Snort mailing list archives

RE: firewalling snort machine


From: "Salisko, Rick" <SaliskoR () ottawapolice ca>
Date: Fri, 22 Feb 2002 08:15:00 -0500

I have tried to get around a similar problem in the past by setting the default gateway of the sensor to the firewall
external interface, which, of course, is set to deny all such packets. Each time a packet (scan or otherwise) is
directed to the sensor IP address, any response it sends is sent to the firewall, which reports it as a packet
forwarding attack.

Other than opening the sensor to a DoS-type attack, can anybody see any other blatant holes in this technique?




-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon () eadvancemed com]
Sent: Thursday, February 21, 2002 4:59 PM
To: Basil Saragoza; Erek Adams
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] firewalling snort machine


To answer your follow-up questions:

1) I would highly recommend that you rethink this.  It is generally
considered to be a VERY BAD practice to make your most critical security
systems available to the outside world.  You just don't do it.  Use an
internal interface for management.  Your sensor should never be visible,
in any fashion, to the outside world.  It should see without being seen.

2) You could, and it would not affect Snort's operation.  However, I
recommend that you read item 1.

Cheers

Keith
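As an added example that is not part of either message above (it is not Keith's or Rick's code, and not part of Snort): a small POSIX shell script showing how a Linux sensor can be given a sniffing interface with no IP address at all, so there is nothing for a scan to elicit a reply from and no default-gateway trick is needed, while management is confined to a separate internal interface. Interface names (eth1 for sniffing, eth0 for management) and the management network 10.0.0.0/24 are assumptions for illustration. The function prints the commands so they can be reviewed before piping them to sh as root; libpcap (and therefore Snort) still sees every frame on the sniffing interface because packet capture happens before netfilter's INPUT chain.

```shell
#!/bin/sh
# Added example: make a sniffing interface "see without being seen".
# emit_stealth_rules SNIFF_IF MGMT_IF MGMT_NET  -> prints the commands
# apply_stealth_rules SNIFF_IF MGMT_IF MGMT_NET -> runs them (needs root)
# Interface names and the management network are assumed values.

emit_stealth_rules() {
  sniff="$1"; mgmt="$2"; mgmt_net="$3"
  cat <<EOF
# IPv6 would otherwise give $sniff a link-local address and send
# router solicitations / neighbour discovery, which is visible on the wire
sysctl -w net.ipv6.conf.$sniff.disable_ipv6=1
# no IPv4 address, no ARP, no multicast joins: the sensor never answers
ip addr flush dev $sniff
ip link set dev $sniff arp off multicast off
ip link set dev $sniff promisc on up
# belt and braces: drop anything the kernel might still emit or accept there
iptables -A OUTPUT -o $sniff -j DROP
iptables -A INPUT -i $sniff -j DROP
# management only from the internal network on the internal interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $mgmt -s $mgmt_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -P INPUT DROP
# the sensor is not a router; never forward between its interfaces
iptables -P FORWARD DROP
EOF
}

# Count the DROP rules/policies the script would install (used as a sanity check).
count_drops() {
  emit_stealth_rules "$@" | grep -c 'DROP'
}

apply_stealth_rules() {
  emit_stealth_rules "$@" | sh
}
```

Usage: `emit_stealth_rules eth1 eth0 10.0.0.0/24` to review, then `apply_stealth_rules eth1 eth0 10.0.0.0/24` as root. With no address on eth1 the sensor has no route out of that interface, so the question of where its replies go does not arise; only the management interface, on an internal network, ever carries packets sourced from the sensor.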



