Snort mailing list archives

Re: SHUN

From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 26 Nov 2002 17:20:54 -0500



At 03:11 PM 11/26/2002 -0600, Frank Knobbe wrote:

> 2) since your firewall can be configured automatically, thismeans> the authentication mechanism to snort is stored in your snort box. If Ican> penetrate your snort box I can now reconfigure your firewall any way Iwant> to suit my needs. This effectively widens your security risks unlessyou're
> positive the snort box cannot access the internet.

A valid point. But it is addresses when IDS sensors are configured to
operate in stealth mode, by using taps, ro-cables, IP less interfaces.

Agreed, those tactics are both part of "unless you're positive the snortbox cannot access the internet".

Note that this also means the snort box needs to have NO interfaces whichaccess the internet, not just the sniffing one. Bear in mind things likeDNS query attacks against the resolver libraries and other client type attacks.

Since controlling the snort box effectively gives an attacker full controlof your firewall absolute security paranoia is a must. That means both nountrusted client connections as well as no untrusted server connections. Noautomated download of packages, snort rules, etc. No connecting tountrusted mailservers even to just deliver outbound mail, no connecting tountrusted DNS servers, no connecting to web sites, etc.

You really don't want your snort box to be the weakest link, and if yourfirewall is worth the money you spent on it, you can be sure that you'llhave to work hard to make your snort box as hard to break as the firewallitself is.






-------------------------------------------------------

This SF.net email is sponsored by: Get the new Palm Tungsten Thandheld. Power & Color in a compact size!http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Alerting and Reporting tools Scott, Joshua (Nov 25)
- Re: Alerting and Reporting tools Scott Nursten (Nov 26)
  - SHUN Mike Koponick (Nov 26)
    - Re: SHUN Alberto Gonzalez (Nov 26)
    - Re: SHUN Matt Kettler (Nov 26)
    - Re: SHUN Frank Knobbe (Nov 26)
    - Re: SHUN Matt Kettler (Nov 26)
    - Re: SHUN Frank Knobbe (Nov 26)
    - RE: SHUN Mike Koponick (Nov 26)
    - RE: SHUN ams67 (Dec 02)
    - RE: SHUN Frank Knobbe (Dec 02)
    - RE: SHUN ams67 (Dec 02)
    - Re: SHUN Alberto Gonzalez (Dec 02)
    - Re: SHUN Frank Knobbe (Dec 02)
    - Re: SHUN Alberto Gonzalez (Dec 03)
    - RE: SHUN ams67 (Dec 02)
    - Re: SHUN Alberto Gonzalez (Dec 03)

(Thread continues...)