On Sat, Jan 20, 2001 at 09:24:40AM -0500, John Tannahill wrote:
> - Is this deployment safe?
Actually the unbinding of protocols (if it works, but I trust RealSecure
here) is a good protection against remote attacks. But since your probe
still receives all data on the net (even untargeted data, as is the nature
of a probe) you cannot assume the host is protected against remote exploits.
This does NOT include the TCP/IP Stack of the Operating System or vulnerable
Services on the System, since both are removed out of the way, but it does
include the IDS Software.
As we all know there are and were exploits for software like resolvers,
Loggers (syslog) AND tcpdump. Therefore I would not assume that the host is
100% secure.
The question is whether you think RealSecure made real secure software or not.
You can judge for yourself. Observations like: how often do you get binary
junk in the logs, how often does the software crash, how reliably does the
GUI work might help you with it.
You might consider plugging the probe's internal port not into the LAN but only
into an interface at the management console if you are truly paranoid.
Personally I don't run an IDS in the Hot external Net. I have one in the DMZ
(snort based) which is logging pretty much all attacks snort knows about.
This is possible since my outer router MUST filter them. You can also run an
IDS on the External net if you limit its scope to suspicious outgoing
packets. This will reduce the amount of false positives (this is true for
snort which is not as intelligent as some real IDS systems, I don't know if
that works or is needed for RealSecure).
Greetings
Bernd
--
(OO) -- [EMAIL PROTECTED] --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!