[Snort-users] Centralized DB Server??

Chapman, Justin T JtChapma at ...2279...
Thu Jun 14 11:25:11 EDT 2001


My department has recently been brainstorming this same issue & we came up
with what I think is an interesting solution.  Our topology is pretty
simple, we have a perimeter network and a "trusted" DMZ.  We, too didn't
like the idea of having MySQL traffic passing through the perimeter network.
So, our idea was to have a dual-homed machine with one leg outside and one
leg inside... with one catch.  The cable on the external interface (the one
that snort is listening on) has the transmit pairs cut.  It's physically
impossible for that interface to transmit any data.  It can listen all day
long, it just won't respond to *anything*.  This makes the computer
completely invisible to the outside world and all attempts to map it, ping
it or otherwise communicate with it fail.  We're still able to log to our
MySQL database on the inside via the DMZ connection, too.  


--Justin

> -----Original Message-----
> From: Marc Thompson [mailto:Marc.Thompson at ...2101...]
> Sent: Tuesday, June 12, 2001 5:58 PM
> To: 'Andreas Lindenblatt'; 'Kris Quinby'
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Centralized DB Server??
> 
> 
> Andreas,
> 
> >But I would feel uhm... uncomforatable with an open MySQL-Port to a
> >machine sitting inside our network and collecting lots of 'foreign',
> >unchecked and unencrypted sensor data.
> 
> What about an IDS box that has two network interfaces:  One non-IP 
> Ethernet adapter on the DMZ and one IP-assigned Ethernet Adapter
> on the local net.  
> 
> I forgot to mention that I am assuming that I am *not* transferring 
> alerts across the Internet.  The sites have redundant VPN 
> connectivity,
> to the sites are also connected via leased-lines on a private net.
> 
> Does this mitigate the risk or am I misunderstanding your point?
> 
> Thanks,
> Marc
> 
> *******************************************
> Marc Thompson
> IT Site Manager
> BOPS, Inc.
> 7800 Shoal Creek Blvd. Suite 200N
> Austin, TX 78757
> 
> 
> -----Original Message-----
> From: Andreas Lindenblatt [mailto:azrael at ...70...]
> Sent: Tuesday, June 12, 2001 6:20 PM
> To: Marc Thompson; 'Kris Quinby'
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Centralized DB Server??
> 
> 
> Hi Marc,
> 
> > geographical locations.  I've been brainstorming this a 
> bit, and it seems
> > that I should be able to easily ignore alerts that are 
> being generated by
> > traffic to the MySQL TCP port.  Does this sound like the answer?
> It surely is an answer to your initial question :).
> 
> But I would feel uhm... uncomforatable with an open MySQL-Port to a
> machine sitting inside our network and collecting lots of 'foreign',
> unchecked and unencrypted sensor data.
> 
> Even if it means we don't get 'real-time' data, we fell back 
> to packing
> and scrambling logs at the snort-boxes and fetching them with scp. 
> 
> Hmmm... what happened to SnortNet? It looked good with snort 1.6 :)
> 
> -- 
> ----
> BYE Andreas
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 




More information about the Snort-users mailing list