Snort mailing list archives

Re: Home_net/External Net question


From: Seth Art <adidas30 () yahoo com>
Date: Thu, 9 Sep 2004 08:29:45 -0700 (PDT)

Thanks John.  I am in fact not worried about protecting the networks from each other.  I am much more concerned with protecting each from the outside.

--- John Duksta <jduksta () gmail com> wrote:

On Wed, 8 Sep 2004 13:34:53 -0700 (PDT), Seth Art <adidas30 () yahoo com> wrote:

Background:

I have 2 firewalls, each monitoring 3 subnets.

Subnets a, b, and c and VPN pool1 are going out/coming in through firewall one.
Subnets d, e, and f and VPN pool2 are going out/coming in through firewall two.

On my sensor inside of Firewall 1 HOME_NET is [a,b,c,vpnpool1]
On my sensor inside of Firewall 2 HOME_NET is [d,e,f,vpnpool2]

EXTERNAL_NET on both is !$HOME_NET

a) keep the home_nets the same but make a new variable called entire_home_net and include all 6 subnets and both vpn pools and negate THAT for the external_net

b) add subnets a-f and both vpn pools to the home_net var on each sensor (i don't think so)

With the way the majority of the stock snort rules are written (EXTERNAL_NET -> HOME_NET), option a and option b end up being essentially the same. For option a, if you have traffic going from net C to net F, it's not going to trigger a rule because you won't get an address match (C -> F is HOME_NET to ENTIRE_HOME_NET, thus no match.)

You're really going to have to make this determination based upon your security policy. Do you consider each environment (Nets A,B,C,VPN Pool1 and Nets D,E,F, VPN Pool 2) to be a threat to each other? Are there resources in each group that need to be kept separate or are these just two different sites, each with the same kind of users and security policy and traffic flowing freely between them? If the latter, I would recommend adding all your possible networks (A-F, VPN Pools 1 and 2) to your home net to reduce your FPs.

HTH,

-j

-- 
John Duksta <jduksta () gmail com>
Can't sleep, clowns will eat me.



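To make John's point concrete, here is an added toy evaluator of Snort-style address-list semantics (it is not Snort's own matching engine and not code from the thread). It uses constructed placeholder subnets for nets a..f and the two VPN pools, and checks whether the header of a stock EXTERNAL_NET -> HOME_NET rule matches c -> f traffic on the firewall-2 sensor under the original config, option a, and option b.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed placeholder subnets standing in for nets a..f and the two VPN pools.
NETS = {
    "a": "10.1.0.0/24", "b": "10.2.0.0/24", "c": "10.3.0.0/24", "vpnpool1": "10.9.1.0/24",
    "d": "10.4.0.0/24", "e": "10.5.0.0/24", "f": "10.6.0.0/24", "vpnpool2": "10.9.2.0/24",
}


class NetSet:
    """A Snort-style address list: a set of CIDRs, optionally negated with '!'."""

    def __init__(self, cidrs: Iterable[str], negated: bool = False) -> None:
        self.nets = [ipaddress.ip_network(c) for c in cidrs]
        self.negated = negated

    def contains(self, ip: str) -> bool:
        inside = any(ipaddress.ip_address(ip) in n for n in self.nets)
        return not inside if self.negated else inside


def header_matches(src_var: NetSet, dst_var: NetSet, src_ip: str, dst_ip: str) -> bool:
    """Address check for a rule header written as 'alert ip $SRC any -> $DST any'."""
    return src_var.contains(src_ip) and dst_var.contains(dst_ip)


def sensor2_configs() -> Dict[str, Tuple[NetSet, NetSet]]:
    """(EXTERNAL_NET, HOME_NET) on the sensor behind firewall 2, for each option."""
    site2 = [NETS[k] for k in ("d", "e", "f", "vpnpool2")]
    everything = list(NETS.values())
    return {
        # As posted: HOME_NET = [d,e,f,vpnpool2], EXTERNAL_NET = !$HOME_NET
        "original": (NetSet(site2, negated=True), NetSet(site2)),
        # Option a: EXTERNAL_NET = !$ENTIRE_HOME_NET, HOME_NET unchanged
        "option_a": (NetSet(everything, negated=True), NetSet(site2)),
        # Option b: HOME_NET holds all six subnets and both pools
        "option_b": (NetSet(everything, negated=True), NetSet(everything)),
    }


def classify(src_ip: str, dst_ip: str) -> Dict[str, bool]:
    """Would a stock EXTERNAL_NET -> HOME_NET rule's header match under each option?"""
    return {name: header_matches(ext, home, src_ip, dst_ip)
            for name, (ext, home) in sensor2_configs().items()}


if __name__ == "__main__":
    # Constructed hosts: one in net c, one in net f, one on the Internet.
    print("c -> f:", classify("10.3.0.10", "10.6.0.10"))
    print("internet -> f:", classify("203.0.113.5", "10.6.0.10"))
```

With the original per-sensor HOME_NET, c -> f counts as external-to-home on the firewall-2 sensor and can alert; under option a or option b it does not, which is why the two options behave the same for that traffic while Internet -> f still matches under all three.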