[Snort-users] Snort with three interfaces attached to different network segments

Craig Paterson craigp at ...9278...
Wed Jun 18 13:42:14 EDT 2003


On Wed, 2003-06-18 at 11:02, artiman at ...9501... wrote:

> Hi Folks, I have the following question. I just have one machine to 
> monitor the activity on three different network segments (Red Hat 9), so 
> I plan to install 3 NICs on the Snort machine, set up the interfaces 
> in promiscuous mode without IP information and start to listen on each 
> segment. I'm kind of worried about the security implications because I'm 
> creating a physical path between the Internet, DMZ and MZ zones, so 
> in theory there is a small probability of bypassing the firewall using 
> the Snort machine.
> Can somebody explain what the risk is that I'm facing using this 
> architecture, how can I make sure 100% that Linux will not route 
> packets between different segments, and in which ways a hacker can exploit 
> my network?

If you create a path between networks that depends for security on the
IDS machine not being subverted then yes, there are implications. One
way of minimizing the risk is to use taps on the connections on the
Internet and DMZ sensors, so (physically) nothing can be transmitted.
Also, set up your firewall so the Snort sensor on your LAN isn't allowed
to send or receive traffic to the Internet, so even if it is compromised
through a "sensor" attack (i.e. Snort being cracked open by scanning
some specially-formed packet) it can't open a connection back to the
attacker or provide the attacker an entry point to your network.

Craig.
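The host-side half of what Craig describes, as an added example that is not from the original thread: the kernel is told never to forward between the NICs, the two monitor NICs come up promiscuous with no IP address and no ARP so the stack never answers on them, and the sensor's own iptables policy accepts SSH only from the admin LAN and lets out nothing but syslog alerts to one log host, so a cracked sensor has no path to call home. It complements (does not replace) the perimeter firewall rule Craig mentions and the taps on the Internet and DMZ legs. Interface names (eth0 management, eth1/eth2 sniffing), the management network, the log host and the overridable `SYSCTL_DIR` path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): lock down a multi-homed Snort
# sensor so the kernel cannot route between its NICs and the host firewall only
# talks to the management LAN. Names and addresses below are assumptions.

MGMT_IF="${MGMT_IF:-eth0}"                      # assumed: NIC with an IP, on the internal LAN
SNIFF_IFS="${SNIFF_IFS:-eth1 eth2}"             # assumed: IP-less monitor NICs (Internet, DMZ)
MGMT_NET="${MGMT_NET:-192.168.10.0/24}"         # assumed: only hosts allowed to reach the sensor
LOG_HOST="${LOG_HOST:-192.168.10.5}"            # assumed: syslog host Snort may send alerts to
SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/net/ipv4}"  # overridable so the checks can be run offline

# Kernel side: forwarding off globally and per interface, ICMP redirects off,
# so even a mis-typed firewall rule cannot turn the sensor into a router.
disable_forwarding() {
    echo 0 > "$SYSCTL_DIR/ip_forward"
    for f in "$SYSCTL_DIR"/conf/*/forwarding "$SYSCTL_DIR"/conf/*/send_redirects; do
        [ -e "$f" ] || continue
        echo 0 > "$f"
    done
}

# Returns 0 only if every forwarding knob reads 0; run it from cron as a tripwire.
verify_isolation() {
    [ "$(cat "$SYSCTL_DIR/ip_forward")" = "0" ] || return 1
    for f in "$SYSCTL_DIR"/conf/*/forwarding; do
        [ -e "$f" ] || continue
        [ "$(cat "$f")" = "0" ] || return 1
    done
    return 0
}

# Monitor NICs: up, promiscuous, no IP and no ARP, so the stack never speaks on them.
bring_up_sniffers() {
    for i in $SNIFF_IFS; do
        ifconfig "$i" 0.0.0.0 -arp promisc up
    done
}

# Host firewall as a list of iptables commands, printed rather than executed so
# the ruleset can be reviewed first; pipe it to sh to apply.
sensor_firewall_rules() {
    echo "iptables -F; iptables -X"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Belt and braces: nothing is ever accepted from, or sent out of, a sniffing NIC.
    for i in $SNIFF_IFS; do
        echo "iptables -A INPUT -i $i -j DROP"
        echo "iptables -A OUTPUT -o $i -j DROP"
    done
    # Management: SSH in from the admin LAN only, with replies back out.
    echo "iptables -A INPUT -i $MGMT_IF -s $MGMT_NET -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -o $MGMT_IF -d $MGMT_NET -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT"
    # Alerts: syslog (UDP 514) to the log host only. No other outbound rule exists,
    # so a compromised sensor has no way to open a connection back to an attacker.
    echo "iptables -A OUTPUT -o $MGMT_IF -d $LOG_HOST -p udp --dport 514 -j ACCEPT"
}

apply_all() {
    disable_forwarding
    bring_up_sniffers
    sensor_firewall_rules | sh
    if verify_isolation; then
        echo "sensor isolated: forwarding disabled"
    else
        echo "WARNING: forwarding still enabled" >&2
        return 1
    fi
}

# Run as root with "apply" to enforce; without arguments only the functions are defined.
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Run `sh sensor-lockdown.sh apply` as root after the NICs are cabled, and review `sensor_firewall_rules` output before piping it to sh. The sniffing NICs need no firewall rules to be silent (they have no address, so the stack has nothing to answer with), but the explicit DROP lines cost nothing and survive someone later giving one of them an IP by mistake; `verify_isolation` is the check to schedule so that drift is noticed.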
