[Snort-users] firewalling snort machine

Erek Adams erek at ...577...
Thu Feb 21 12:56:04 EST 2002


On Thu, 21 Feb 2002, Basil Saragoza wrote:

> I have a snort machine exposed to the internet (connected to our internet
> switch, it monitors traffic coing to the firewall public nic). Is it safe to
> install firewall on snort machine and disable ALL incoming traffic to snort
> machin from the internet? Will it affect snort functionality? (My guess
> would be it won't cause snort sniffs packets fro the switch and it is not
> dependent on internet connectivity, but I just want to make sure that mu
> guess is correct) thx.

As others have said, use 2 nics.  The other emails are pretty clear on how/why
to do that, so I won't rehash that.

BUT--Just to be overly paranoid, use a R/O cable on the connection that
doesn't have an IP.  Just because there isn't a way to exploit it that is
currently known, does _not_ mean there isn't one.  Consider this:  Standard
OSI model has 7 layers.  IP is Layer 3, physical is Layer 1.  If you stop them
at Layer 1, there's even less risk than ever.

But--Some switches and hubs don't do so well with R/O cables.  One method that
seems to work fairly well is this one:

http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm

YMMV!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list