[Snort-users] snort-inline vs. firewall

Matt Kettler mkettler at ...7367...
Thu Sep 11 12:53:33 EDT 2003

At 12:41 PM 9/11/2003 +0100, Always Bishan wrote:
>Now we have an IPTables firewall, would it be better to
>replace the IPTables firewall with the IPS, since it is
>intelligent and would keep my network more secure?
>Where all can I use IPS or snort-inline?

Really an IPS isn't a firewall replacement IMO, it's a supplement. The two 
serve a common goal, but an IPS is not a "super firewall". An IPS is 
inherently more prone to attack than a firewall due to its complexity. 
Don't jump to the simple conclusion you can replace a firewall with an IPS 
and be more secure; that's simply not true.

You always want firewalling that is as reliable as possible (near 100%) for 
things you already know upfront you don't want in your network. This is 
what a firewall does, and it does so very effectively, with very little 
overhead, and very little risk of weakness if it's been properly designed 
and checked.

Personally I also adhere to the belief that your front-end firewall should 
be as secure as possible, and not subject to running processes which might 
be exploited due to bugs (i.e. the stream4 bug). No web or email servers, no 
caching DNS servers for the inside network, no nothing, just a dedicated 
firewall with maybe a copy of SSH that is listening only on the inside 
interface. Based on that belief, I personally would never consider running 
snort on a front-end firewall, much less trying to use an IPS as one.

Anyone running snort 1.9.1 as a root user with stream4 enabled on their 
front-end firewall when the stream4 bug was released for all intents and 
purposes had no firewall at all. An intelligent attacker could have 
exploited the overflow in snort, gained full root access to the firewall 
box, modified the firewall to allow their traffic to pass to the inside 
network and then proceeded to attack the inside network without hindrance 
from the firewall.

Now admittedly a lot of this all depends on the level of attacker you are 
defending against. Certainly the above scenario would not happen with a 
script kiddie or worm because there are no working exploits floating around 
in the wild. And on a home network script kiddies and worms are your only 
concern. However, if your site were something like a sensitive DoD network 
at the Pentagon, an attacker would have already been in long before the 
vulnerability was announced with this kind of weakness (which is why any 
high-profile target would not likely ever be configured that way in the 
first place). A corporate site would be somewhere in the middle, possibly 
attracting some attention from some of the better hackers that are just out 
to joy ride, but also at some degree of risk for a competitor hiring a 
professional hacker for industrial espionage, depending on how competitive 
their market is.

Personally I like a layered approach. I think one of the best 
configurations is to use a front-end high security firewall, followed by a 
completely independent IPS. The firewall drops a lot of garbage traffic, 
saving resources and overhead on the IPS, and also continues to offer its 
protection even if the IPS is attacked. The firewall also reduces the 
possibility of a successful attack against the IPS. The IPS in turn expands 
on the level of protection offered by the firewall, expanding it to include 
application layer string search and detection of nontrivial attacks, which 
can in turn be blocked.

>Any issues with it like speed, resources, maintenance?

Certainly there are some speed and resource issues on an IPS, and that's 
one of the reasons I gave above for liking a two-stage approach.
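A small audit script, added here as an illustration and not part of Matt Kettler's post, for the "dedicated firewall with SSH listening only on the inside interface" property described above. It parses an iptables-save style dump and flags INPUT ACCEPT rules that are reachable from outside, alongside a default-policy check; the interface names and both rulesets are constructed assumptions, not configurations from the list.

```python
"""Audit an iptables-save dump for the dedicated-firewall properties:
default-DROP on INPUT/FORWARD, and no INPUT ACCEPT rule that is not
either stateful-reply-only or bound to the inside interface."""

INSIDE_IF = "eth1"  # assumed inside interface name (constructed)

# Constructed weak ruleset: SSH is accepted on every interface.
WEAK = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed hardened form: SSH bound to the inside interface only.
HARDENED = WEAK.replace("-A INPUT -p tcp --dport 22",
                        "-A INPUT -i eth1 -p tcp --dport 22")

def parse(dump):
    """Return ({chain: policy}, [rule dicts]) from iptables-save text."""
    policies, rules = {}, []
    for line in dump.splitlines():
        if line.startswith(":"):                  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):              # "-A CHAIN <matches> -j TARGET"
            toks = line.split()
            rule = {"chain": toks[1], "raw": line}
            for flag in ("-i", "-j", "--dport", "--state"):
                if flag in toks:
                    rule[flag] = toks[toks.index(flag) + 1]
            rules.append(rule)
    return policies, rules

def audit(dump):
    """Return a list of human-readable findings; empty means clean."""
    findings = []
    policies, rules = parse(dump)
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    for r in rules:
        if r["chain"] != "INPUT" or r.get("-j") != "ACCEPT":
            continue
        states = set(r.get("--state", "").split(","))
        if states and states <= {"ESTABLISHED", "RELATED"}:
            continue                               # replies to outbound traffic only
        if r.get("-i") != INSIDE_IF:               # new connections, not inside-bound
            findings.append(f"INPUT ACCEPT reachable from outside: {r['raw']}")
    return findings
```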
