[Snort-users] Still Help Needed: i want to make a firewall

Michael Steele michaels at ...155...
Wed Apr 16 20:20:24 EDT 2003


Snort is an IDS (Intrusion Detection System), not an IPS (Intrusion
Prevention System). It's hard to make some people understand that.

As far as a firewall; there are a bunch of choices out there.

1. Configure an Open BSD box...
2. Hardware firewall (Cisco, etc...)
3. If they are running Windows XP, XP has a built in Firewall, and IPSec.
4. ISA Server
5. Zone Alarm
6. Black Ice

I'm sure there are a lot more options. It just all depends on how much money
they want to spend.

On NT4 Server/2000/XP/2003 Server they can run the IDS in promiscuous mode,
and stick it anywhere as long as they are accessing the console from
localhost; the IDS is completely transparent. This can also be done on any
*nix IDS. If they need remote access to the Windows desktop, install another
NIC, install an SSH server, and then use port forwarding to the remote
desktop, or to Terminal Services. As far as I know it only requires one port
to be opened.


 Michael Steele | System Engineer / Support Technician
 mailto:michaels at ...155...
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt Kettler
Sent: Wednesday, April 16, 2003 6:33 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Still Help Needed: i want to make a firewall

At 05:28 PM 4/16/2003 -0700, Michael Steele wrote:
>Bottom line is to use what you're comfortable with. Snort CAN be installed
>securely on either platform (Windows or *nix).

Agreed wholeheartedly. Although properly securing a windows box is just as
complex a problem as properly securing a unix server, it's not impossible.
The only degree to which it is worse is the absolutely horrid history of
exploits to IIS (not that Apache is any better).

I certainly would question the wisdom of running snort on a NT box that 
sits outside your firewall and runs IIS on the external interface. But I'd 
also question the wisdom of doing the same thing with a Linux box running 
Apache, bind, ssh, or sendmail on the external interface. Anyone doing 
either of these setups is just _asking_ to be exploited in the worst 
possible way.

Although all of this OS difference banter still doesn't address his
original problem, which was needing a firewall. Snort just isn't a
replacement for one, no matter what platform you run it on.
