[Snort-users] SHUN

Matt Kettler mkettler at ...4108...
Tue Nov 26 14:19:02 EST 2002

At 03:11 PM 11/26/2002 -0600, Frank Knobbe wrote:
> > 2) since your firewall can be configured automatically, this means
> > the authentication mechanism to snort is stored in your snort box. If I can
> > penetrate your snort box I can now reconfigure your firewall any way I want
> > to suit my needs. This effectively widens your security risks unless you're
> > positive the snort box cannot access the internet.
>A valid point. But it is addressed when IDS sensors are configured to
>operate in stealth mode, by using taps, ro-cables, IP-less interfaces.

Agreed, those tactics are both part of "unless you're positive the snort 
box cannot access the internet".

Note that this also means the snort box needs to have NO interfaces which 
access the internet, not just the sniffing one. Bear in mind things like 
DNS query attacks against the resolver libraries and other client type attacks.

Since controlling the snort box effectively gives an attacker full control 
of your firewall, absolute security paranoia is a must. That means both no 
untrusted client connections as well as no untrusted server connections. No 
automated download of packages, snort rules, etc. No connecting to 
untrusted mailservers even just to deliver outbound mail, no connecting to 
untrusted DNS servers, no connecting to web sites, etc.

You really don't want your snort box to be the weakest link, and if your 
firewall is worth the money you spent on it, you can be sure that you'll 
have to work hard to make your snort box as hard to break as the firewall 
itself is.
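As an added illustration of the posture argued for in this message (an IP-less sniffing interface plus a sensor that is never a client of anything), here is a lockdown script for a Linux sensor. It is example code written for this page, not part of the original thread or of Snort or any firewall-control add-on. The interface names eth0/eth1, the console address 192.0.2.10, and the iptables-restore ruleset are assumptions; the two check functions work on text so they can be exercised offline against constructed `ip -o addr` and ruleset output.

```shell
#!/bin/sh
# Added example, not from the thread: stealth posture for a Linux Snort box.
# SNIFF_IF, MGMT_IF and CONSOLE_HOST are assumed names/addresses.
SNIFF_IF="${SNIFF_IF:-eth1}"                 # tap/span side: never gets an IP
MGMT_IF="${MGMT_IF:-eth0}"                   # management side
CONSOLE_HOST="${CONSOLE_HOST:-192.0.2.10}"   # hypothetical admin workstation

# Make the sniffing interface "IP-less": strip any address, stop IPv6
# autoconfiguration (which would otherwise add a link-local address), turn
# ARP off so the box never answers on that wire, and bring it up promiscuous.
# Needs root; not invoked by the offline checks below.
stealth_iface() {
    iface="$1"
    ip addr flush dev "$iface"
    sysctl -q -w "net.ipv6.conf.$iface.disable_ipv6=1"
    ip link set dev "$iface" arp off promisc on up
}

# Offline check: given the text of `ip -o addr show dev IFACE`, succeed only
# if no inet/inet6 address is present. `ip -o` prints one line per address,
# so a truly IP-less interface produces no output at all.
has_no_address() {
    ! printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# Build an iptables-restore ruleset that turns the box into a pure sink:
# default DROP in every chain including OUTPUT, so the sensor cannot act as a
# DNS/HTTP/SMTP client; the sniffing interface is dropped in both directions;
# the management interface accepts only SSH from CONSOLE_HOST and returns the
# replies for that session. If the sensor must push rules to the firewall,
# that channel needs its own narrow OUTPUT rule (deliberately not added here).
egress_policy() {
    sniff="$1"; mgmt="$2"; console="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $sniff -j DROP
-A OUTPUT -o $sniff -j DROP
-A INPUT -i $mgmt -p tcp -s $console --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $mgmt -p tcp -d $console --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Offline check on a ruleset (iptables-save format): fail if any non-loopback
# OUTPUT rule could let the sensor open a connection of its own, i.e. an
# ACCEPT that is not tied to conntrack state or that admits NEW.
no_client_egress() {
    printf '%s\n' "$1" | awk '
        /^-A OUTPUT / && / -j ACCEPT$/ && !/ -o lo / {
            if ($0 !~ /--ctstate/ || $0 ~ /NEW/) bad++
        }
        END { if (bad) exit 1; exit 0 }'
}

# Apply for real only when asked explicitly:  sh sensor-lockdown.sh apply
if [ "${1:-}" = "apply" ]; then
    stealth_iface "$SNIFF_IF"
    egress_policy "$SNIFF_IF" "$MGMT_IF" "$CONSOLE_HOST" | iptables-restore
fi
```

The OUTPUT chain is the part people forget: an INPUT-only policy still leaves the resolver, package updater and mail client free to reach untrusted servers, which is exactly the client-side exposure the message warns about. Run `no_client_egress "$(iptables-save)"` after any rule change to catch a convenience rule that quietly reopens that path.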
