go by unchecked.

My research is focused on writing a client-side firewall (which will be used
in a corporate environment) which can be centrally managed via a web
interface and also interfaces with one or more snort databases. Although
this is for a corporate environment I plan to use it on my own home network
if all goes to plan.

Regards,

Davie

----- Original Message ----- 
From: "Neil" <neil () voidfx net>
To: <security-basics () securityfocus com>
Sent: Sunday, January 22, 2006 2:26 AM
Subject: Snort as Firewall (WinXP)


> Has anyone here ever tried using Snort as a firewall, particularly on a
> Windows box?  I was toying around with the idea of using it as a
> firewall for my laptop (not an enterprise).
>
> From what I've read, a couple people have tried, but most people were of
> the opinion to use Snort as an IDS, and have a separate firewall.
>
> If anyone has done it, do you recommend it? Why/why not?
> For those who are against using it as a firewall, again, why?
>
> Thanks for the input.
> -- 
> Neil.
> http://voidfx.net
> "Lord, grant me the strength to accept the things I cannot change, the
> courage to try to change the things I can, and the wisdom to hide the
> bodies of the people I had to kill because they pissed me off."
> --Anonymous
>
>
> --------------------------------------------------------------------------
-
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
Planning,
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
> --------------------------------------------------------------------------
-
>



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------