[Bro] bro cluster security

Dave Crawford bro at pingtrip.com
Fri Jan 30 05:25:48 PST 2015


True, but I’d argue that if an attack is sourcing from a Bro component an authorization/authentication mechanism would be the least of concerns.


> On Jan 30, 2015, at 7:33 AM, Luis Miguel Silva <luismiguelferreirasilva at gmail.com> wrote:
> 
> I guess I could, though that wouldn't protect from attacks coming from authorized hosts.
> 
> Anyway, I'm just trying to figure out what level of security is there built in!
> 
> Thanks,
> Luis
> 
> On Fri, Jan 30, 2015 at 5:17 AM, Dave Crawford <bro at pingtrip.com> wrote:
> Can you mitigate the risk by running a local firewall (e.g. IPTables on Linux, or PF on FreeBSD) on each component with explicit rules pairing manager<->workers<->proxies on the appropriate ports?
> 
> -Dave
> 
>> On Jan 30, 2015, at 2:40 AM, Luis Miguel Silva <luismiguelferreirasilva at gmail.com> wrote:
>> 
>> All,
>> 
>> As I was looking at the bro cluster documentation <https://www.bro.org/sphinx/cluster/index.html>, I noticed there wasn't any information / configuration parameters to authenticate / authorize the communication between the manager, worker and proxy components.
>> 
>> How do we protect against malicious processes from impersonating real components?
>> 
>> Thank you,
>> Luis 
> 

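The per-component firewall pairing suggested in this thread, sketched as an added example (not part of the original messages and not Bro's own tooling). The node names, the 192.0.2.x addresses, the port numbers and the role pairing table are constructed assumptions; substitute the real layout of the cluster. The script only prints iptables commands, it does not apply them.

```shell
#!/bin/sh
# Constructed cluster layout: node name, IP address, listening TCP port.
# Addresses are documentation ranges and ports are placeholders.
CLUSTER='manager 192.0.2.10 47761
proxy-1 192.0.2.11 47762
worker-1 192.0.2.21 47763
worker-2 192.0.2.22 47764'

# Assumed pairing: which peer roles may reach a node of the given role.
# Nodes of the same role are not paired with each other here.
allowed_peers() {
    case "$1" in
        manager*) echo "proxy worker" ;;
        proxy*)   echo "manager worker" ;;
        worker*)  echo "manager proxy" ;;
    esac
}

# Print the INPUT rules for one node: accept each paired peer on the
# node's listening port, then drop everything else sent to that port.
gen_rules() {
    self=$1
    self_line=$(printf '%s\n' "$CLUSTER" | awk -v n="$self" '$1 == n')
    [ -n "$self_line" ] || { echo "unknown node: $self" >&2; return 1; }
    set -- $self_line
    self_ip=$2
    self_port=$3
    peers=$(allowed_peers "$self")
    printf '%s\n' "$CLUSTER" | while read -r name ip port; do
        if [ "$name" = "$self" ]; then continue; fi
        role=${name%%-*}          # "worker-1" -> "worker"
        case " $peers " in
            *" $role "*)
                echo "iptables -A INPUT -p tcp -s $ip -d $self_ip --dport $self_port -j ACCEPT" ;;
        esac
    done
    # Explicit catch-all so unlisted hosts cannot reach the component port.
    echo "iptables -A INPUT -p tcp -d $self_ip --dport $self_port -j DROP"
}

# Stand-alone use: print the rules for the node named on the command line.
gen_rules "${1:-manager}"
```

As noted in the replies above, rules like these restrict which hosts can reach a component but do not authenticate the processes on an allowed host.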