Snort mailing list archives
Re: Snort Deployment
From: Joe Pampel <jpampel () paladyne com>
Date: Mon, 3 May 2010 11:13:36 -0400
Good questions.. :)

Perhaps the most general answer is that it comes down to your own security policy. FWIW I've long been fond of putting sensors outside and inside. What's coming at you, and what is getting through? Trust but verify and all that... A good tap makes this simple and you don't need lots of interfaces. For example, I've had good luck with these guys: http://www.vssmonitoring.com/products/a_taps.asp

You can tap a bunch of places and feed all of them into a single gig-E which then goes into your snort sensor. The tap has no L2 presence so it cannot be detected. If you have a good box for the sensor and not tons of traffic you can get by with 2 interfaces.

I do like watching traffic outside so I can see what's getting tossed at us. Granted most of it is automated, but there are some interesting events out there that the firewall logs would not ID with the same granularity. I like the detail.

If you have inside and outside monitored, you don't really need DMZ since you already have DMZ traffic at your choke points (probably). Again, I am sure some folks do monitor every DMZ. No right or wrong, it all comes down to your policy.

Cheers,
Joe

-----Original Message-----
From: akos.daniel () db-soft hu [mailto:akos.daniel () db-soft hu]
Sent: Monday, May 03, 2010 9:46 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Deployment

Hi all,

In case of this topic I can understand the answers, but is it considerable to use IPS before the firewall as well? I mean if I put the IPS behind the FW then I lose the monitoring for attacks against the firewall. Today firewalls terminate many services like sslvpn, ravpn, auth services... and for those services they have many 'shortcomings' (just an example is the Sockstress TCP DoS attacks).

What would be the best practice for an IPS topology? If the firewall has not just 2 interfaces but many more DMZs, then should we implement as many IPS as firewall interfaces we have?
Is there a basic concept for the IPS topo, or does it always depend on the business requirements /what the management want to protect.../ ?

I usually recommend that people implement Snort behind a firewall. As for interfaces, 2 is a good start. One for management, one for sniffing. However, if you have a tap, you might need 3 depending on the model of tap.

J

On Mon, May 3, 2010 at 4:30 AM, Kum Weng Luey <kumwengluey () gmail com> wrote:

Hi guys,

I have been trying out snort for quite some time now and it works great. I do want to try implementing snort in a live environment but am kinda clueless how. I want to sniff for traffic before it hits the firewall and enters the internal network. What would be the most optimal setup for the PC and how many interfaces do I need? Hope to get some advice.

Thanks a lot.

Regards,
KW

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
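The thread's two questions, "what's coming at you, and what is getting through?", become answerable once you have an outside sensor and an inside sensor. The script below is an added example for this archive page, not code from any of the posters or from the Snort project. It parses Snort's alert_fast log format from both sensors and splits alerts into those that were blocked at the firewall (seen only outside), those that passed through (same signature from the same source seen on both sides), and inside-only events. The sensor logs, addresses and signature IDs are constructed; the function names are mine.

```python
"""
Correlate Snort alert_fast output from an 'outside' sensor (in front of the
firewall) and an 'inside' sensor (behind it).

Alerts are keyed on (sid, source address) rather than on the destination,
so that a firewall doing NAT/port-forwarding on the way in does not make the
same attack look like two different events.
"""
import re
from collections import defaultdict

# alert_fast line layout:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
# Classification and ports are optional (e.g. ICMP alerts carry no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample logs (not real traffic). The outside sensor sees three
# attacks; only the web attack also shows up behind the firewall (NATed dst).
OUTSIDE_LOG = [
    "05/03-09:46:01.000001  [**] [1:2000001:1] CONSTRUCTED SCAN SSH brute force attempt [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51234 -> 203.0.113.10:22",
    "05/03-09:46:02.000002  [**] [1:2000002:1] CONSTRUCTED WEB-MISC directory traversal [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:40000 -> 203.0.113.10:80",
    "05/03-09:46:03.000003  [**] [1:2000003:1] CONSTRUCTED DOS attempt against firewall [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.11:1111 -> 203.0.113.1:443",
    "this line is not an alert and is skipped",
]
INSIDE_LOG = [
    "05/03-09:46:02.100000  [**] [1:2000002:1] CONSTRUCTED WEB-MISC directory traversal [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:40000 -> 10.0.0.20:80",
    "05/03-09:46:05.000000  [**] [1:2000004:1] CONSTRUCTED POLICY internal host ICMP sweep [**] "
    "[Priority: 3] {ICMP} 10.0.0.33 -> 10.0.0.1",
]


def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    fields["prio"] = int(fields["prio"])
    return fields


def group_alerts(lines):
    """Group parsed alerts from one sensor by (sid, src); non-alert lines are ignored."""
    groups = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            groups[(alert["sid"], alert["src"])].append(alert)
    return groups


def correlate(outside_lines, inside_lines):
    """Split outside/inside alerts into passed, blocked and inside_only buckets.

    passed:      (sid, src) -> (outside_count, inside_count); the attack got through
    blocked:     (sid, src) -> outside_count; seen only in front of the firewall
    inside_only: (sid, src) -> inside_count; never seen outside (internal sources, etc.)
    """
    outside = group_alerts(outside_lines)
    inside = group_alerts(inside_lines)
    passed = {k: (len(outside[k]), len(inside[k])) for k in outside if k in inside}
    blocked = {k: len(v) for k, v in outside.items() if k not in inside}
    inside_only = {k: len(v) for k, v in inside.items() if k not in outside}
    return {"passed": passed, "blocked": blocked, "inside_only": inside_only}


def report(result, outside_lines, inside_lines):
    """Render the correlation as text lines, with the signature message for each key."""
    msgs = {}
    for grp in (group_alerts(outside_lines), group_alerts(inside_lines)):
        for key, alerts in grp.items():
            msgs.setdefault(key, alerts[0]["msg"])
    lines = []
    for bucket in ("passed", "blocked", "inside_only"):
        for key in sorted(result[bucket]):
            sid, src = key
            lines.append(f"{bucket:12} sid={sid} src={src} count={result[bucket][key]} msg={msgs[key]}")
    return lines


if __name__ == "__main__":
    for line in report(correlate(OUTSIDE_LOG, INSIDE_LOG), OUTSIDE_LOG, INSIDE_LOG):
        print(line)
```

Run it as-is to see the three buckets; for real sensors, feed it the two alert files instead of the constructed lists. A "passed" entry is a firewall rule worth reviewing; a large "blocked" list is the "what's getting tossed at us" detail that Joe describes, which firewall logs alone would not label by signature.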
Current thread:
- Snort Deployment Kum Weng Luey (May 03)
- Re: Snort Deployment Joe Pampel (May 03)
- Re: Snort Deployment Joel Esler (May 03)
- Re: Snort Deployment akos . daniel (May 03)
- Re: Snort Deployment Joe Pampel (May 03)
- Re: Snort Deployment Joel Esler (May 03)
- Re: Snort Deployment Kum Weng Luey (May 03)
- Re: Snort Deployment JJ Cummings (May 04)
- Re: Snort Deployment akos . daniel (May 03)