[Snort-users] Snort and ipchains
mkettler at ...4108...
Wed Jan 8 08:36:07 EST 2003
At 03:17 PM 1/7/2003 -0600, you wrote:
>I, for one, am on the 'every little bit helps' list. Any device may
>fail/be exploited/be misconfigured. Its all about layers. If I'm going
>to have snort alert, why not have it interfere also? Obviously I plan on
>thinking worst case and configure all devices accordingly (so they might
>last ten seconds if there were no firewall at all), but for the price why
>not try and leverage snort also?
Actually, your reasoning is exactly why I oppose letting snort modify the
firewall... "any device may fail/be exploited/be misconfigured" includes my
snort box. I favor isolating the failure of the two systems (the snort box
and the firewall box) so that a failure or exploit of one does not imply
failure of both. auto-configuring a firewall from a snort box means that
should the snort box be exploited, it's game-over for your firewall, since
the snort box has the power to reconfigure the firewall and the attacker
can now just re-do it as a "wide-open".
It's all about layers... isolated layers that fail independently and not in
giant cascades, but that's really a matter of different security philosophies.
There's also an argument that "if you know about an attack and can detect
it, you should already be immune" but I tend not to favor that argument
against auto-firewall-snort setups. Let's face it, most attackers tend to
use a variety of attacks and may start off with some common old attacks
before trying fancy stuff. Blocking them off as soon as they try anything
is worthwhile in protecting you against the "fancy stuff".
I guess the "best" case is to have a fixed-config firewall out front, with
an inline-snort box behind it doing dynamic blocking on a second firewall.
This way the firewall on the snort box is only an "extra" layer that is not
a single-point-of-failure for your networks firewall. I can definitely see
the "every bit helps" argument if you have the resources to set up a
I'd certainly make sure there's some very careful consideration of what
happens to your network if the snort box is hacked, and make sure it
remains secure even if that box is exploited. I prefer to be able to prove
that hacking it is impossible or worthless (ie: if the snort box cannot
send data to any network because it's only connected by a one-way-tap,
exploiting it is most likely impossible, the best you could likely do is a
DoS of some form that only affects the snort box.)
More information about the Snort-users