RE: Centralized DB Server??

["Chapman, Justin T" <JtChapma () mail bhi-erc com>]

My department has recently been brainstorming this same issue & we came up
with what I think is an interesting solution.  Our topology is pretty
simple, we have a perimeter network and a "trusted" DMZ.  We, too didn't
like the idea of having MySQL traffic passing through the perimeter network.
So, our idea was to have a dual-homed machine with one leg outside and one
leg inside... with one catch.  The cable on the external interface (the one
that snort is listening on) has the transmit pairs cut.  It's physically
impossible for that interface to transmit any data.  It can listen all day
long, it just won't respond to *anything*.  This makes the computer
completely invisible to the outside world and all attempts to map it, ping
it or otherwise communicate with it fail.  We're still able to log to our
MySQL database on the inside via the DMZ connection, too.  


--Justin

> -----Original Message-----
> From: Marc Thompson [mailto:Marc.Thompson () bops com]
> Sent: Tuesday, June 12, 2001 5:58 PM
> To: 'Andreas Lindenblatt'; 'Kris Quinby'
> Cc: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Centralized DB Server??
>
>
> Andreas,
>
> > But I would feel uhm... uncomforatable with an open MySQL-Port to a
> > machine sitting inside our network and collecting lots of 'foreign',
> > unchecked and unencrypted sensor data.
>
> What about an IDS box that has two network interfaces:  One non-IP 
> Ethernet adapter on the DMZ and one IP-assigned Ethernet Adapter
> on the local net.  
>
> I forgot to mention that I am assuming that I am *not* transferring 
> alerts across the Internet.  The sites have redundant VPN 
> connectivity,
> to the sites are also connected via leased-lines on a private net.
>
> Does this mitigate the risk or am I misunderstanding your point?
>
> Thanks,
> Marc
>
> *******************************************
> Marc Thompson
> IT Site Manager
> BOPS, Inc.
> 7800 Shoal Creek Blvd. Suite 200N
> Austin, TX 78757
>
>
> -----Original Message-----
> From: Andreas Lindenblatt [mailto:azrael () solution de]
> Sent: Tuesday, June 12, 2001 6:20 PM
> To: Marc Thompson; 'Kris Quinby'
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Centralized DB Server??
>
>
> Hi Marc,
>
> > geographical locations.  I've been brainstorming this a 
> bit, and it seems
> > that I should be able to easily ignore alerts that are 
> being generated by
> > traffic to the MySQL TCP port.  Does this sound like the answer?
> It surely is an answer to your initial question :).
>
> But I would feel uhm... uncomforatable with an open MySQL-Port to a
> machine sitting inside our network and collecting lots of 'foreign',
> unchecked and unencrypted sensor data.
>
> Even if it means we don't get 'real-time' data, we fell back 
> to packing
> and scrambling logs at the snort-boxes and fetching them with scp. 
>
> Hmmm... what happened to SnortNet? It looked good with snort 1.6 :)
>
> -- 
> ----
> BYE Andreas
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users