Snort mailing list archives

AW: Help with where to place a Snort sensor! -newbie questions-


From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Wed, 19 Jun 2002 12:45:31 +0200

Hi Daniel

Hello!

I guess you will find the following questions are basic but I do not
have so much professional background and practical work in network
field.

You'll get it quite soon when working with snort ;)

I was reading the paper from Jon Bull "Snort's Place in a Windows 2000
Environment".
He says:
"

[ Internet ] -------(1) ------- [ Router ] -------(2) ------- [ LAN ]

(Fig 1)

On a simple LAN with no DMZ (see figure 1) there are two optimal places
to locate your sensor, between the router and the Internet, and between
the router and LAN. The first configuration, denoted with a (1), will
detect all attacks against the network, but will not show you which
attacks actually get through the router and into the LAN. The second
configuration, denoted with a (2), will show you which attacks enter the
LAN."

I suppose that between the router and the LAN (constituted by some
computers for instance), there is a hub or a switch. Thus, if I want to
place my IDS in location 2, I can run Snort in a Linux box, with the
interface set up in promiscuous mode and stealth mode and connected to
the SPAN port of the switch or one port of the hub, is it right?

In general yes. If the hub supports 10/100 Mb/s then you'll have 2 hubs in
one which means that if the snort box is using 100Mb/s and the router only
10 you won't see anything except broadcasts.

And then, like this, with this configuration, I will be able to detect
attacks coming from the outside but also, from the inside of the LAN and
attacks between computers inside the LAN (still constituted by some
computers and connected to a switch/hub that is in turn connected to the
router), is it also right?

This depends on the setup. If you only have a small LAN on a single speed
hub where the router is also connected you're right. But if there are more
segments connected via routers in your LAN you only see traffic going
through the internet router not internal LAN traffic.

When your LAN is set up with switches you'll have some more issues: First if
you only have one switch which is your LAN you'll have to make sure your
snort box can handle all traffic generated by all boxes you wish to snort,
that means if your internet router and your LAN boxes have all 100Mb/s
connections and you want to span all ports (presuming your switch supports
vlan mirroring) you will have to use a Gig port to make sure no packet is
lost. This is true as long as you're not having more than 10 100 Mb/s Half
duplex or 5 100Mb/s Full Duplex connections (if you can make sure your LAN
boxes don't saturate 100Mb/s then you can think of some more connections).

If you're using VLANs spanned over more than 1 switch you'll have a much
harder job. You then have to think carefully which information you are
interested in and put the snort sensors accordingly into the LAN (I don't
think you will be able to do this with a single snort sensor).

I think snort can handle GB when the snort box and snort is highly tuned
(not tested full GB speed yet).

However, if I want to place my IDS in location 1, how I could do that?
Can I still use a Linux box with SNORT installed in it, with the
interface set up in promiscuous mode and stealth mode and directly
connected to the Internet and the other interface connected to the
router?

First question: Are you really interested in getting all that portscan, code
red, nimda stuff in your logs which might be filtered by your router
(supposed there is some kind of filtering or firewall set up)?

If you are then you could use a so-called tap (passive) which splits the
network cable into two streams (one receive/one transmit stream for a full
duplex connection) which in turn can then be connected to two interfaces in
your snort box. This setup requires channel bonding to reassemble on your
snort box which works very well (see
http://sourceforge.net/projects/bonding).

Or you could set up a so-called Gateway-IDS which is put between the
internet and the router, but I wouldn't recommend that because of

1) single point of failure (if a tap fails snort doesn't see anything more
but the connection router-internet is still working)
2) your snort box is exposed to the internet and could be hacked eventually

How I could manage my IDS then?

Use a third interface and put it into your internal LAN while the two
interfaces connected to the tap are configured to be stealth interfaces and
the tap can only read data but there's no way to send data via a tap,
therefore your snort box won't be visible outside.
 
One other thing to remember is: Alarming/Reporting. When dealing with more
than one sensor think of centralizing alarming and reporting to a dedicated
box so you don't get performance issues on the snort box itself.

Thank you very much for your help! :)

Well, I hope this helped ;)

Ciao,
Sandro
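An added example, not part of the thread above: the point of running sensors at both position (1) (outside the router) and position (2) (inside it) is that the difference between their alerts tells you what the router's filtering actually stopped. This script correlates Snort "alert_fast" style lines from both sensors; the alert lines, SIDs, addresses and messages are constructed for the example and do not come from any real ruleset or network.

```python
import re
from collections import namedtuple

# Constructed alert_fast-style samples. SIDs 100001-100004, the messages and
# the 203.0.113.x / 192.0.2.x addresses are made up for this example only.
OUTSIDE_SENSOR = """\
06/19-12:40:01.000000  [**] [1:100001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.0.2.10:139
06/19-12:40:02.000000  [**] [1:100002:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.9:40002 -> 192.0.2.10:80
06/19-12:40:03.000000  [**] [1:100003:1] NETBIOS SMB probe [**] [Priority: 2] {TCP} 203.0.113.44:51000 -> 192.0.2.11:445
"""
INSIDE_SENSOR = """\
06/19-12:40:02.000000  [**] [1:100002:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.9:40002 -> 192.0.2.10:80
06/19-12:40:09.000000  [**] [1:100004:1] SCAN internal host sweep [**] [Priority: 3] {ICMP} 192.0.2.20 -> 192.0.2.10
"""

# Pull generator/SID, message, protocol and endpoints out of one alert line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

Alert = namedtuple("Alert", "sid msg proto src dst")


def parse_alerts(text):
    """Map (sid, proto, src, dst) -> Alert; lines that are not alerts are skipped."""
    alerts = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # blank, truncated or non-alert line
        a = Alert(int(m["sid"]), m["msg"], m["proto"], m["src"], m["dst"])
        alerts[(a.sid, a.proto, a.src, a.dst)] = a
    return alerts


def compare_sensors(outside_text, inside_text):
    """Split alerts into: stopped by the router, passed through, internal only."""
    outside = parse_alerts(outside_text)
    inside = parse_alerts(inside_text)
    o, i = set(outside), set(inside)
    return {
        "blocked_by_router": {outside[k] for k in o - i},  # seen at (1) only
        "got_through": {outside[k] for k in o & i},        # seen at (1) and (2)
        "internal_only": {inside[k] for k in i - o},       # LAN traffic, (2) only
    }


if __name__ == "__main__":
    for bucket, alerts in compare_sensors(OUTSIDE_SENSOR, INSIDE_SENSOR).items():
        print(bucket, sorted(a.msg for a in alerts))
```

Matching is done on SID plus protocol and endpoints rather than on timestamps, since the two sensors' clocks are rarely in perfect step.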
