RE: [Snort-users] Best Practices for external sensors

06-18-2004
Truax, Shawn

Hi Brad,

Best way to do it is put your monitor port on the span port of the
switch on the outside (or external) segment. Then put your management port
on the inside (or internal) segment of your network. Then bring up the
monitor interface with no IP address and ARP ignore mode (stealth mode).
For example:

    ifconfig eth1 -arp up

Next read up on iptables and set a policy to drop all packets that come
to the monitor interface. This looks weird, but what happens is Snort gets
to inspect the packets before iptables drops them. So when Snort's done, the
sensor doesn't care what else is in the packet.

Lock down the rest of the sensor following whatever hardening policies
you have. If done right, the only thing that can go wrong is if someone
gains access to your sensor from the inside.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107

-----Original Message-----
From: jonasb@alum.rpi.edu [mailto:jonasb@alum.rpi.edu]
Sent: June 17, 2004 9:05 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Best Practices for external sensors


I currently have a Snort infrastructure set up on my internal network with
several sensors managed via SnortCenter, logging to a centralized MySQL DB.
I am looking to deploy a sensor on our outside network (off of a mirrored
port on a switch). There are several firewalls with outside interfaces on
this switch.

I'm trying to get an idea of the best/most secure way to funnel alerts/logs
back into the network to our centralized logging server. I thought of some
type of VPN tunnel inbound, but my concern is that if the sensor were to be
compromised, there would be a direct path into the network. I obviously
don't want to multi-home the sensor inside/outside. Is my best bet just to
open up SQL connectivity from this external sensor to the inside DB on the
firewall and stream the alerts that way? If so, does anybody know of any
type of wrapper that would encrypt these alerts?

Thanks
Brad


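The sensor build-out Shawn describes, written up as a small POSIX shell script. This is an added example and not code from the post or from the Snort project: it brings the monitor interface up with no address and ARP disabled (the post's `ifconfig eth1 -arp up`, plus the iproute2 equivalent `ip link set ... arp off up` for hosts without net-tools), then adds iptables rules that drop anything arriving on, routed from, or leaving that interface. The interface name `eth1`, the `DRY_RUN` switch, the script name `stealth_sensor.sh` and the function names are assumptions made for this example; the script prints the commands by default so the rule set can be reviewed without root, and only executes them with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the list post): configure a Snort monitor
# interface in "stealth" mode and have netfilter drop everything that
# arrives on it. MON_IF, DRY_RUN and the function names are assumptions.

MON_IF="${MON_IF:-eth1}"   # assumed monitor (span-port) interface
DRY_RUN="${DRY_RUN:-1}"    # 1 = print commands only, 0 = execute them

# Emit the commands that bring the monitor interface up with no IP address
# and with ARP disabled, so the sensor never answers on the external segment.
stealth_iface_cmds() {
    iface="$1"
    # Classic net-tools form, exactly as in the post.
    echo "ifconfig $iface -arp up"
    # iproute2 equivalent for hosts that no longer ship ifconfig.
    echo "ip link set dev $iface arp off up"
}

# Emit iptables rules that drop every packet the kernel would deliver from,
# route from, or send out of the monitor interface. libpcap hands Snort the
# frames before netfilter's INPUT chain runs, so inspection is unaffected.
monitor_drop_cmds() {
    iface="$1"
    echo "iptables -A INPUT -i $iface -j DROP"     # nothing reaches the local stack
    echo "iptables -A FORWARD -i $iface -j DROP"   # nothing is ever routed from it
    echo "iptables -A OUTPUT -o $iface -j DROP"    # nothing is ever sent out of it
}

# Number of DROP rules the policy emits (a quick sanity check of the rule set).
monitor_drop_rule_count() {
    monitor_drop_cmds "$1" | grep -c ' -j DROP'
}

# Read one command per line from stdin and print it (dry run) or execute it,
# stopping at the first command that fails.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            $cmd || return 1
        fi
    done
}

main() {
    stealth_iface_cmds "$MON_IF" | run_cmds
    monitor_drop_cmds "$MON_IF" | run_cmds
}

# Run only when invoked as the script itself, not when sourced for testing.
case "${0##*/}" in
    stealth_sensor.sh) main ;;
esac
```

Review the output of `sh stealth_sensor.sh` first, then apply with `DRY_RUN=0 sh stealth_sensor.sh` as root. The order matters in the way the post says: Snort still sees every frame because packet capture happens at the link layer, before the filter rules discard the packet. The iptables filter table only covers IP traffic, which is why disabling ARP on the interface is a separate step rather than something the DROP rules provide. Make the rules persistent with whatever mechanism your distribution uses, since they are lost on reboot otherwise.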
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net