[Snort-users] Questions: Filtering ESP & Duplicate traffic
sethsec at ...11827...
Wed Mar 25 17:13:34 EDT 2009
> Only if your EXTERNAL_NET is set to any or you do not care about
> attacks from HOME_NET to HOME_NET. Best solution is separately
> configured detection.
I definitely agree that separately configured detection is best, but
am glad to have confirmation that this is not an egregious
misconfiguration that would somehow hamper detection capabilities.
> As far as filtering out things like ESP and VPN traffic, I see no reason to inspect it
> if it's encrypted. (That's what encryption is for right? To make stuff unreadable?)
> I welcome a discussion on that issue.
This is what I was thinking, although the pitfall that Jason Haar
mentions is exactly the one I was thinking of: the "what if" at
some point in the future an ESP-based vulnerability is identified. I
worry that even though the VRT team releases sigs, I am blind to the
attack until I yank those bpf filters out.
Again, like Jason, I think the benefits of filtering out ESP traffic
outweigh the risk, but it always helps to get community
confirmation/discussion on such things.