mkettler at ...4108...
Tue Nov 26 14:19:02 EST 2002
At 03:11 PM 11/26/2002 -0600, Frank Knobbe wrote:
> > 2) since your firewall can be configured automatically, this
> > the authentication mechanism to snort is stored in your snort box. If I
> > penetrate your snort box I can now reconfigure your firewall any way I
> > to suit my needs. This effectively widens your security risks unless
> > positive the snort box cannot access the internet.
>A valid point. But it is addressed when IDS sensors are configured to
>operate in stealth mode, by using taps, ro-cables, IP-less interfaces.
Agreed, those tactics are both part of "unless you're positive the snort
box cannot access the internet".
Note that this also means the snort box needs to have NO interfaces which
access the internet, not just the sniffing one. Bear in mind things like
DNS query attacks against the resolver libraries and other client type attacks.
Since controlling the snort box effectively gives an attacker full control
of your firewall, absolute security paranoia is a must. That means both no
untrusted client connections as well as no untrusted server connections. No
automated download of packages, snort rules, etc. No connecting to
untrusted mailservers even to just deliver outbound mail, no connecting to
untrusted DNS servers, no connecting to web sites, etc.
You really don't want your snort box to be the weakest link, and if your
firewall is worth the money you spent on it, you can be sure that you'll
have to work hard to make your snort box as hard to break as the firewall.
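As an added example (not part of this thread or of Snort itself), a small audit script that applies the rule above to a sensor's socket table: it takes constructed `ss -tunaH`-style lines, assumes a constructed management address for the sensor, a single constructed console host as the only permitted peer, and ssh as the only permitted listener, and reports every other client or server connection.

```python
from dataclasses import dataclass

# Constructed values: the sensor's management address, the single console it may
# talk to, and the only service it is allowed to expose on that address (ssh).
SENSOR_MGMT_IP = "10.0.0.5"
ALLOWED_PEERS = {"10.0.0.10"}
ALLOWED_LISTEN_PORTS = {"22"}
WELL_KNOWN = {"53": "DNS", "25": "SMTP", "80": "HTTP", "443": "HTTPS"}

# Constructed `ss -tunaH`-style lines: proto state recv-q send-q local remote
SAMPLE_SOCKETS = """\
tcp ESTAB  0 0 10.0.0.5:22     10.0.0.10:51234
tcp LISTEN 0 0 10.0.0.5:22     0.0.0.0:*
udp ESTAB  0 0 10.0.0.5:40117  8.8.8.8:53
tcp ESTAB  0 0 10.0.0.5:39810  198.51.100.7:25
tcp LISTEN 0 0 0.0.0.0:80      0.0.0.0:*
tcp LISTEN 0 0 10.0.0.5:514    0.0.0.0:*
"""

@dataclass
class Finding:
    socket: str
    reason: str

def split_addr(addr: str) -> tuple[str, str]:
    """Split 'host:port'; IPv6 hosts contain ':' so split on the last one."""
    host, _, port = addr.rpartition(":")
    return host, port

def audit_sockets(ss_output: str) -> list[Finding]:
    """Return every socket that violates the 'no untrusted connections' rule."""
    findings: list[Finding] = []
    for line in ss_output.splitlines():
        if not line.strip():
            continue
        proto, state, _rq, _sq, local, remote = line.split()[:6]
        lhost, lport = split_addr(local)
        rhost, rport = split_addr(remote)
        sock = f"{proto} {local} -> {remote}"
        if state in ("LISTEN", "UNCONN"):           # server-side socket
            if lhost in ("0.0.0.0", "::", "*"):
                findings.append(Finding(sock, "service bound to every interface, including the sniffing one"))
            elif lport not in ALLOWED_LISTEN_PORTS:
                findings.append(Finding(sock, f"unexpected server on port {lport}"))
        elif rhost not in ALLOWED_PEERS:             # client-side socket
            svc = WELL_KNOWN.get(rport, f"port {rport}")
            findings.append(Finding(sock, f"outbound {svc} connection to untrusted host {rhost}"))
    return findings

if __name__ == "__main__":
    for f in audit_sockets(SAMPLE_SOCKETS):
        print(f"{f.socket:45} {f.reason}")
```

On the constructed sample the only accepted sockets are the ssh listener on the management address and the console's ssh session to it; the resolver query, the outbound SMTP delivery, the web server bound to all interfaces and the extra syslog listener are all reported.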