Snort mailing list archives
Re: Placing Snort
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 01 Sep 2004 11:54:29 -0400
At 05:30 AM 9/1/2004, Chandana Bandara wrote:
> I implemented snort in this way.
> Internet ---------------> Router -----------------------> Firewall ---------------------> Snort--------------------> switch -----------------> LAN
> Am I correct?
That would imply there's one right answer.
Behind the firewall is generally a pretty good place for a "low noise" monitoring station, as it's only going to see things making it past your firewall. It's also the lowest risk as it's harder for an attacker to target the snort box.
Some people put their snort sensor in front of the firewall so they can monitor all attacks, including those blocked by the firewall. You get a better view of what's going on, but a lot of noise too. You also have to be rather careful in the setup of the snort box, or use a one-way tap, to prevent attackers from exploiting your snort box and having a very nice session-hijacking tool at their disposal.
Typically boxes using an out-front tap have a second management interface going back to the LAN switch so you can connect to ACID, etc.
A drawing of this arrangement commonly looks like this:

                           (sniffing-only)    (management)
                             +-----------snort ----------+
Internet -----> Router -----TAP-----> Firewall -----> switch -----> LAN

In case that's mis-aligned, here's one that's spaced for fixed-width fonts:

                           (sniffing-only)    (management)
                             +-----------snort ----------+
Internet -----> Router -----TAP-----> Firewall -----> switch -----> LAN
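One way to check the setup of an out-front sensor with separate sniffing-only and management interfaces, as an added example that is not part of the original post. It assumes a Linux sensor, takes "careful setup" to mean that the tap-facing interface carries no IP address while the management interface does, and uses hypothetical interface names (`eth1` on the tap, `eth0` for management) with constructed `ip -o addr show` output.

```python
import re

# Constructed `ip -o addr show` output for a two-NIC sensor (interface names
# and addresses are made up; 192.0.2.0/24 is a documentation range).
SAMPLE_ADDR = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::200:5eff:fe00:5302/64 scope link \       valid_lft forever preferred_lft forever
"""

# One record per address: "<index>: <ifname>    <family> <addr>/<prefix> ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+(\S+)", re.M)


def addresses(addr_text):
    """Map interface name -> list of (family, address/prefix)."""
    found = {}
    for ifname, family, addr in ADDR_RE.findall(addr_text):
        found.setdefault(ifname, []).append((family, addr))
    return found


def audit(addr_text, sniff_if, mgmt_if):
    """Return findings for a sensor with a tap-facing and a management NIC."""
    addrs = addresses(addr_text)
    findings = []
    if sniff_if == mgmt_if:
        findings.append("sniffing and management share one interface")
    for family, addr in addrs.get(sniff_if, []):
        # Any address, including an auto-configured IPv6 link-local one,
        # makes the tap-facing NIC addressable from the monitored segment.
        findings.append(f"{sniff_if} has {family} address {addr}")
    if not addrs.get(mgmt_if):
        findings.append(f"{mgmt_if} has no address; sensor cannot be managed")
    return findings


if __name__ == "__main__":
    # Assumed roles: eth1 is the sniffing-only NIC, eth0 the management NIC.
    for line in audit(SAMPLE_ADDR, sniff_if="eth1", mgmt_if="eth0") or ["OK"]:
        print(line)
```

The constructed sample is flagged because `eth1` has no IPv4 address but still holds an IPv6 link-local address.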