Snort mailing list archives
Re: Snort in a H.A. environment.
From: "Federico Lombardo" <egopfe () hotmail com>
Date: Mon, 20 Jan 2003 11:38:09 +0100
Ok, but my firewall are very strong machines. BTW the solution of creating an IDS-Transport-Network (private adressing) between router and firewall is good. ----- Original Message ----- From: "Patrice Boulanger" <pboulanger () fr externall net> To: "Federico Lombardo" <egopfe () hotmail com> Sent: Monday, January 20, 2003 11:09 AM Subject: RE: [Snort-users] Snort in a H.A. environment.
I think you should prefer a solution where your snort sensor will sniff in
front of the firewalls, like this:
INTERNET
|
| Stealth NIC
+-------------------+
| |
| |
----------+---------- |
| | |
| | |
Fw A Fw B |
| LAN | |
|---------+---------| |
| ------+------
| | Snort |
| -------------
| |
| Adm. NIC |
|-------------------|
(I hope this diagram will be clear enough ;-)
You should have two NICs on your Snort box:
- one is in stealth mode (no IP address on it) to sniff network traffic
- another is to send alerts and for administrative purposes (SSH,
Monitoring
...) Thus, your snort box cannot be addressed directly from Internet. Moreover, you said that you have a very high traffic to monitor ?? It's an additionnal good reason to NOT overload your firewalls !!!! Network monitoring and detection intrusion
are
very expensive in term of CPU and memory usage. Use a dedicated system ... Hope it will help you ! Regards, -----Message d'origine----- De : snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]De la part de Federico Lombardo Envoyé : lundi 20 janvier 2003 10:51 À : Patrice Boulanger; snort-users () lists sourceforge net Objet : Re: [Snort-users] Snort in a H.A. environment. And why ? Is the only way to monitor trpassing traffic in real time. Using span ports in a switch ? I don't think this solution will solve my problems... I've a very high traffic MAN. ----- Original Message ----- From: "Patrice Boulanger" <pboulanger () fr externall net> To: "Federico Lombardo" <egopfe () hotmail com> Sent: Monday, January 20, 2003 10:28 AM Subject: RE: [Snort-users] Snort in a H.A. environment.Yes it's a stupid problem... I don't think it's a good idea to run snortonyour firewalls ! -----Message d'origine----- De : snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]De la part de Federico Lombardo Envoyé : lundi 20 janvier 2003 10:19 À : snort-users () lists sourceforge net Objet : [Snort-users] Snort in a H.A. environment. Hi all, I've a stupid problem. I've in a production scenario a checkpoint Firewall-1 Cluster-XL
Firewall
inActive-StandBy configuration. On the active Node-1 (active) i wanna run snort, and no problems withthis.The problema I want to solve is: How I can make possible to start snort on the other Node-2 when it
became
active, and how to stop snort in Node-1 when it became standby ??? Every solution is appreciated. Regards, Federico ------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort in a H.A. environment. Federico Lombardo (Jan 20)
- Re: Snort in a H.A. environment. Saad Kadhi (Jan 20)
- Re: Snort in a H.A. environment. Glenn Forbes Fleming Larratt (Jan 20)
- Re: Snort in a H.A. environment. Erek Adams (Jan 20)
- Re: Snort in a H.A. environment. Bennett Todd (Jan 21)
- <Possible follow-ups>
- Re: Snort in a H.A. environment. Federico Lombardo (Jan 20)
- Re: Snort in a H.A. environment. Saad Kadhi (Jan 20)
- Re: Snort in a H.A. environment. Federico Lombardo (Jan 20)
- Re: Snort in a H.A. environment. Saad Kadhi (Jan 20)