Snort mailing list archives
Re: IDS placement
From: Michael Boman <michael.boman () securecirt com>
Date: 07 Jul 2003 15:32:48 +0800
On Mon, 2003-07-07 at 14:48, Always Bishan wrote:
Now the queries are: 1. What would be the best place to deploy Snort sensors and Manager? PLease do send your expert commnets!
It all depends on what you want to detect. If it is attacks from the internet and between the different zones you are worried about I'd put a snort instance for each interface on "IPtables Firewall" box. If you are worried about attacks within each zone I can't give you any advice that doesn't cost you (or your client) any extra.
2. The switches don't have a port mirror, so how do I monitor traffic there?
Well, you can't unless you change the switch for a hub...
3. What changes shall I make in the network diagram to implement the best possible solution?
Hard to say as the intent of the zone is not very clear.
Note: Client doesnot want to spend anything extra on hardware.
Then you have to make compromises with the design and setup. Life in IT/Security seems to be all about compromises now days.. Best regards Michael Boman -- Michael Boman Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- IDS placement Always Bishan (Jul 07)
- Re: IDS placement Michael Boman (Jul 07)