 From:  "Adriel T. Desautels" <atd at secnetops dot com>
 To:  Ugo Bellavance <ugob at camo dash route dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: m0n0wall - Snort ;]
 Date:  Mon, 20 Jun 2005 17:00:43 -0400
Also,
    By introducing snort into the m0n0wall firewall you're introducing another
potential attack vector. If someone is able to compromise your system via a
vulnerability in snort (there have been a few good ones) then they have control
over all of your traffic. If they have control over your traffic, they also have
access to your client data (in theory) and other sensitive data.

    Have you considered checking out a soekris box for m0n0wall? Or perhaps
running snort on an internal system and just doing a port mirror? Also, if you
don't mind me asking, what sort of small business is this?


----- Message from ugob at camo dash route dot com ---------
    Date: Mon, 20 Jun 2005 15:45:33 -0400
    From: Ugo Bellavance <ugob at camo dash route dot com>
Reply-To: Ugo Bellavance <ugob at camo dash route dot com>
Subject: [m0n0wall]  Re: m0n0wall + Snort
      To: m0n0wall at lists dot m0n0 dot ch


> Adriel T. Desautels wrote:
>> Actually,
>>    In my experience it's not a very good idea to install an IDS on a
>> firewall device. Fact of the matter is an IDS device should have as much
>> processing power as you can give it to help reduce false positives and
>> false negatives (assuming heavy load and a good NIC). Increased usage of
>> the CPU from other services, such as firewalls, reduces the amount of
>> cycles that the IDS will have and as such reduces its performance. Anyone
>> else feel the same way?
>
> What you think makes sense.  However, for a small business with an idle
> firewall like mine, it might be a good idea.  Having a traffic sniffer
> that is not on the firewall increases the costs a lot.  You need a
> separate machine, a tap or a switch with a mirror port.
>
>>
>> ----- Message from don dot munyak at gmail dot com ---------
>>    Date: Mon, 20 Jun 2005 13:54:22 -0400
>>    From: Don Munyak <don dot munyak at gmail dot com>
>> Reply-To: Don Munyak <don dot munyak at gmail dot com>
>> Subject: Re: [m0n0wall] m0n0wall + Snort
>>      To: oliver dot kainz at myez dot info
>>
>>
>>> I don't want to speak for the development team, but from my time spent
>>> on this list server, the goal of m0n0wall is meant to stay lean.
>>> M0n0wall is primarily a firewall and it looks like that's how it will
>>> stay.
>>>
>>> - Don
>>>
>>> On 6/20/05, oliver dot kainz at myez dot info <oliver dot kainz at myez dot info> wrote:
>>>
>>>> Hi,
>>>>
>>>> is there a plan to implement Snort as an NIDS into the m0n0wall in
>>>> the future??
>>>>
>>>> BR
>>>>
>>>> Oliver
>>>>
>
>
>


----- End message from ugob at camo dash route dot com -----



Regards,
     Adriel T. Desautels
     Secure Network Operations, Inc.
     http://www.secnetops.com
