Snort mailing list archives

Re: Cisco PIX firewalls..


From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 13 Apr 2002 11:44:27 -0700 (PDT)

On 12 Apr 2002, Austin Gonyou wrote:

> Is it possible to have snort login to the firewall and block IPs, etc,
> in the event of an error? We're thinking of using the Cisco IDS
> management software for that, and a few other reasons. TIA

Ok, this is _NOT_ to start a Holy War....  This is only to warn folks who
might be considering this....

<flailing robot arms>

      DANGER!  DANGER!  DANGER WILL ROBINSON!  [0]

</flailing robot arms>

Ok, now that that's out of the way....  :)  This is a good and a _very_ bad
idea at the same time.  If you are going to trust your IDS to manage your
routers for you, well...  You better be damned sure that you'll never have
any false positives, and that everything can be 'undone' quickly if the need
arises.  If you're not careful, some Evil Bastard(tm) might spoof attacks from
your upstream ISP's router.  Or might spoof something from your own internal
setup.  Or might....  The list could go on and on.  You need to be aware that
this potential for abuse _DOES_ exist and you _must_ take it into account when
designing a setup like this.

Since everyone is out to get me, and I'm not paranoid, I don't trust my
sensors to do any more than _sense_.  I trust a human examining the traces and
then making the decision.  Yes, Yes...  I know sometimes I'm better off
getting a goldfish to make the choice, but I have _some_ tiny faith in
humanity.  :)

Hope this gives you something to consider!  Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


[0]  http://www.scifi.com/lostnspace/
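The two safeguards the post asks for before letting an IDS drive a firewall, a never-block list so a spoofed alert naming the upstream router or an internal host cannot lock you out, and blocks that expire on their own so a mistake is undone quickly, as an added example that is not part of the original post or of Snort itself. The address ranges, the alert threshold and the TTL are constructed values, not anything from the thread.

```python
"""Guarded auto-block policy: what sits between an IDS alert and a firewall rule."""
import ipaddress
from dataclasses import dataclass, field

# Constructed example values (RFC 5737 / RFC 1918 space): addresses a spoofed
# alert must never be able to get blocked, i.e. the upstream ISP router and the
# internal networks the post warns about.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("203.0.113.1/32", "10.0.0.0/8", "192.168.0.0/16")]


@dataclass
class BlockPolicy:
    threshold: int = 3          # alerts from one source before a block (assumed value)
    ttl_seconds: int = 600      # every block expires by itself: the "undo" the post wants
    counts: dict = field(default_factory=dict)   # src_ip -> alerts seen so far
    blocks: dict = field(default_factory=dict)   # src_ip -> expiry time (seconds)

    def is_protected(self, ip: str) -> bool:
        """True if the address falls inside a never-block range."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in NEVER_BLOCK)

    def expire(self, now: float) -> None:
        """Drop blocks whose TTL has run out."""
        for ip in [ip for ip, until in self.blocks.items() if until <= now]:
            del self.blocks[ip]

    def on_alert(self, src_ip: str, now: float) -> str:
        """Decide what to do with one alert: ignore, count, block or already-blocked."""
        self.expire(now)
        if self.is_protected(src_ip):
            return "ignore"            # a single false positive here would cut us off
        if src_ip in self.blocks:
            return "already-blocked"
        self.counts[src_ip] = self.counts.get(src_ip, 0) + 1
        if self.counts[src_ip] < self.threshold:
            return "count"             # one alert alone never creates a rule
        self.blocks[src_ip] = now + self.ttl_seconds
        del self.counts[src_ip]
        return "block"                 # here the firewall rule would be pushed

    def active_blocks(self, now: float) -> list:
        """Sorted list of addresses currently blocked at time `now`."""
        self.expire(now)
        return sorted(self.blocks)
```

Pushing the rule to the PIX is deliberately left out; the point is that the decision layer, not the sensor, owns the never-block list and the expiry.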

