[Snort-users] IDS monitoring unbound NIC on firewalled box

Bill Pennington billp at ...60...
Sat Jul 29 12:23:05 EDT 2000

This is a fairly standard way to run a "protected" IDS system. 

The only problem is that it violates the common single choke point
design. If someone compromises your dual homed IDS box then they can
bypass your firewall completely.

Having said that, if someone compromises your IDS I think it is game over
at that point :-). I have run this setup at many clients and I feel
better about it than leaving an exposed host out in the open, but that's
just me :-)

Jerry Shenk wrote:
> We've recently been experimenting with the idea of putting a 2nd NIC in a
> linux box that's behind the firewall.  If we don't bind an IP address to
> this NIC but still run the IDS on it, we can collect all the traffic on the
> outside of the firewall without the security problems associated with a
> public sentry.  I don't see any problems with doing this; does anybody else?
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users


Bill Pennington
Senior IT Manager
billp at ...60...
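One check an operator of the setup Jerry describes might script (example added here, not code from the thread): confirm that the sniffing NIC carries no IP address and is in promiscuous mode, and that the dual-homed host is not forwarding packets between its two segments, which is the firewall-bypass path Bill warns about. The interface names, addresses and the `ip -j addr` JSON sample are constructed for the example.

```python
"""Audit a dual-homed IDS sensor: the monitoring NIC must have no IP address
bound, must be promiscuous, and the host must not forward IP packets.

The sample below is constructed to mimic `ip -j addr show` (iproute2 JSON)
and /proc/sys/net/ipv4/ip_forward; it is not captured from a real host."""
import json

# Constructed sample: eth0 is the management side behind the firewall,
# eth1 is the unbound sniffing interface on the outside of the firewall.
SAMPLE_IP_ADDR_JSON = json.dumps([
    {"ifname": "lo", "flags": ["LOOPBACK", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eth0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "192.0.2.10", "prefixlen": 24}]},
    {"ifname": "eth1", "flags": ["BROADCAST", "MULTICAST", "PROMISC", "UP", "LOWER_UP"],
     "addr_info": []},
])
SAMPLE_IP_FORWARD = "0\n"  # constructed contents of /proc/sys/net/ipv4/ip_forward


def audit_sensor(ip_addr_json, ip_forward, monitor_if):
    """Return a list of findings; an empty list means the layout is as intended."""
    findings = []
    links = {link["ifname"]: link for link in json.loads(ip_addr_json)}
    mon = links.get(monitor_if)
    if mon is None:
        return [f"{monitor_if}: interface not present"]
    # Any address (including the fe80:: link-local the kernel adds unless IPv6
    # is disabled on the interface) makes the sensor addressable on the outside.
    for a in mon.get("addr_info", []):
        if a.get("family") in ("inet", "inet6"):
            findings.append(f"{monitor_if}: address {a['local']}/{a['prefixlen']} bound")
    if "PROMISC" not in mon.get("flags", []):
        findings.append(f"{monitor_if}: not in promiscuous mode, IDS will miss traffic")
    if "UP" not in mon.get("flags", []):
        findings.append(f"{monitor_if}: link is down")
    # With forwarding on, the dual-homed sensor becomes a route around the firewall.
    if ip_forward.strip() != "0":
        findings.append("ip_forward enabled: host can route between segments")
    return findings


if __name__ == "__main__":
    for finding in audit_sensor(SAMPLE_IP_ADDR_JSON, SAMPLE_IP_FORWARD, "eth1") or ["ok"]:
        print(finding)
```

On a live sensor the two inputs would come from `ip -j addr show` and `/proc/sys/net/ipv4/ip_forward`; a disciplined deployment also checks the same conditions for IPv6 forwarding.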
