Snort mailing list archives

RE: Alerts from DMZ


From: "Abe L. Getchell" <abegetchell () home com>
Date: Tue, 20 Nov 2001 23:52:48 -0500

Greetings!

 External Net ----- Firewall --------- Internal Net
                       |                      |
                      [H]--(1)-- Snort --(2)--´
                       |
                      DMZ

<snip>

Well, the more you deal with security, the more paranoid you 
become.  :) IMHO, I want all the levels of protection that I 
can have.

More paranoid?!  No I'm not, and yes, they're all out to get me. =)  I
personally would take this one step further because I'm a masochist and
enjoy implementing systems which are more secure rather than usable.
Only if I and the other security guys I work with will be touching
them, that is; can't inflict too much stress on the end user. =)

External net-----Firewall---------Internal Net
                    |
                   Tap-----Snort-----Hub (Management Network)
                    |                 |
                   DMZ            Management
                                  Workstation

The above design has the benefit of having the management network
physically separate from the internal network, and the management
workstation hanging off of the management network with no physical link
to the internal network.  Hence, there's no way to access the management
interface on the Snort box without physically being at, and having
console access to, the management workstation.  This design, used in
combination with read-only sniffing cables, network taps (both Shomiti
and NetOptics, which data can't be sent _out_ of), and host-based
security mechanisms (NetFilter, SSH, Tripwire, etc.), makes me feel
pretty sure that the sensor is secured from network-based access other
than that from the management network.  Now all you have to do is set up
bear traps around the management workstation. =)

This design also has the added bonus of being able to work well in
environments with multiple sensors.  With every sensor you implement,
simply plug the management interface into the management network.  For
instance:

External net-----Firewall------------Tap-----Internal Net
                    |                 |
                    |               Snort
                    |                 |
                   Tap-----Snort-----Hub (Management Network)
                    |                 |
                   DMZ            Management
                                  Workstation

Presto, you have yourself a single point (the management workstation)
for secure management access (over the physically separate management
network) to all of your sensors.  This example does not take physical
limitations into consideration.  These, however, can be overcome with a
whole lotta money and a bunch of strands of fiber. =D

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
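The host side of the design in the message above, written out as an added example; this is not code from the original post or from the Snort project. It assumes a Linux sensor with NetFilter (iptables, which the message names), a tap-facing interface eth1, a management interface eth0, and a management workstation at 10.200.0.10; all three names/addresses are placeholders and can be overridden through the environment. The sniffing interface gets no IP address, ARP disabled and a blanket DROP in both directions, so nothing can be sent _out_ of the sensor onto the monitored segment even if the tap did pass traffic; the management interface accepts SSH only from the workstation. A small check function rejects any ruleset that opens the sniffing interface or relaxes a default policy.

```shell
#!/bin/sh
# Added example (not from the original post): host-side hardening of a Snort
# sensor built like the diagram above, using NetFilter/iptables.
# Interface names and addresses below are assumptions, overridable via env.
#
#   SNIFF_IF : interface cabled to the tap.  No IP address, promiscuous,
#              ARP disabled, every packet dropped by the host firewall.
#   MGMT_IF  : interface on the physically separate management network.
#              Only SSH from the management workstation is accepted.

SNIFF_IF="${SNIFF_IF:-eth1}"          # assumed tap-facing interface
MGMT_IF="${MGMT_IF:-eth0}"            # assumed management interface
MGMT_WS="${MGMT_WS:-10.200.0.10}"     # assumed management workstation

# Commands that bring the sniffing interface up with no stack presence and
# start Snort on it.  Printed, not run, so this script is safe anywhere.
sniff_if_cmds() {
    cat <<EOF
ifconfig $SNIFF_IF 0.0.0.0 up promisc -arp
snort -i $SNIFF_IF -c /etc/snort/snort.conf -D
EOF
}

# iptables-restore ruleset: default DROP on every chain, loopback open,
# nothing in or out on the sniffing interface, SSH on the management
# interface only from the management workstation, the rest logged+dropped.
sensor_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $SNIFF_IF -j DROP
-A OUTPUT -o $SNIFF_IF -j DROP
-A INPUT -i $MGMT_IF -s $MGMT_WS -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $MGMT_IF -d $MGMT_WS -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i $MGMT_IF -j LOG --log-prefix "sensor-mgmt-drop: "
-A INPUT -i $MGMT_IF -j DROP
COMMIT
EOF
}

# Design check for a ruleset read from stdin: all three default policies
# must be DROP, and no rule may ACCEPT anything on the sniffing interface.
# Returns 0 when the ruleset matches the design, 1 otherwise.
ruleset_ok() {
    rules=$(cat)
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:$chain DROP" || return 1
    done
    if printf '%s\n' "$rules" | grep -- "-[io] $SNIFF_IF " | grep -q ACCEPT; then
        return 1
    fi
    return 0
}

# Show what would be applied.  On the sensor itself, as root, apply with:
#   sensor_rules | ruleset_ok && sensor_rules | iptables-restore
sniff_if_cmds
sensor_rules
```

The check is deliberately stricter than the rules it guards: if someone later adds a convenient "ACCEPT on eth1 for updates", the design check fails before iptables-restore is ever reached, which is the point of a sensor whose only reachable interface is the one on the management network.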

