[Snort-users] firewalling snort machine
SaliskoR at ...1594...
Mon Feb 25 05:24:04 EST 2002
From: Erek Adams [mailto:erek at ...577...]
Sent: Friday, February 22, 2002 1:08 PM
To: Salisko, Rick
Cc: 'McCammon, Keith'; Basil Saragoza; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] firewalling snort machine
On Fri, 22 Feb 2002, Salisko, Rick wrote:
> I have tried to get around a similar problem in the past by setting the
> default gateway of the sensor to the firewall external interface, which, of
> course, is set to deny all such packets. Each time a packet (scan or
> otherwise) is directed to the sensor ip address, any response it sends is
> sent to the firewall, which reports it as a packet forwarding attack.
> Other than opening the sensor to a DOS type attack, can anybody see any
> other blatant holes in this technique?
*puts on his Devil's Advocate hat*
* Depends on how your firewall responds. RST or Drop?
* If your firewall is ever 0wned, then so is your sensor. But at that point,
who cares--You're hosed.
The sensor is disposable... (no other links, so no other connections to exploit, half an hour to rebuild)
* Extra load on firewall. Using a R/O cable and 2 nics, you don't have to
worry about even firewalling the box.
I get more traffic from Code Red than I get from this configuration
* Single point of failure. If the firewall goes, so does your sensor. But
that could also be a moot point.
no, the sensor is still active - I'm not sure I see the connection....
* You only see what the firewall passes. You don't see what's hitting the
DMZ/Outside. And if you think your users can't get around your firewall....
Actually, the sensor lets me see everything, because it's on the outside. I have separate sensors on DMZs....
* Do you trust your firewall admins? (Many companies they aren't the same as
the IDS folks.)
I also admin the firewalls............
All good points, but I think I've considered most possibilities.... (famous last words...)
Thanks for your response