[Snort-users] IDS and Firewall

Shaffer, Paul D paul.d.shaffer at ...178...
Wed Apr 28 14:12:03 EDT 2004


Everyone responding to this thread seems to be preaching to the choir
with an amazing grasp of the obvious.  But nobody bothered to ask the
Kernel anything constituting a requirements definition - What is he
trying to do?  What is his environment?  What equipment does he have
available?

Have you considered the possibility that dyed-in-the-wool dogma purveyed
as gospel, may not be what he is looking for?  Maybe he wants some
advice or examples of how a multi-purpose security device might be
cobbled together and properly locked down with Linux?  Alot of vendors
are selling them these days...

v/r


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Matt
Kettler
Sent: Wednesday, April 28, 2004 9:06 AM
To: Kernel The Canine; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] IDS and Firewall


At 03:34 AM 4/28/2004, Kernel The Canine wrote:
>Hello
>
>I'm running shorewall.net as my firewall, on RedHat
>linux box version 9.0
>
>Is it recommended to run on it snort (on the same box)
>or should I run it on another computer

Several user's replied citing resource problems doing this. However,
nobody 
mentioned the obvious that every firewall admin should know.

SECURITY matters.

Never run any network applications on your firewall box. No mailservers,

webservers, dns servers, and not snort either.

Why? Because if someone exploits snort (ie: the old stream4
vulnerability), 
or any other program on your firewall box, they now have control of your

firewall machine. At that point, you have no firewall at all.

You really should treat a firewall box as a firewall-only system if you 
want it protect you in the event of an attack. Severs, IDS's, etc are
best 
placed on other boxes so that an exploit of one doesn't bring the entire

security of your network down as a hacker digs your firewall apart from
the 
inside out. 



-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.

Take an Oracle 10g class now, and we'll give you the exam FREE. 
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list