[Snort-users] firewalling snort machine
snortlst at ...125...
Fri Feb 22 10:22:16 EST 2002
Well, I already started with 2 NICs... just one more question - If I don't use
R/O cable, then connections can't be established to IP-less NIC anyway and
I'm secure, right?
(Isn't it a bit too paranoid to use R/O cable?)
----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Salisko, Rick" <SaliskoR at ...1594...>
Cc: "'McCammon, Keith'" <Keith.McCammon at ...3497...>; "Basil Saragoza"
<snortlst at ...125...>; <snort-users at lists.sourceforge.net>
Sent: Friday, February 22, 2002 1:07 PM
Subject: RE: [Snort-users] firewalling snort machine
> On Fri, 22 Feb 2002, Salisko, Rick wrote:
> > I have tried to get around a similar problem in the past by setting the
> > default gateway of the sensor to the firewall external interface, which,
> > course, is set to deny all such packets. Each time a packet (scan or
> > otherwise) is directed to the sensor ip address, any response it sends
> > sent to the firewall, which reports it as a packet forwarding attack.
> > Other than opening the sensor to a DOS type attack, can anybody see any
> > other blatant holes in this technique ?
> *puts on his Devil's Advocate hat*
> Ok.... Lessee...
> * Depends on how your firewall responds. RST or Drop?
> * If your firewall is ever 0wned, then so is your sensor. But at that
> who cares--You're hosed.
> * Extra load on firewall. Using a R/O cable and 2 nics, you don't have
> worry about even firewalling the box.
> * Single point of failure. If the firewall goes, so does your sensor.
> that could also be a moot point.
> * You only see what the firewall passes. You don't see what's hitting
> DMZ/Outside. And if you think your users can't get around your
> * Do you trust your firewall admins? (Many companies they aren't the
> the IDS folks.)
> Again, those the reasons that I would be paranoid about it. But then
> YOU are out to get me aren't you? ;-)
> Erek Adams
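As an added example (not code from this thread, from Erek, or from the Snort project): the "2 NICs, IP-less sniffing interface" setup discussed above, written as a POSIX shell script for a Linux sensor. It brings the sniffing NIC up with no address and ARP disabled, so there is nothing for a remote host to connect to, and then verifies that state by parsing the output of the `ip` tool before starting Snort on that interface only. The interface name eth1, the config path /etc/snort/snort.conf, and the sample `ip` output lines used by the self-check are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: stealth (IP-less, non-ARPing) sniffing
# interface for a two-NIC Snort sensor. eth1 and the snort.conf path are
# assumptions. DRY_RUN=1 (default) only prints the privileged commands.

SNIFF_IF="${SNIFF_IF:-eth1}"
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 and run as root to actually apply

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Stealth mode: flush any address, turn off IPv6 autoconf (no link-local
# address either), disable ARP, enable promiscuous mode, bring it up.
stealth_up() {
    iface="$1"
    run ip addr flush dev "$iface"
    run sysctl -w "net.ipv6.conf.$iface.disable_ipv6=1"
    run ip link set dev "$iface" arp off promisc on up
}

# The `ip -o link show dev X` line must carry both NOARP and PROMISC flags.
check_link_flags() {
    printf '%s\n' "$1" | grep -q 'NOARP'   || return 1
    printf '%s\n' "$1" | grep -q 'PROMISC' || return 1
    return 0
}

# The `ip -o addr show dev X` output must contain no inet/inet6 entries.
check_no_addresses() {
    if printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]'; then
        return 1
    fi
    return 0
}

# Verdict: 0 only when the interface is IP-less and does not answer ARP.
iface_is_stealth() {
    check_link_flags "$1" && check_no_addresses "$2"
}

# Snort bound to the stealth interface only; -D daemonizes.
start_snort() {
    run snort -i "$SNIFF_IF" -c /etc/snort/snort.conf -D
}

# Self-check against constructed `ip` output (not captured from a real box).
self_check() {
    ok_link='3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
    bad_link='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff'
    has_addr='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'
    iface_is_stealth "$ok_link" ""          || return 1   # stealth: pass
    iface_is_stealth "$bad_link" ""         && return 1   # ARP on: reject
    iface_is_stealth "$ok_link" "$has_addr" && return 1   # has IP: reject
    return 0
}

if [ "${1:-}" = "apply" ]; then
    stealth_up "$SNIFF_IF"
    link_line=$(ip -o link show dev "$SNIFF_IF")
    addr_lines=$(ip -o addr show dev "$SNIFF_IF")
    if iface_is_stealth "$link_line" "$addr_lines"; then
        echo "$SNIFF_IF is in stealth mode, starting snort"
        start_snort
    else
        echo "$SNIFF_IF still has an address or ARP enabled, not starting" >&2
        exit 1
    fi
fi
```

Run `sh stealth.sh apply` as root with DRY_RUN=0 to apply; without DRY_RUN=0 it only prints the commands it would run. The management NIC (eth0 in the sample output) keeps its address and is where host firewalling belongs; the sniffing NIC has nothing to firewall because it has no address and does not answer ARP. This is a software control, though: the interface can still transmit if something on the box asks it to, which is the difference between this configuration and the receive-only cable Erek mentions, which removes the transmit path physically.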