[Snort-users] Snort and ipchains
mkettler at ...4108...
Tue Jan 7 10:06:56 EST 2003
I noticed this one went unanswered on the list.. so..
Snort is not intended to be a firewall, it is intended to be an intrusion
There are several tools, such as hogwash, snort-inline, and snortsam that
are intended to allow snort alerts to dynamically re-configure your
Personally, I'm a strong proponent of the "have a properly laid out
firewall and properly patched servers in the first place. Don't rely on
your IDS to try to secure your network, use it for forensics and to
recognize what areas of your network are being probed the most frequently
and thus need the closest attention" type approach. I also like to keep my
snort box heavily isolated from other systems so I can trust the data on
it, even if the firewall or servers in the DMZ are breached. But others
like the idea of extending snort to auto-configure their firewalls.
The major drawbacks I see to integrating snort into your firewall are:
-it may create a strong false sense of security, and encourage
not paying careful attention to firewall configuration.
-your firewall is now only as secure as your snort box, and many
are not capable of securing a general purpose unix system well enough to
make it secure enough to use as a firewall component. Judge your abilities
carefully here and be paranoid about locking it down.
At 12:23 PM 1/3/2003 -0800, "Kevin Brown" wrote:
>so for most security, do i run ipchains/tables and snort?
>I want bad packets to be stopped before they comein the front door,
>does snort do that?
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
More information about the Snort-users