LinuxQuestions.org
Old 11-07-2003, 09:28 PM   #1
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Stealth Firewall, IDS, and syslog server?


Would it be possible to set up an inline firewall, inline IDS (snort), and a stealth syslog server all on one box? I've read how to create a stealth syslog server by having snort capture traffic destined to an unused IP and having it passed to the syslog daemon, but could you do that and have snort running in IDS mode? Having a box acting as a firewall, IDS, and syslog server all completely undetectable since it doesn't have an IP would be very very cool.
 
Old 11-07-2003, 11:28 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
You could configure a snort signature to just listen for traffic to a specific IP on the syslogd port, so yes, you could easily do all that on one box and still have fully functional snort.
 
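The receive path chort describes, as an added example that is not from the thread: a Python sketch of the stealth syslog sink, which keeps only UDP datagrams sent to an unused "sink" IP on port 514 and hands the payload to a logger. The sink address, the frame builder and the sample message are constructed for the example; a real box would feed frames from a raw socket or libpcap (as snort does) instead of build_frame.

```python
import struct

SINK_IP = "192.0.2.250"      # assumed unused address on the LAN (constructed value)
SYSLOG_PORT = 514
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def build_frame(src_ip, dst_ip, dst_port, payload):
    """Construct an Ethernet/IPv4/UDP frame carrying payload (sample input only)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst MAC, src MAC, IPv4
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp

def extract_syslog(frame):
    """Return (src_ip, payload) for a UDP datagram to SINK_IP:514, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None                        # too short or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4               # IP header length in bytes
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    if ip[9] != 17 or dst != SINK_IP:
        return None                        # not UDP, or not aimed at the sink
    _, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if dport != SYSLOG_PORT:
        return None
    return src, ip[ihl + 8:ihl + ulen]

def parse_syslog(payload):
    """Split an RFC 3164 style '<PRI>message' into facility, severity, text."""
    text = payload.decode("ascii", errors="replace")
    pri, sep, msg = text[1:].partition(">")
    if not text.startswith("<") or not sep or not pri.isdigit() or int(pri) > 191:
        return None, None, text            # no valid PRI header: keep the raw line
    pri = int(pri)
    return pri >> 3, SEVERITIES[pri & 7], msg

def handle_frame(frame, logbook):
    """Append one log line if the frame is syslog for the sink; return whether it hit."""
    hit = extract_syslog(frame)
    if hit is None:
        return False
    src, payload = hit
    facility, severity, msg = parse_syslog(payload)
    logbook.append(f"{src} fac={facility} sev={severity} {msg}")
    return True
```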
Old 11-08-2003, 01:43 AM   #3
MrH0TT
LQ Newbie
 
Registered: Mar 2003
Location: US
Distribution: Slack 9.1
Posts: 16

Rep: Reputation: 0
Forgive me for asking this... but,

What exactly is the purpose of this box? I'm fairly new to Linux, but this sounds cool. What is it used for?
 
Old 11-08-2003, 02:36 AM   #4
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Original Poster
Rep: Reputation: 86
Quote:
Originally posted by chort
You could configure a snort signature to just listen for traffic to a specific IP on the syslogd port, so yes you could easily do all that on one box and still have fully functional snort.
Thanks, it should be interesting setting that up.

Unfortunately I just found out that you can't use NAT with a stealth, transparent, inline, bridging, layer-2 firewall (I think EIA/TIA needs to standardize a name for this). You can use NAT with it, but you would have to have a public IP address, which would defeat its purpose. Anyone know why you can't keep it stealthy and use NAT?
 
Old 11-08-2003, 02:45 AM   #5
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Original Poster
Rep: Reputation: 86
Quote:
Originally posted by MrH0TT
Forgive me for asking this... but,

What exactly is the purpose of this box? I'm fairly new to Linux, but this sounds cool. What is it used for?

It would act as both an Intrusion Detection System and a syslog server where all the PCs on your network could send their logs to. Since this box wouldn't have an IP address it wouldn't be impossible to hack remotely. I believe the worst thing it could be vulnerable to is the crashing of snort if a new vulnerability is discovered. I'm pretty sure a vulnerability like that has been discovered and patched a while ago, but by keeping snort updated it shouldn't be a problem...

Apparently you can't have a transparent firewall if you're going to be using NAT. I'm assuming that is the reason why transparent firewalls aren't as popular as I thought they should have been... It's pretty disappointing, this had a lot of potential. If anyone knows of a way to have a transparent firewall with NAT please let me know.

Last edited by OlRoy; 11-08-2003 at 02:47 AM.
 
Old 11-08-2003, 03:17 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
How can you use NAT with what is essentially a layer-2 device? It's operating at the link-layer, not at the network layer. NAT uses IPs, which is layer-3 (network). As mentioned, you would need at least one IP to NAT the internal net to outside, and of course that would defeat the purpose of being a bridging firewall.
 
Old 11-08-2003, 11:50 AM   #7
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Original Poster
Rep: Reputation: 86
Quote:
Originally posted by chort
How can you use NAT with what is essentially a layer-2 device? It's operating at the link-layer, not at the network layer. NAT uses IPs, which is layer-3 (network). As mentioned, you would need at least one IP to NAT the internal net to outside, and of course that would defeat the purpose of being a bridging firewall.

Ahhhh so you can have a NAT'd network, you just can't run NAT on the same box as the transparent firewall?

It seems like every site I've been to that talks about transparent firewalls mentions that you can't use NAT with it. If you just can't have NAT on the firewall then that's not a big deal at all...

I don't understand why transparent firewalls aren't more popular. I would think a firewall that can't be hacked would become standard pretty quickly. Instead the most popular way now to make your firewall hackproof seems to be to use a bootable CD, but that can still be hacked... it would be fixed as soon as you reboot, but by then it would probably be too late...

Last edited by OlRoy; 11-08-2003 at 12:18 PM.
 
Old 11-08-2003, 03:32 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well theoretically it can still get cracked. Someone already mentioned taking advantage of Snort, or possibly tcpdump or Ethereal if you're running either of those to check traffic. Also, although it doesn't have an IP it does have hwaddrs, so someone particularly clever can still attack you using your MAC addr. After all, there has to be some way of getting traffic to it to inspect (for the packet filter) so there is also a vector for malicious traffic as well.

In any case, I suspect the main reasons are as follows: a) it requires roughly double the hardware (probably will need one NAT device per firewall), b) it's more complicated, and network administrators don't like complications, c) most firewall compromises are because of bad rules, not insecure platforms; in fact most of the time it's not the firewall that got compromised at all, someone just found a way through it to their end target.
 
Old 11-08-2003, 04:10 PM   #9
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Original Poster
Rep: Reputation: 86
Good points, thanks