Snort mailing list archives

Packet Motel (was: brut force attack not detected)


From: Kiira Triea <kiira-t () mail bsasinc org>
Date: Thu, 26 Jul 2001 13:59:01 -0400 (EDT)


Matthew Francis wrote: 

I've heard of this configuration a lot, but isn't it a security risk having
one NIC connected to the DMZ and another connected to the internal LAN?  If
someone were to compromise this system in the DMZ they would have access to
your LAN without having to 'break' the firewall(s).  I understand that you
can harden the Snort box but it's still another way in.

It would be a bad thing if that NIC had an IP on it. In Linux you can 
simply ifconfig an interface "up" with no IP and it will then not be 
visible. There was some discussion that this could be a security hole 
as well, though it seems an "acceptable" risk right now. 

I have made eth1 a read-only interface by using a PCI NIC which has an
AUI port... get an AUI cable - a good one with a metal shell which 
comes apart - and remove Tx pins 3 and 10. Then snort can snarf but 
cannot be anti-sniffed or snafu'ed. 

Hmmm... I saw a cute little appliance size (7cmx25cmx29cm) box (cheap
too, $250) with integrated all on MB, that would take 1 gig flipchip
and an extra pci riser slot for a nic. Someone should sell these with the
one way interface in it configured as a sensor and various
configurations of sensors and IDS control console.  Call it the
"Snort-O-Matic 9000 - where packets check in but they don't check
out!" Well, maybe not.

Kiira 
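A Linux recipe for the "up, no IP" sensor interface described in the message above, added here as an example that is not part of the original post and is not Snort's own configuration. It assumes the sensor NIC is called eth1 (override with the SENSOR_IF environment variable), that iproute2 (`ip`) and `sysctl` are available, and that it runs as root only when invoked with `--apply`; without that flag it only exercises the verification functions on constructed sample output, so it runs with no real interface at all. It goes a little beyond the post: on a modern kernel an interface with no IPv4 address still gets an IPv6 link-local address and sends neighbour discovery traffic when brought up, so the script disables IPv6 on the NIC first and turns ARP off, then verifies that no address of either family is left.

```shell
#!/bin/sh
# Bring up a Linux sniffing interface with no IP address so it does not
# answer ARP, does not auto-configure an IPv6 link-local address and is
# not reachable as a host on the monitored segment.
#
# Assumptions (not from the original post): the sensor NIC is SENSOR_IF
# (default eth1), iproute2 and sysctl exist, and --apply is run as root.

SENSOR_IF="${SENSOR_IF:-eth1}"

# Returns 0 when the supplied `ip -o addr show dev <if>` text carries no
# IPv4 or IPv6 address, i.e. the interface is "up, no IP". The text is
# passed as an argument so the check can run on captured output without
# touching a real interface.
iface_is_silent() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]' && return 1
    return 0
}

# Number of configured addresses (inet + inet6) in the same output.
iface_addr_count() {
    printf '%s\n' "$1" | grep -Ec '(^|[[:space:]])inet6?[[:space:]]' || true
}

# Apply the stealth configuration to a real interface. Requires root.
apply_stealth() {
    dev="$1"
    # Disable IPv6 *before* bringing the link up; otherwise the kernel
    # assigns an fe80::/64 link-local address and starts sending
    # router solicitations and neighbour discovery on the wire.
    sysctl -q -w "net.ipv6.conf.${dev}.disable_ipv6=1"
    sysctl -q -w "net.ipv6.conf.${dev}.autoconf=0"
    # Drop any IPv4 address that may already be there (e.g. from DHCP).
    ip -4 addr flush dev "$dev"
    # No ARP replies; promiscuous so the sniffer sees every frame.
    ip link set dev "$dev" arp off
    ip link set dev "$dev" promisc on
    ip link set dev "$dev" up
    # Verify that the interface really has no address left.
    out="$(ip -o addr show dev "$dev")"
    if iface_is_silent "$out"; then
        echo "$dev is up with no IP address"
    else
        echo "$dev still has $(iface_addr_count "$out") address(es):" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
}

# Constructed sample outputs (not captured from a real system) in the
# one-line-per-address format of `ip -o addr show`.
SAMPLE_WITH_IP='2: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever
2: eth1    inet6 fe80::211:22ff:fe33:4455/64 scope link \       valid_lft forever preferred_lft forever'
SAMPLE_SILENT=''

if [ "${1:-}" = "--apply" ]; then
    apply_stealth "$SENSOR_IF"
else
    # Offline demonstration of the check on the constructed samples.
    if iface_is_silent "$SAMPLE_WITH_IP"; then
        echo "sample 1: silent"
    else
        echo "sample 1: has $(iface_addr_count "$SAMPLE_WITH_IP") address(es)"
    fi
    if iface_is_silent "$SAMPLE_SILENT"; then
        echo "sample 2: silent"
    else
        echo "sample 2: not silent"
    fi
fi
```

Run it with `--apply` as root on the sensor to configure SENSOR_IF, or with no argument to see the check work on the samples. The script only covers the software side of the post: a receive-only cable with the Tx pins removed is the only way to make the NIC physically unable to transmit, and the sysctl and ARP settings above do not survive a reboot unless they are also written to the distribution's interface or sysctl configuration.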


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
