Snort mailing list archives

Snort-Machine = Security Hole?


From: "Davis, Scott" <Scott_Davis () troweprice com>
Date: Thu, 12 Jul 2001 12:24:16 -0400


I have set up very similar environments and agree there is minimal risk.
Here is what I have:

- Snort running on a Linux box with 2 interfaces, eth0 and eth1
- eth0 is 192.168.x.x; eth1 has no IP address
- eth1 is plugged into a hub outside the firewall
- eth0 is plugged into a switch inside my firewall
- firewall has a rule to block any outbound traffic from IP address 192.168.x.x (eth0)

In this case, if any attacker sent a buffer overflow to my network, the
snort box would pick it up. Even if the attack caused the snort box to open
a connection back to the attacker's machine over eth0, the firewall would
block the request. The worst case would be the compromised snort box *could*
attack one of the boxes inside my network. But because I am a good security
practitioner, I have a separate snort box running on my internal network,
all my boxes are patched against the latest attacks, and host-based IDS is
running on those boxes.

Good security is layers; if any of my tools (router, firewall, IDS) are
compromised, there should be other tools that protect the infrastructure.
Just my .02!

All opinions welcome.

Thanks,
Scott Davis
Internet Security Specialist
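A posture check for the sensor layout described above, added here as an example (it is not from Scott's post or from the Snort project). It parses constructed samples of iproute2 (`ip -o -4 addr`, `ip -o link`) and `iptables-save` output and flags any deviation from the three properties the post relies on: the sniffing interface has no IP address, the sniffing interface is promiscuous, and the firewall drops traffic sourced from the sensor's management address. The interface names eth0/eth1 follow the post; the Linux/netfilter firewall format, the 192.168.10.5 address and the sample lines are assumptions.

```python
"""Check that a passive Snort sensor matches the 'no IP on the sniffing NIC,
egress from the management NIC blocked' posture. Samples are constructed."""
import re

# Constructed `ip -o -4 addr` output for the sensor (assumed addresses).
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0
"""
# Constructed `ip -o link` output: eth1 is up and promiscuous, eth0 is not.
SAMPLE_LINK = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
"""
# Constructed `iptables-save` FORWARD rules on the firewall (assumption: netfilter).
SAMPLE_FW = """\
-A FORWARD -s 192.168.10.5/32 -i eth0 -j DROP
-A FORWARD -i eth1 -j ACCEPT
"""

def interface_addrs(ip_addr_out):
    """Map interface name -> list of IPv4 CIDRs from `ip -o -4 addr` output."""
    addrs = {}
    for line in ip_addr_out.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs

def promisc_ifaces(ip_link_out):
    """Set of interfaces whose link flags include PROMISC."""
    found = set()
    for line in ip_link_out.splitlines():
        m = re.match(r"\d+:\s+([^:]+):\s+<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.add(m.group(1))
    return found

def sensor_egress_blocked(fw_rules, sensor_ip):
    """True if some rule drops traffic sourced from sensor_ip (no ordering check)."""
    pat = rf"-s {re.escape(sensor_ip)}(/32)?\b"
    return any(re.search(pat, ln) and ln.rstrip().endswith("-j DROP")
               for ln in fw_rules.splitlines())

def check_sensor(ip_addr_out, ip_link_out, fw_rules, sniff="eth1", mgmt="eth0"):
    """Return a list of findings; an empty list means the posture holds."""
    findings, addrs = [], interface_addrs(ip_addr_out)
    if addrs.get(sniff):
        findings.append(f"{sniff} has an IP address: {addrs[sniff]}")
    if sniff not in promisc_ifaces(ip_link_out):
        findings.append(f"{sniff} is not in promiscuous mode")
    if not addrs.get(mgmt):
        findings.append(f"{mgmt} has no IP address")
    for ip in (cidr.split("/")[0] for cidr in addrs.get(mgmt, [])):
        if not sensor_egress_blocked(fw_rules, ip):
            findings.append(f"no DROP rule for traffic sourced from {ip}")
    return findings
```

The egress check only looks for a matching DROP rule; it does not evaluate rule order, so an earlier ACCEPT on the same chain would still need a manual look.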


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

