Snort mailing list archives

RE: Alerts from DMZ


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 20 Nov 2001 18:32:39 -0800 (PST)

On Tue, 20 Nov 2001, Petriz, Pablo wrote:

Thank you Erek, it helps me a lot! but let me graph it
to understand it better:

 External Net ----- Firewall --------- Internal Net
                       |                      |
                      [H]--(1)-- Snort --(2)--?
                       |
                      DMZ
[H]Hub in DMZ
(1)Read only cable from hub to stealth nic (IP 0.0.0.0)
(2)Standard cable from 2nd NIC to Internal Net

That's it!  This is a nice handy-dandy secure setup that works well in many
networks, even large ones.

It looks strange but secure. I think that your comment on
"Make sure your firewall rules don't allow _any_ traffic
to the snort box to pass." is unnecessary because for the
FW the Snort box doesn't exist. Is that right?

Well, the more you deal with security, the more paranoid you become.  :)
IMHO, I want all the levels of protection that I can have.  In some cases, the
second NIC has IPF running on it to prevent anyone on the internal net (except
for the 'main management station').  A little paranoia is a healthy thing to
have... :)  As for the firewall rules, that's personal opinion.  I usually
tend to have explicit denies for any traffic to the sensor on any IP.  *shrug*
It might be overkill, but I don't mind the extra security.

Good luck and Happy Snorting!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
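The setup drawn above (stealth NIC with no IP on the DMZ hub, second NIC on the internal net locked down with IPF to the management station), as an added example that is not part of the thread. Interface names, the management station address and the use of Linux net-tools `ifconfig` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: configure the two sensor NICs from the
# diagram. Interface names and MGMT_HOST are assumed/constructed values.
set -e

STEALTH_IF="${STEALTH_IF:-eth0}"    # (1) NIC on the DMZ hub, receive-only cable
MGMT_IF="${MGMT_IF:-eth1}"          # (2) NIC on the internal net
MGMT_HOST="${MGMT_HOST:-10.0.0.5}"  # constructed 'main management station' IP

# Stealth NIC: address 0.0.0.0, ARP disabled so it never answers, promiscuous
# so Snort sees every frame on the hub (Linux net-tools ifconfig assumed).
stealth_iface_up() {
    ifconfig "$1" 0.0.0.0 -arp promisc up
}

# IPF ruleset for the internal-side NIC: default deny both ways, then one
# 'quick' pass for SSH from the management station; 'keep state' lets the
# sensor's replies to that session out without a separate pass-out rule.
ipf_ruleset() {
    cat <<EOF
block in log on $1 all
block out log on $1 all
pass in quick on $1 proto tcp from $2 to any port = 22 flags S keep state
EOF
}

# Sanity check on 'ifconfig <if>' output passed as $1: succeed only when the
# stealth NIC has no IPv4 address other than 0.0.0.0.
check_no_ipv4() {
    ! printf '%s\n' "$1" | grep -E 'inet (addr:)?[0-9.]+' | grep -vq '0\.0\.0\.0'
}

# Apply only when explicitly asked, so the script is safe to source.
if [ "${1:-}" = "apply" ]; then
    stealth_iface_up "$STEALTH_IF"
    ipf_ruleset "$MGMT_IF" "$MGMT_HOST" > /etc/ipf.rules
    ipf -Fa -f /etc/ipf.rules            # flush and load the ruleset
    check_no_ipv4 "$(ifconfig "$STEALTH_IF")" || echo "WARNING: $STEALTH_IF has an IP" >&2
fi
```

Run with `sh sensor-nics.sh apply` as root; without the argument it only defines the functions.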

