[Snort-users] snort-inline vs. firewall
mkettler at ...7367...
Thu Sep 11 12:53:33 EDT 2003
At 12:41 PM 9/11/2003 +0100, Always Bishan wrote:
>Now we have an IPTables firewall, would it be better to
>replace the IPTables firewall with the IPS, since it is
>intelligent and would keep my network more secure?
>Where all can I use IPS or snort-inline?
Really an IPS isn't a firewall replacement IMO, it's a supplement. The two
serve a common goal, but an IPS is not a "super firewall". An IPS is
inherently more prone to attack than a firewall due to its complexity.
Don't jump to the simple conclusion you can replace a firewall with an IPS
and be more secure; that's simply not true.
You always want firewalling that is as reliable as possible (near 100%) for
things you already know upfront you don't want in your network. This is
what a firewall does, and it does so very effectively, with very little
overhead, and very little risk of weakness if it's been properly designed.
Personally I also adhere to the belief that your front-end firewall should
be as secure as possible, and not subject to running processes which might
be exploited due to bugs (i.e. the stream4 bug). No web or email servers, no
caching DNS servers for the inside network, no nothing, just a dedicated
firewall with maybe a copy of SSH that is listening only on the inside
interface. Based on that belief, I personally would never consider running
snort on a front-end firewall, much less trying to use an IPS as one.
Anyone running snort 1.9.1 as the root user with stream4 enabled on their
front-end firewall when the stream4 bug was released for all intents and
purposes had no firewall at all. An intelligent attacker could have
exploited the overflow in snort, gained full root access to the firewall
box, modified the firewall to allow their traffic to pass to the inside
network and then proceeded to attack the inside network without hindrance
from the firewall.
Now admittedly a lot of this all depends on the level of attacker you are
defending against. Certainly the above scenario would not happen with a
script kiddie or worm because there are no working exploits floating around
in the wild. And on a home network script kiddies and worms are your only
concern. However, if your site were something like a sensitive DoD network
at the Pentagon, an attacker would have already been in long before the
vulnerability was announced with this kind of weakness (which is why any
high-profile target would not likely ever be configured that way in the
first place). A corporate site would be somewhere in the middle, possibly
attracting some attention from some of the better hackers that are just out
to joy ride, but also at some degree of risk of a competitor hiring a
professional hacker for industrial espionage, depending on how competitive
their market is.
Personally I like a layered approach. I think one of the best
configurations is to use a front-end high-security firewall, followed by a
completely independent IPS. The firewall drops a lot of garbage traffic,
saving resources and overhead on the IPS, and also continues to offer its
protection even if the IPS is attacked. The firewall also reduces the
possibility of a successful attack against the IPS. The IPS in turn expands
on the level of protection offered by the firewall, expanding it to include
application-layer string search and detection of nontrivial attacks, which
can in turn be blocked.
>Any issues with it like speed, resources, maintenance?
Certainly there are some speed and resource issues on an IPS, and that's
one of the reasons I gave above for liking a 2-stage approach.
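The two-stage layout the post argues for, written out as an added example (this is not code from the original post or from the Snort project): a dedicated front-end firewall that runs no service reachable from outside (SSH only on the inside interface, default-deny in every chain, known garbage dropped before it reaches the IPS), and a separate snort-inline box behind it that receives forwarded packets through the iptables QUEUE target. Interface names, the inside subnet and the exposed web server address are assumed placeholders; the rulesets are emitted in iptables-restore format so they can be inspected, and checked with the two helper functions, before anything is loaded.

```shell
#!/bin/sh
# Added example, not part of the original post. Emits iptables-restore rulesets
# for the two-stage layout: a front-end firewall with nothing listening on the
# outside interface, and a separate snort-inline (IPS) box behind it.
# Interface names, subnet and server address below are assumed placeholders.
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"            # assumed: external interface
INSIDE_IF="${INSIDE_IF:-eth1}"              # assumed: internal interface
INSIDE_NET="${INSIDE_NET:-192.168.1.0/24}"  # constructed sample value
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"    # constructed: the one inside host reachable on port 80

# Front-end firewall: default-deny in every chain; the only service the box
# itself answers is SSH, and only on the inside interface.
frontend_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Management: SSH to the firewall only from the inside network
-A INPUT -i $INSIDE_IF -s $INSIDE_NET -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $INSIDE_IF -d $INSIDE_NET -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Nothing on the firewall accepts a new connection arriving on the outside interface
-A INPUT -i $OUTSIDE_IF -m state --state NEW -j DROP
# Forwarded traffic: drop the obvious garbage here so the IPS never spends cycles on it
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $OUTSIDE_IF -s $INSIDE_NET -j DROP
-A FORWARD -i $OUTSIDE_IF -s 127.0.0.0/8 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only traffic you already know you want is forwarded toward the IPS and the inside
-A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $INSIDE_NET -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# IPS box (a separate host with its own two interfaces): same default-deny and
# SSH policy, and every forwarded packet is handed to ip_queue, where snort-inline
# decides whether it is accepted or dropped. If no snort-inline process is reading
# the queue, queued packets are dropped, so the IPS fails closed.
ips_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $INSIDE_IF -s $INSIDE_NET -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $INSIDE_IF -d $INSIDE_NET -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -j QUEUE
COMMIT
EOF
}

# Helpers for checking a ruleset read on stdin before it is loaded.
# chain_policy CHAIN -> prints the chain's default policy (e.g. DROP)
chain_policy() {
    sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}
# accepts_new_on IFACE -> exit 0 if some INPUT rule ACCEPTs packets arriving on IFACE
accepts_new_on() {
    grep -q -- "^-A INPUT -i $1 .*-j ACCEPT"
}

# Usage: sh layered.sh            (print both rulesets for review)
#        sh layered.sh apply-fw   (load the front-end ruleset with iptables-restore)
#        sh layered.sh apply-ips  (load the IPS ruleset)
case "${1:-}" in
    apply-fw)  frontend_ruleset | iptables-restore ;;
    apply-ips) ips_ruleset | iptables-restore ;;
    *)         frontend_ruleset; echo; ips_ruleset ;;
esac
```

The `-j QUEUE` rule on the IPS box is the classic ip_queue hand-off that snort-inline was built around; on the firewall box there is deliberately no QUEUE rule and no snort at all, which is the point of the post. The same reasoning applies to the process on the IPS box: snort's `-u` and `-g` options drop it to an unprivileged user and group after startup, so a bug like the stream4 overflow does not hand an attacker root on even the second layer.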