Blog | G5 Cyber Security

Snort Dual NIC: Firewall Bypass Risk

TL;DR

A Snort machine with two network interface cards (NICs) can create a security risk if not configured correctly. It’s possible for traffic to bypass your firewall, especially if one NIC is connected directly to an untrusted network without proper monitoring and rules.

Understanding the Risk

Your firewall acts as a gatekeeper, inspecting all incoming and outgoing traffic. A Snort machine typically sits behind the firewall, analysing traffic that has already been permitted through it. However, if you connect a second NIC directly to an untrusted network (e.g., a DMZ or another network segment without a firewall), this bypasses your primary security layer.

How Traffic Can Bypass

  1. Direct Connection: If the second NIC is connected to an untrusted network, traffic can enter your internal network directly through that interface, avoiding the firewall’s inspection.
  2. Routing Issues: Incorrect routing configurations on the Snort machine or other network devices could unintentionally direct traffic through the second NIC instead of the firewall.
  3. Promiscuous Mode & Bridging: A NIC in promiscuous mode captures every frame on its segment, which is what a sensor needs. If that NIC is also made part of a bridge, frames are forwarded at layer 2 between the untrusted segment and the trusted side, so malicious packets can reach the internal network without ever passing through the firewall.

Steps to Mitigate the Risk

  1. Avoid Direct Untrusted Connections: The simplest solution is generally not to connect a second NIC directly to an untrusted network without another layer of security (e.g., another firewall or intrusion prevention system).
  2. Configure Snort to Monitor Both Interfaces: If you must use two NICs, ensure Snort actively monitors both interfaces for malicious activity.
    • Edit your snort.conf file and add the interface names under the appropriate configuration sections (e.g., home network and DMZ). With Snort 2.x the directive is config interface: (the same setting can be given on the command line with -i); an instance listens on one interface, so run one instance per NIC, each with its own snort.conf.
    config interface: eth0 # Your trusted interface (instance 1)
    config interface: eth1 # Your untrusted interface (instance 2)
    
  3. Implement Strict Rules: Create comprehensive Snort rules to detect and block malicious traffic on both interfaces. Don’t assume that because traffic is coming through the firewall, it’s safe.
    • Use updated rule sets from trusted sources (e.g., Emerging Threats, Snort VRT).
    • Develop custom rules to address specific threats relevant to your environment.
  4. Verify Routing Tables: Check the routing tables on the Snort machine and any other relevant network devices to ensure traffic is being routed correctly through the firewall.
    ip route show # Linux (or: route -n)
    route print # Windows (ipconfig /all shows interface settings, not the routing table)
    
  5. Disable Promiscuous Mode (If Not Needed): If you don’t require promiscuous mode on either NIC, disable it to prevent the capture of unnecessary traffic.
    ip link set eth1 promisc off # Linux (or: ifconfig eth1 -promisc)
    
  6. Avoid Bridging Without Security: Do not bridge the second NIC directly to an untrusted network without a firewall or other security measures in place.
  7. Regularly Review Logs: Monitor Snort logs for any suspicious activity on both interfaces.
    • Use a log management system (e.g., ELK Stack, Splunk) to centralize and analyze your logs.
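Steps 4 to 6 above are checks a defender can script rather than eyeball. The following Python audit is an added example and is not code from the original post or from the Snort project: it parses the text output of ip route show, ip -o link show and sysctl net.ipv4.ip_forward and reports the three bypass conditions the post describes (a route that leaves through the untrusted NIC, IP forwarding enabled on the sensor, and the untrusted NIC enslaved to a bridge). The interface names eth0 (trusted) and eth1 (untrusted), the firewall address 10.0.0.1, and both sets of sample command output are constructed for illustration; on a real host you would feed it the live output of those commands.

```python
import re

TRUSTED_IF = "eth0"       # NIC facing the firewall's inside leg (assumption)
UNTRUSTED_IF = "eth1"     # NIC on the untrusted segment (assumption)
FIREWALL_GW = "10.0.0.1"  # firewall's inside address (constructed value)

# Constructed sample output for a misconfigured sensor: default route and a
# gateway route leave via eth1, forwarding is on, and eth1 sits in bridge br0.
RISKY_ROUTES = """\
default via 192.0.2.1 dev eth1
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.50
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.50
172.16.0.0/16 via 192.0.2.1 dev eth1
"""
RISKY_LINKS = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
"""
RISKY_SYSCTL = "net.ipv4.ip_forward = 1\n"

# Constructed sample output for a correctly configured sensor: eth1 has no
# routes and no address, only sniffs in promiscuous mode, and is not bridged.
SAFE_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.50
"""
SAFE_LINKS = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""
SAFE_SYSCTL = "net.ipv4.ip_forward = 0\n"

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")
LINK_RE = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <(?P<flags>[^>]*)>(?P<rest>.*)$")


def parse_routes(text):
    """Return a list of {dst, via, dev} dicts from `ip route show` output."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ROUTE_RE.match(line.strip()))]


def parse_links(text):
    """Return {ifname: {flags:set, master:str|None}} from `ip -o link show` output."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue
        master = re.search(r"\bmaster (\S+)", m.group("rest"))
        links[m.group("name")] = {"flags": set(m.group("flags").split(",")),
                                  "master": master.group(1) if master else None}
    return links


def parse_ip_forward(text):
    """Return the integer value of net.ipv4.ip_forward, or None if absent."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", text)
    return int(m.group(1)) if m else None


def audit(routes_text, links_text, sysctl_text):
    """Return a list of (severity, message) findings; severity is 'risk' or 'info'."""
    findings = []
    routes = parse_routes(routes_text)
    links = parse_links(links_text)

    # Step 4: the only way out must be the firewall, on the trusted NIC.
    defaults = [r for r in routes if r["dst"] == "default"]
    if not defaults:
        findings.append(("risk", "no default route found"))
    for r in defaults:
        if r["dev"] != TRUSTED_IF or r["via"] != FIREWALL_GW:
            findings.append(("risk", f"default route via {r['via']} dev {r['dev']} "
                                     f"bypasses the firewall ({FIREWALL_GW} on {TRUSTED_IF})"))
    for r in routes:  # connected (kernel, scope link) routes on eth1 are normal; gateway routes are not
        if r["dev"] == UNTRUSTED_IF and r["via"] and r["dst"] != "default":
            findings.append(("risk", f"route {r['dst']} via {r['via']} uses untrusted NIC {UNTRUSTED_IF}"))

    # A sensor must never forward between its NICs.
    fwd = parse_ip_forward(sysctl_text)
    if fwd == 1:
        findings.append(("risk", "net.ipv4.ip_forward=1: host can route packets between its NICs"))
    elif fwd is None:
        findings.append(("info", "could not read net.ipv4.ip_forward"))

    # Steps 5 and 6: promiscuous is expected for sniffing; bridging is a layer-2 bypass.
    link = links.get(UNTRUSTED_IF)
    if link is None:
        findings.append(("info", f"{UNTRUSTED_IF} not present"))
    else:
        if link["master"]:
            findings.append(("risk", f"{UNTRUSTED_IF} is enslaved to bridge {link['master']}: "
                                     "layer-2 path around the firewall"))
        if "PROMISC" in link["flags"]:
            findings.append(("info", f"{UNTRUSTED_IF} is in promiscuous mode "
                                     "(expected for a sensor; disable if not needed)"))
    return findings


def risk_count(findings):
    return sum(1 for sev, _ in findings if sev == "risk")


if __name__ == "__main__":
    for label, sample in (("risky", (RISKY_ROUTES, RISKY_LINKS, RISKY_SYSCTL)),
                          ("safe", (SAFE_ROUTES, SAFE_LINKS, SAFE_SYSCTL))):
        print(f"== {label} host ==")
        for sev, msg in audit(*sample):
            print(f"[{sev}] {msg}")
```

On a live sensor, replace the constructed strings with the output of the three commands (for example via subprocess.run) and treat any "risk" finding as a blocker: the sample misconfigured host produces four of them, the correctly configured host produces none and only the informational promiscuous-mode note, which is the expected state of a sniffing interface.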

Important Considerations

Using a dual NIC Snort machine requires careful planning and configuration. If you’re unsure about any of these steps, consult with a cyber security professional.
