Snort mailing list archives
RE: Alerts from DMZ
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 20 Nov 2001 18:32:39 -0800 (PST)
On Tue, 20 Nov 2001, Petriz, Pablo wrote:
> Thank you Erek, it helps me a lot! but let me graph it to understand it better:
>
>   External Net ----- Firewall --------- Internal Net
>                         |                     |
>                        [H]--(1)-- Snort --(2)--?
>                         |
>                        DMZ
>
>   [H] Hub in DMZ
>   (1) Read only cable from hub to stealth nic (IP 0.0.0.0)
>   (2) Standard cable from 2nd NIC to Internal Net

That's it! This is a nice handy-dandy secure setup that works well in many networks, even large ones.

> It looks strange but secure. I think that your comment on "Make sure your firewall rules don't allow _any_ traffic to the snort box to pass." is unnecessary because for the FW the Snort box doesn't exist. Is that right?

Well, the more you deal with security, the more paranoid you become. :) IMHO, I want all the levels of protection that I can have. In some cases, the second NIC has IPF running on it to prevent anyone on the internal net (except for the 'main management station'). A little paranoia is a healthy thing to have... :)

As for the firewall rules, that's personal opinion. I usually tend to have explicit denies for any traffic to the sensor on any IP. *shrug* It might be overkill, but I don't mind the extra security.

Good luck and Happy Snorting!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
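
The host-level filtering on the sensor's second NIC that the reply above mentions, sketched as an IPFilter (IPF) ruleset. This is an added example, not part of the original post: the interface names (fxp0, fxp1), the addresses, and the choice of SSH as the management protocol are all assumptions.

```conf
# ipf rules for the Snort sensor (constructed example; names and addresses are assumptions)
#   fxp0      = stealth NIC on the DMZ hub, no IP address, read-only cable
#   fxp1      = second NIC on the internal net, sensor address 10.0.0.20
#   10.0.0.10 = the main management station

# Stealth NIC: the IP stack accepts and sends nothing here.
# Snort still sees the traffic, because libpcap/BPF taps the
# interface before the packet filter is consulted.
block in  quick on fxp0 all
block out quick on fxp0 all

# Loopback stays open for local processes.
pass in  quick on lo0 all
pass out quick on lo0 all

# Management NIC: only the management station may open SSH to the sensor.
# "keep state" lets the replies of that session back out.
pass in quick on fxp1 proto tcp from 10.0.0.10/32 to 10.0.0.20/32 port = 22 flags S/SA keep state

# Everything else on the management NIC is dropped; inbound attempts are logged.
block in log quick on fxp1 all
block out    quick on fxp1 all
```

The explicit denies on the perimeter firewall discussed in the thread are a separate layer; these rules only cover the sensor itself.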