[Snort-users] firewalling snort machine

Erek Adams erek at ...577...
Fri Feb 22 10:41:04 EST 2002

On Fri, 22 Feb 2002, Basil Saragoza wrote:

> Well, I already started with 2 NICs...just one more question - If I don't use
> R/O cable, then connections can't be established to ip-less nic anyway and
> I'm secure, right?
> (Isn't it a bit too paranoid to use R/O cable?)

Paranoia is just that.  Taking things to the extreme "just in case."  For me,
the R/O cable is a 'normal' or 'standard'.  The following snippet gives most
of my reasons:

> BUT--Just to be overly paranoid, use a R/O cable on the connection that
> doesn't have an IP.  Just because there isn't a way to exploit it that is
> currently known, does _not_ mean there isn't one.  Consider this:  Standard
> OSI model has 7 layers.  IP is Layer 3, physical is Layer 1.  If you stop
> them at Layer 1, there's even less risk than ever.

Once you start to play with ARP spoofing and MITM attacks, you realize how
INSECURE the lower OSI layers are.  At layer 2 there is almost no way to
verify who sent what.  ARP is at layer 2....  I could ARP your snort box if I
was on the same wire.  Then I would know something is there with an IPless
interface.  Then I could start an ARP spoof against it once I was able to
obtain its MAC.  Now, I get all packets that it's supposed to get/see, and
then I could pass them onto it as I see fit.

But no one would ever do something that evil now would they?  ;-)  Hey, when
you lived less than a mile from the NSA at Ft. Meade and then see "Enemy of
the State" you just become a _tiny_ bit more paranoid.  ;-)

If it's a management reason for not using the R/O cable, explain the cable
would cost about $10-$20 USD to make.  Then compare that to the value of
"Company Secrets".  I'd guess that the "Company Secrets" are worth a bit

Again, Use what _works_ for _you_!  These are my opinions, and nothing more.


Erek Adams
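
A software-side audit of the IP-less sniffing NIC discussed in this message, added here as an example and not part of the original post. It assumes a Linux sensor with iproute2; the interface name eth1, the MAC and the sample `ip` output are constructed, and disabling ARP (`ip link set dev eth1 arp off`) is an assumption of this example, not something the thread prescribes.

```shell
#!/bin/sh
# Audit a sniffing interface: it should carry no IPv4/IPv6 address and have
# ARP disabled (NOARP flag), so the host itself never answers on that wire.
# Arguments: text of `ip -o link show dev IF` and `ip -o addr show dev IF`.

audit_sniff_if() {
    link_out=$1
    addr_out=$2
    findings=""

    # Interface flags are the comma-separated list between < and >.
    flags=$(printf '%s\n' "$link_out" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p' | head -n 1)
    case ",$flags," in
        *,NOARP,*) ;;
        *) findings="${findings}arp-enabled " ;;
    esac

    # Any inet/inet6 entry makes the interface addressable. An "IP-less"
    # NIC often still holds an autoconfigured fe80:: link-local address.
    if printf '%s\n' "$addr_out" | grep -q ' inet '; then
        findings="${findings}has-ipv4 "
    fi
    if printf '%s\n' "$addr_out" | grep -q ' inet6 '; then
        findings="${findings}has-ipv6 "
    fi

    if [ -z "$findings" ]; then
        echo "ok"
    else
        echo "${findings% }"
        return 1
    fi
}

# Constructed samples: a NIC brought up with no IPv4 address but defaults
# otherwise, and the same NIC after ARP is turned off and IPv6 is disabled.
SAMPLE_LINK_DEFAULT='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 08:00:27:4e:66:a1 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR_DEFAULT='3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever'
SAMPLE_LINK_HARDENED='3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 08:00:27:4e:66:a1 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR_HARDENED=''

# Live use: pass the interface name as the first argument.
if [ -n "${1:-}" ]; then
    audit_sniff_if "$(ip -o link show dev "$1")" "$(ip -o addr show dev "$1")"
fi
```

This checks only what the sensor's own stack is configured to do; it does not replace the layer 1 protection of a receive-only cable.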

