Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Network Topology Question

From: Erek Adams <erek () snort org>
Date: Tue, 5 Aug 2003 10:31:10 -0400 (EDT)
On Sat, 2 Aug 2003, Brandon Hanks wrote:

[...snip...]


Local workstations will be placed on separate network behind firewall.
The firewall uses a built-in IDS.  Does this network need an external
and/or internal Snort box to filter potential security violations?
I've read where the amount of traffic workstation networks receive would
create a bottleneck for that network.  These workstations will be used
to surf Internet, send/receive email, and play online games.  I would
greatly appreciate everyone's ideas about how to create a secure network
infrastructure.  Thanks...


If you're using a Firewall, you 'really' don't need a Snort box on the
outside unless you're just bored and want lots of data.  Sitting on a
cable modem, I get _HUGE_ amounts of Messenger spam that's dropped at the
door.  I don't care and don't want to see it.  If you're using a DB, that
DB would be quite large in just one day...

Keep in mind that unless you're using a configureable switch that can do
port mirroring, you're going to have to put in something like a 'dumb' hub
before your DMZ switch.

With regards to your workstations:  If you need, ignore traffic to/from
them using pass rules or BPF filters [0].  If you're worried about
performance, use the BPF filter.  But quite honestly, if you're only
talking about a few computers on a Cable/DSL line, don't sweat it.  Decent
hardware can handle almost anything you throw at it at those speeds.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.theadamsfamily.net/~erek/snort/ignore.txt


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: