Re: hardware setup for snort

["Keith W. McCammon" <mccammon () gmail com>]

What you're describing is an in-line setup:

ISP -> Router -> Snort -> Firewall

This is possible using the two-NIC configuration that you describe. 
And if you plan to deploy some type of active response, this setup is
required, to allow Snort (or some add-on) to reset malicious
connections.

A less intrusive alternative, however, would be the use of a network
tap, which is capable of relaying Firewall <-> Router traffic, while
sending a copy to your sensor.  There are a couple of advantages to
using taps:

- On a busy network, adding another routing device may affect
performance.  Taps, in general, introduce very little latency, if any.
 They're just relays.

- If that routing device dies--and a server-based sensor is probably
more likely to die than a dedicated routing appliance--you have to
manage a hot-spare, or cut the sensor out of the loop to return to
service.  If the tap dies, network performance is uninterrupted--you
lose some sensor data, but your network is up.

----- Original Message -----
From: Chris Scott <cscott () sge com>
Date: Wed, 04 Aug 2004 16:25:03 +1000
Subject: [Snort-users] hardware setup for snort
To: snort-users () lists sourceforge net

 

Just a question for the hardware requirements of a snort install. My
internet connection plugs into a router through to a firewall then
through to the internal network. With this setup could i put the snort
box in between the router and the firewall? If so my understanding is
that this would need two nic's in the snort box, is this how snort is
supposed to be set up? thanks Chris
 
 ------------------------------------------------------- This SF.Net
email is sponsored by OSTG. Have you noticed the changes on Linux.com,
ITManagersJournal and NewsForge in the past few weeks? Now, one more
big change to announce. We are now OSTG- Open Source Technology Group.
Come see the changes on the new OSTG site. www.ostg.com
_______________________________________________ Snort-users mailing
list Snort-users () lists sourceforge net Go to this URL to change user
options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users
list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users