Snort mailing list archives
RE: firewalling snort machine
From: "Salisko, Rick" <SaliskoR () ottawapolice ca>
Date: Mon, 25 Feb 2002 08:22:08 -0500
-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Friday, February 22, 2002 1:08 PM
To: Salisko, Rick
Cc: 'McCammon, Keith'; Basil Saragoza; snort-users () lists sourceforge net
Subject: RE: [Snort-users] firewalling snort machine

> On Fri, 22 Feb 2002, Salisko, Rick wrote:
>
> > I have tried to get around a similar problem in the past by setting the
> > default gateway of the sensor to the firewall external interface, which,
> > of course, is set to deny all such packets. Each time a packet (scan or
> > otherwise) is directed to the sensor IP address, any response it sends is
> > sent to the firewall, which reports it as a packet forwarding attack.
> > Other than opening the sensor to a DoS-type attack, can anybody see any
> > other blatant holes in this technique?
>
> *puts on his Devil's Advocate hat*
>
> Ok.... Lessee...
>
> * Depends on how your firewall responds. RST or Drop?

Drop

> * If your firewall is ever 0wned, then so is your sensor. But at that
>   point, who cares--You're hosed.

The sensor is disposable... (no other links, so no other connections to exploit, half an hour to rebuild)

> * Extra load on firewall. Using a R/O cable and 2 NICs, you don't have to
>   worry about even firewalling the box.

I get more traffic from Code Red than I get from this configuration.

> * Single point of failure. If the firewall goes, so does your sensor. But
>   that could also be a moot point.

No, the sensor is still active - I'm not sure I see the connection....

> * You only see what the firewall passes. You don't see what's hitting the
>   DMZ/Outside. And if you think your users can't get around your
>   firewall....

Actually, the sensor lets me see everything, because it's on the outside. I have separate sensors on the DMZs....

> * Do you trust your firewall admins? (In many companies they aren't the
>   same as the IDS folks.)

I also admin the firewalls............

> ----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net

All good points, but I think I've considered most possibilities.... (famous last words...)

Thanks for your response.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
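The two deployment styles argued over in this exchange (a receive-only sniffing NIC with no address and no route, versus pointing the sensor's default gateway at a firewall interface that drops everything) both come down to "the sensor must not be able to answer". The script below is an added example, not code from the thread or from the Snort project: a small POSIX sh audit that checks a Linux sensor's `ip addr` / `ip route` output for both conditions. The function names (`stealth_iface_ok`, `default_gw_is`, `audit_sensor`), the interface name `eth1`, the firewall gateway `192.0.2.1` and the sample command output are all constructed for illustration; it assumes iproute2-style output.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Snort sensor's network setup.
# Two checks, matching the two approaches discussed on the list:
#   1. the sniffing NIC has no IPv4/IPv6 address and no route, so the kernel
#      has nothing to reply from (the "R/O cable and 2 NICs" approach);
#   2. the default route goes via the firewall's external interface, so any
#      reply the sensor does generate is dropped there.
# Functions take command output as arguments so they run against live
# `ip addr show <iface>` / `ip route` output or, as here, constructed samples.

# Return 0 if interface $1 has no inet/inet6 line in $2 (output of
# `ip addr show <iface>`) and no route via that device in $3 (`ip route`).
stealth_iface_ok() {
    iface="$1"
    addr_out="$2"
    route_out="$3"
    # any address line (even an IPv6 link-local) gives the NIC something to
    # answer from
    if printf '%s\n' "$addr_out" | grep -qE '^[[:space:]]*inet6? '; then
        return 1
    fi
    # any route through the device means the kernel could transmit on it
    if printf '%s\n' "$route_out" | grep -qE "dev ${iface}( |\$)"; then
        return 1
    fi
    return 0
}

# Return 0 if the default route in $2 (`ip route` output) is via gateway $1.
# No default route at all also fails: the sensor would still answer on-link
# hosts directly instead of handing replies to the firewall.
default_gw_is() {
    want="$1"
    route_out="$2"
    gw=$(printf '%s\n' "$route_out" | grep '^default via ' | awk '{print $3}')
    if [ -n "$gw" ] && [ "$gw" = "$want" ]; then
        return 0
    fi
    return 1
}

# Run both checks and report. Returns non-zero on any failure so it can sit
# in a cron job or a config-management compliance check.
audit_sensor() {
    iface="$1"; fw_gw="$2"; addr_out="$3"; route_out="$4"
    rc=0
    if stealth_iface_ok "$iface" "$addr_out" "$route_out"; then
        echo "OK   $iface has no address and no route"
    else
        echo "FAIL $iface has an address or a route; the sensor can answer on it"
        rc=1
    fi
    if default_gw_is "$fw_gw" "$route_out"; then
        echo "OK   default route goes via firewall $fw_gw"
    else
        echo "FAIL default route does not go via $fw_gw"
        rc=1
    fi
    return $rc
}

# Constructed sample output (not captured from a real host): sniffing NIC eth1
# is address-less and absent from the routing table; management NIC eth0 has
# its default route pointed at the firewall at 192.0.2.1.
GOOD_ADDR='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
GOOD_ROUTE='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50'

# Constructed sample for a misconfigured sensor: eth1 was given an address and
# therefore a connected route, so it could reply to probes on the tapped segment.
BAD_ADDR='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth1'
BAD_ROUTE='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.7'

audit_sensor eth1 192.0.2.1 "$GOOD_ADDR" "$GOOD_ROUTE"
audit_sensor eth1 192.0.2.1 "$BAD_ADDR" "$BAD_ROUTE" || echo "(failure expected for the misconfigured sample)"
```

On a live sensor the same checks run as `audit_sensor eth1 192.0.2.1 "$(ip addr show eth1)" "$(ip route)"`. The IPv6 check is deliberate: a NIC that is brought up without IPv6 disabled still gets a link-local address, which is enough for the host to emit neighbour-discovery traffic on the monitored segment.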