TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

You have described a recommended installation.  Even though you have the
stealth NIC monitoring outside the firewall and the reporting NIC attached
inside the firewall, remember that no traffic from the DMZ is able to bypass
the firewall through the RS Network Sensor.  All the monitored DMZ traffic
is fed to the RS NE Analysis Engine and the output of the reporting NIC is
limited to analysis reports and alerts.  Also, this means that you don't
have to open another hole in the firewall.  In fact, opening the RS default
ports in the firewall could actually give a portscanning hacker clues that
you are running a DMZ RS Network Engine.

James R Lindley
Senior Security Instructor
Internet Security Systems Inc
678-443-6323
An unquenchable thirst for Pierian water.
****************************************************************************
                           ISS CONNECT 2000
  International User Group and Information Security Summit

           March 19-24, 2000                          http://connect.iss.net

                                      REGISTER TODAY!
****************************************************************************
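Added here as an example, not code from ISS or from either poster: a small posture check for the dual-NIC layout James describes, run over constructed `ip -o link show` / `ip -o addr show` output and a sysctl value from a Linux sensor host. The interface names, the 10.10.5.0/24 internal segment and the function name are assumptions, and the check applies to any passive sensor with a separate reporting NIC, not only RealSecure.

```python
import ipaddress
import re

# Constructed output in the shape of `ip -o link show` and `ip -o addr show`
# on a sensor host with the layout discussed above: eth0 is the unbound stealth
# NIC in the DMZ, eth1 is the addressed reporting NIC on an internal segment.
# Not captured from a real host.
GOOD_LINK = (
    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP\n"
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n"
)
GOOD_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\n"
    "3: eth1    inet 10.10.5.20/24 brd 10.10.5.255 scope global eth1\n"
)


def audit_sensor(link_out, addr_out, ip_forward, monitor_nic, report_nic, internal_net):
    """Return a list of findings; an empty list means the layout is as intended."""
    findings = []
    flags = {}
    for m in re.finditer(r"^\d+: (\S+?):? <([^>]*)>", link_out, re.M):
        flags[m.group(1)] = set(m.group(2).split(","))
    addrs = {}
    for m in re.finditer(r"^\d+: (\S+)\s+inet6? (\S+)", addr_out, re.M):
        addrs.setdefault(m.group(1), []).append(ipaddress.ip_interface(m.group(2)))
    # The stealth NIC must stay unbound: any address would put the DMZ on the
    # sensor's IP stack, and from there a path toward the reporting segment.
    for a in addrs.get(monitor_nic, []):
        findings.append(f"{monitor_nic} has address {a}; stealth NIC must be unbound")
    if "PROMISC" not in flags.get(monitor_nic, set()):
        findings.append(f"{monitor_nic} is not promiscuous; it will not see DMZ traffic")
    # The reporting NIC must carry exactly the internal-segment address.
    net = ipaddress.ip_network(internal_net)
    report_addrs = [a for a in addrs.get(report_nic, []) if not a.ip.is_link_local]
    if not report_addrs:
        findings.append(f"{report_nic} has no address; console cannot be reached")
    for a in report_addrs:
        if a.ip not in net:
            findings.append(f"{report_nic} address {a} is outside internal segment {net}")
    # With forwarding enabled the host itself could route between the segments.
    if ip_forward != 0:
        findings.append("net.ipv4.ip_forward is enabled; sensor could forward packets")
    return findings
```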

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 18, 2000 2:42 PM
To: [EMAIL PROTECTED]
Subject: RS Engine Stealth Mode

I would like to put a Real Secure engine on my DMZ and am considering using
the dual NIC stealth mode setup.  The unbound NIC would monitor the DMZ traffic
and report back to the internal console through an addressed NIC attached to
an internal segment inside the firewall.  While this seems pretty secure, I am
still bothered by the fact that I would be opening up another pipe from the
DMZ to the internal network completely bypassing the firewall.

I'm also considering just modifying firewall rules to pass the Real Secure
traffic between the external engine and the internal console.  This too
makes me somewhat uncomfortable.

I would appreciate any advice on monitoring an external DMZ engine.

Thanks!

Carol Stettler
GPU Energy
