RE: Running snort on a firewall

[Saad Kadhi <bsdguy () docisland org>]

On Thu, 2001-12-20 at 20:02, Fraser Hugh wrote:
> I prefer to run an IDS on a second box, either outside or inside the
> firewall (or better still both) depending upon what you want to see.
> Philosophically speaking, I like to keep firewalls as simple as possible,
> stripping them down to the bare necessities. Practically speaking, the
> firewall is likely to be the target of attacks, and may not be able to
> notify me when necessary if, for instance, it's suffering under the load of
> a DOS attack. The IDS, ideally, uses an un-configured NIC to monitor the
> network, and is for all intents and purposes invisible, generating no
> traffic on the network being monitored, and not likely to be profiled using
> the anti-sniffer tools.
I agree with that completely. I consider running the IDS on the firewall
as the El Cheapo(tm) solution. Agreed, I have this setup on my home
network and it works fine but my firewall is kind of "boosted" with lots
of RAM & a fast HD & some kernel tweaks. 
 
> What you're asking to do is technically possible, but the small additional
> cost of a second machine for an IDS gives a more manageable, secure
> solution.
IMHO, if one is really serious about IDS stuff one would have two boxes
listening on both the inside & the outside of the firewall plus a
separate "logging" fast network with a db server to which the Snorts
will send the logs. But I don't want to start a flame-war(tm) here ;)

HTH


> > -----Original Message-----
> > From: Linux Boy [mailto:cslinuxboy () hotmail com]
> > Sent: Thursday, December 20, 2001 1:12 PM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Running snort on a firewall
> >
> >
> > Hello Everyone,
> >
> >      I am new to snort.  I tried some examples on a LAN 
> > workstation, now I 
> > want to see and monitor it all.  We have a linux firewall running 
> > netfilter/iptables.  Can I run snort on the firewall without 
> > impacting the 
> > firewalls performace/security.  Any advise would be good.  Thanks in 
> > advance.
> >
> > Mike
> >
> > ------ Begin Geek CODE ------------------------------------
> > GCS/GCC d--(d++) s: a--<<a? C+++ L++++ P+ E- W++>>+++ N+ o+ 
> > K?? !!!!!!!!w  
> > O- M->L V PS+ !PE>PE!! Y++ PGP++ t+++@DATA !5 X+ !!!R->>R-- 
> > tv b++@!SAUNI DI 
> > D+ G e++>>AS400/HAL h++(h!) r-!r+++ y+
> > ------------ End of Geek CODE -----------------------------
> >
> > _________________________________________________________________
> > Get your FREE download of MSN Explorer at 
> > http://explorer.msn.com/intl.asp.
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
/Saad Kadhi
---------------------------------------------------------------
bsdguy () docisland org
pgp keyid: 35592A6D
fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D
---------------------------------------------------------------
.sig made with the six^Hvi editor


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users