Snort mailing list archives

Re: IDS placement


From: Michael Boman <michael.boman () securecirt com>
Date: 07 Jul 2003 15:32:48 +0800

On Mon, 2003-07-07 at 14:48, Always Bishan wrote:
> Now the queries are:
> 1. What would be the best place to deploy Snort
> sensors and Manager? Please do send your expert
> comments!

It all depends on what you want to detect. If it is attacks from the
internet and between the different zones you are worried about, I'd put a
snort instance for each interface on "IPtables Firewall" box.

If you are worried about attacks within each zone I can't give you any
advice that doesn't cost you (or your client) any extra.

> 2. The switches don't have a port mirror, so how do I
> monitor traffic there?

Well, you can't unless you change the switch for a hub...

> 3. What changes shall I make in the network diagram to
> implement the best possible solution?

Hard to say as the intent of the zone is not very clear.

> Note: Client does not want to spend anything extra on
> hardware.

Then you have to make compromises with the design and setup. Life in
IT/Security seems to be all about compromises nowadays...

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
