[Snort-users] firewalling snort machine

Basil Saragoza snortlst at ...125...
Fri Feb 22 10:22:16 EST 2002


Well, I'lready started with 2 NICs...just one more question - If I don't use
R/O cable, then connections can't be established to ip-less nic anywayand
I'm secure, right?
(Isnt't it a bit too paranoid to use R/Ocable?)
----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Salisko, Rick" <SaliskoR at ...1594...>
Cc: "'McCammon, Keith'" <Keith.McCammon at ...3497...>; "Basil Saragoza"
<snortlst at ...125...>; <snort-users at lists.sourceforge.net>
Sent: Friday, February 22, 2002 1:07 PM
Subject: RE: [Snort-users] firewalling snort machine


> On Fri, 22 Feb 2002, Salisko, Rick wrote:
>
> > I have tried to get around a similar problem in the past by setting the
> > default gateway of the sensor to the firewall external interface, which,
of
> > course, is set to deny all such packets. Each time a packet (scan or
> > otherwise) is directed to the sensor ip address, any response it sends
is
> > sent to the firewall, which reports it as a packet forwarding attack.
> >
> > Other than opening the sensor to a DOS type attack, can anybody see any
> > other blatant holes in this technique ?
>
> *puts on his Devil's Advocate hat*
>
> Ok....  Lessee...
>
> *  Depends on how your firewall responds.  RST or Drop?
> *  If your firewall is ever 0wned, then so is your sensor.  But at that
point,
> who cares--You're hosed.
> *  Extra load on firewall.  Using a R/O cable and 2 nics, you don't have
to
> worry about even firewalling the box.
> *  Single point of failure.  If the firewall goes, so does your sensor.
But
> that could also be a moot point.
> *  You only see what the firewall passes.  You don't see what's hitting
the
> DMZ/Outside.  And if you think your users can't get around your
firewall....
> *  Do you trust your firewall admins?  (Many companies they aren't the
same as
> the IDS folks.)
>
> Again, those the reasons that I would be paranoid about it.  But then
again,
> YOU are out to get me aren't you?  ;-)
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
>




More information about the Snort-users mailing list