Snort mailing list archives

Re: Detecting Broadcast with Snort


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 22 Feb 2003 12:45:47 -0600

On Sat, 2003-02-22 at 12:03, Matt Kettler wrote:

My general advice about such tools is they are fine, as long as you can be 
100% sure that you've not just created a hole where someone can hack your 
snort box you forgot to properly secure and use that to open up your 
firewall. A snortsam or inline snort box should not be doing things like 
running a mailserver, nameserver and webserver which are externally 
accessible, and I'm willing to bet more than one sysadmin fails to see how 
foolish this is.


Matt,

in regard to SnortSam, you are absolutely correct that SnortSam itself
should be running on a secure box. But the Snort sensors themselves
don't have to be. You can run Snort on your web and/or mail servers.

Yes, someone could crack the web server, use the SnortSam password
together with their own tool and send fake blocking requests to the
SnortSam daemon on the remote box, but he can a) only add blocks, not
reconfigure or open firewalls, and b) is still subject to the
countermeasures SnortSam employs (white-list, thresholds, etc).

As long as you keep the SnortSam daemon on a secure box, you're in good
shape.

I think this can lead to the debate/discussion of separation of
services. For example, I don't like to run my name services on the same
box I run web services because I feel that if the (weaker) web server
gets compromised, I hand the attacker control over my domains. It is
much harder to break into a djbdns name server than into an Apache box.

But that discussion is probably not for snort-users :)  Anyhow, thanks
for bringing this issue up. We should always keep this in mind when
designing/deploying systems.

Cheers,
Frank
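One way to picture the countermeasures the message refers to (block-only requests, a white-list, per-sensor thresholds) is this added Python sketch; it is not SnortSam's own code, and the white-list contents, threshold values and sensor names are assumptions:

```python
# Added illustration, not SnortSam's code: a block-request policy of the kind
# described above. A sensor on a compromised web server that knows the shared
# password can only ask for blocks, and each request is filtered by a white-list
# and a per-sensor threshold. All names and numbers here are assumptions.
import ipaddress
from collections import defaultdict, deque

# Hosts that must never be blocked, whatever a sensor asks (constructed sample:
# an internal management net and the DNS resolver).
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.53/32")]
MAX_BLOCKS_PER_WINDOW = 5   # assumed threshold: blocks one sensor may add per window
WINDOW_SECONDS = 60


class BlockPolicy:
    def __init__(self):
        self.history = defaultdict(deque)  # sensor -> timestamps of accepted blocks
        self.blocked = set()

    def handle(self, sensor, action, target, now):
        """Return (accepted, reason) for one request arriving from a sensor."""
        if action != "block":              # only adding blocks is permitted
            return False, "action not permitted"
        ip = ipaddress.ip_address(target)
        if any(ip in net for net in WHITELIST):
            return False, "white-listed"
        q = self.history[sensor]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                    # forget accepted blocks outside the window
        if len(q) >= MAX_BLOCKS_PER_WINDOW:
            return False, "threshold exceeded"
        q.append(now)
        self.blocked.add(ip)
        return True, "blocked"


def simulate():
    """Constructed request stream from a sensor on a compromised web server."""
    policy = BlockPolicy()
    requests = [("web1", "unblock", "198.51.100.7", 0),  # not a block: rejected
                ("web1", "block", "10.0.0.1", 1),         # internal gateway: rejected
                ("web1", "block", "192.0.2.53", 2)]       # DNS resolver: rejected
    # Seven block requests within one window: only the first five are honoured.
    requests += [("web1", "block", f"198.51.100.{i}", 3 + i) for i in range(7)]
    return [policy.handle(*r) for r in requests]
```

Running `simulate()` shows the worst a captured sensor password buys an attacker under such a policy: a bounded number of blocks on non-white-listed hosts, and nothing that reconfigures or opens the firewall.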
