From: by way of L. Taylor Banks (dr.kaos kaos.to)
Date: Tue Jan 15 2002 - 23:12:57 CST
On Saturday 12 January 2002 12:46 am, Steve A. Tindle III wrote:
> SmoothWall.org has a really great linux Firewall/router/IDS that supports
> up to three interfaces (RED outside, GREEN internal network, ORANGE DMZ).
> We've been using it for a few months now and it works great. It's a complete
> system, but the download is only 20mb for the ISO. Works on a P133 with
> 32mb ram with a good amount of speed. It also logs port scans and some
> trojan activity. Go to http://www.smoothwall.org for more info.
Several problems with Smoothwall, though:
1> Unless you shell out bucks for the "professional" (commercial) version of
the firewall, you are limited to one external IP and port forwarding via that
IP. This severely limits one's ability to maintain multiple servers providing
the same service without putting standard services on non-standard ports
(i.e. having to tell people to go to http://someurl.com:86/)
2> Again, unless you buy the commercial version you are not able to
administer policy for outbound traffic via the admin GUI, which should be a
concern for any administrator, regardless of trust in internal users (should
an attacker compromise an internal host, policies need to be in place to
prevent outbound attacks from your own network).
3> Although Snort is implemented on the GPL version, there are no
administrative facilities to add/modify/remove existing rules, nor are there
tools for customization of IDS policy (i.e. to prevent false positive port
scans from upstream DNS servers you have to manually modify the Snort config
files, which defeats the point of having a GUI-administered facility in the
first place).
4> Smoothwall does not allow blocking traffic based on matches against Snort
rules. Thus, the box will not use signature matching to eliminate malicious
packets, as I think Mike intends to do.
5> See the following URL for a recent security review of the product and
independent user feedback on the attitudes of the development team:
http://slashdot.org/article.pl?sid=02/01/09/2050237&mode=thread
Just my $.02
--
./dr.kaos

> > Hi all,
> >
> > I'm new to the IDS world. I understand what an IDS does, and why you
> > need it, but I have some questions on the technical aspect of IDS. We
> > are planning on implementing an IDS in the near future. The idea that
> > has been proposed is to put the IDS in the path between connections,
> > rather than connected in promiscuous mode. The reason they want to do
> > this is so they can also run a blocking software, like portsentry, to
> > block unwanted scans, etc.
> >
> > Is this even possible to do? The idea is to use a linux server running
> > snort. This box would have two interfaces to route the traffic through
> > it, scanning the signatures at the same time.
> >
> > Possible/not possible? If possible, good idea/bad idea? Opinions in
> > general?
> >
> > Thanks in advance,
> >
> > Mike Hrubes
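The in-path box Mike asks about, with the three things dr.kaos's points 2, 3 and 4 say it must do, written out as an added example. This is not code from the thread, from Snort or from SmoothWall: it models an outbound (egress) policy for GREEN-to-RED traffic (point 2), a pass-list so upstream DNS servers never reach the scan signatures (point 3), and signature matching that can drop a packet rather than only alert on it (point 4). The GREEN network, the resolver address, the rules, their SIDs, the sample packets and the "drop" action name are all constructed for the example; evaluating rules first-match in listed order is also an assumption of the example, not Snort's behaviour.

```python
"""Toy inline IDS/IPS decision engine for a two-interface Linux box (added example, not Snort's code).
Rule syntax is a subset of Snort's: action proto src sport -> dst dport (content; sid). Rules are
evaluated first-match in listed order (an assumption here; Snort orders by action type)."""
import ipaddress
import re
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")       # constructed GREEN network
UPSTREAM_DNS = {ipaddress.ip_address("10.0.0.53")}      # constructed upstream resolver (pass-list)

# Point 2: services a GREEN host may initiate toward RED; all else is dropped before signatures.
EGRESS_ALLOW = [("tcp", "80", "any"), ("tcp", "443", "any"),
                ("tcp", "25", "any"), ("udp", "53", "10.0.0.53")]

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str
    content: bytes; sid: int

@dataclass
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int
    payload: bytes = b""

def addr_matches(spec, ip):
    """Address spec: any, $HOME_NET, $EXTERNAL_NET, !spec, or an address/CIDR."""
    ip = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec in ("$HOME_NET", "$EXTERNAL_NET"):
        return (ip in HOME_NET) == (spec == "$HOME_NET")
    return ip in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Port spec: any, a single port, or lo:hi (either bound may be omitted)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    action, proto, src, sport, dst, dport, opts = m.groups()
    content, sid = b"", 0
    for opt in opts.split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            content = val.encode()
        elif key == "sid":
            sid = int(val)
    return Rule(action, proto, src, sport, dst, dport, content, sid)

def egress_allowed(pkt):
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src not in HOME_NET or dst in HOME_NET:
        return True       # only GREEN -> RED traffic is subject to the egress policy
    return any(pkt.proto == p and port_matches(dp, pkt.dport) and addr_matches(d, pkt.dst)
               for p, dp, d in EGRESS_ALLOW)

def signature_verdict(pkt, rules):
    """Return (action, sid): 'alert' forwards and logs, 'drop' blocks, 'pass' forwards silently."""
    if ipaddress.ip_address(pkt.src) in UPSTREAM_DNS:
        return ("pass", None)      # point 3: known-good resolvers never reach the scan signatures
    for r in rules:
        if (r.proto == pkt.proto
                and addr_matches(r.src, pkt.src) and port_matches(r.sport, pkt.sport)
                and addr_matches(r.dst, pkt.dst) and port_matches(r.dport, pkt.dport)
                and (not r.content or r.content in pkt.payload)):
            return (r.action, r.sid)   # point 4: a 'drop' rule blocks on the signature match
    return ("pass", None)

def inline_verdict(pkt, rules):
    """What the in-path box does with one packet: egress policy first, then signatures."""
    if not egress_allowed(pkt):
        return ("drop", "egress-policy")
    return signature_verdict(pkt, rules)

RULES = [parse_rule(r) for r in (   # constructed rules; SIDs are local (1000000+), not real Snort SIDs
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"phf probe"; content:"/cgi-bin/phf"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 1:1024 (msg:"low-port connection"; sid:1000002;)',
    'drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"IIS probe from inside"; content:"default.ida"; sid:1000003;)',
)]

if __name__ == "__main__":   # quick demo of the verdict paths
    for p in (Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 80, b"GET /cgi-bin/phf HTTP/1.0"),
              Packet("tcp", "192.168.1.10", 3000, "203.0.113.9", 6667)):
        print(p.src, "->", p.dst, p.dport, inline_verdict(p, RULES))
```

On a real two-interface box this decision would sit between the GREEN and RED interfaces with IP forwarding enabled, and the two lookups deliberately run in this order: the egress table is consulted before any signature, so a compromised GREEN host cannot open an outbound IRC session or scan outward whether or not a rule exists for it, while the pass-list keeps routine replies from the upstream resolver out of the port-scan signatures without editing the rule file by hand.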