RE: Snort Setup Suggestions? *NEWBIE QUESTION*

["McCammon, Keith" <Keith.McCammon () eadvancemed com>]

Some suggestions...

There should be two network interfaces: One for the sensor, and one for management.  The sensor interface will run 
un-addressed, so you don't have to worry about folks on the Internet firing exploits at that interface.  The one on the 
LAN/WAN should be addressed, privately if possible.  However, being a college environment, that may not be possible, so 
you'll want to use IPSec policy in conjunction with a simple border ACL to restrict access to that node from un-trusted 
networks (actually, all non-admin networks).

As far as IIS is concerned, IIS is not much of a liability in and of itself.  The liability is that folks who don't 
have a clue (or don't care) do not take the time to understand how it works, or the measures required to make it 
function in a safe manner.  As long as you understand the threats and lock it down, you're just fine.  Read the MS best 
practices, and make use of IIS Lockdown, URLScan, etc.  Also use integrated authentication to the extent possible, and 
check all of your ACL's.

In a nutshell, you're not at a total disadvantage using Win32.  You have to go with what you know, right?  Just apply 
some common sense, and sound network security practices in general, and it'll be fine.

Cheers

Keith

-----Original Message-----
From: Charles Hamby [mailto:fixer () gci net]
Sent: Monday, August 12, 2002 1:10 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Setup Suggestions? *NEWBIE QUESTION*


I'm getting readying to helping the sysadmin from my college setup a Snort sensor (Win32), and I'd like to get some 
input...


The network Snort's being installed on is non-firewalled (I know, I know, I've been arguing with him about this for a 
year, but to no avail) Win2k domain.  Neither of us know enough about Linux to know with a Linux version, so I've 
decided on the win32 distro.  They're using an entirely switched network, so since getting a tap would cost money 
(which they don't have), we're looking at setting up the Snort sensor at the network ingress point.  The only problem I 
have is that doing so will require adding IIS in order to view the logs (can you say security hole?) unless the 
sysadmin wants to walk down to the comm. Closet several times a day to check the snort logs (doubtful).

Does anyone know of another way around this (as you can tell, I'm really new to Snort).  Thanks!


-Charles


-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users