Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: firewalling snort machine

From: "Salisko, Rick" <SaliskoR () ottawapolice ca>
Date: Mon, 25 Feb 2002 08:22:08 -0500

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Friday, February 22, 2002 1:08 PM
To: Salisko, Rick
Cc: 'McCammon, Keith'; Basil Saragoza; snort-users () lists sourceforge net
Subject: RE: [Snort-users] firewalling snort machine


On Fri, 22 Feb 2002, Salisko, Rick wrote:


I have tried to get around a similar problem in the past by setting the
default gateway of the sensor to the firewall external interface, which, of
course, is set to deny all such packets. Each time a packet (scan or
otherwise) is directed to the sensor ip address, any response it sends is
sent to the firewall, which reports it as a packet forwarding attack.

Other than opening the sensor to a DOS type attack, can anybody see any
other blatant holes in this technique ?


*puts on his Devil's Advocate hat*

Ok....  Lessee...


*  Depends on how your firewall responds.  RST or Drop?

Drop

*  If your firewall is ever 0wned, then so is your sensor.  But at that point,
who cares--You're hosed.

sensor's is disposable... (no other links, so no other connections to exploit, half-an-hour to rebuild) 


*  Extra load on firewall.  Using a R/O cable and 2 nics, you don't have to
worry about even firewalling the box.

I get more traffic from Code Red then I get from this configuration


*  Single point of failure.  If the firewall goes, so does your sensor.  But
that could also be a moot point.

no, the sensor is still active - I'm not sure I see the connection....


*  You only see what the firewall passes.  You don't see what's hitting the
DMZ/Outside.  And if you think your users can't get around your firewall....

Actually, the sensor lets me see everything, because it's on the outside. I have separate sensors on DMZs....

*  Do you trust your firewall admins?  (Many companies they aren't the same as
the IDS folks.)

I also admin the firewalls............


----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


All good points, but I think I've considered most possibilities.... (famous last words...)

Thanks for your response



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: