Snort mailing list archives
Re: Home_net/External Net question
From: Seth Art <adidas30 () yahoo com>
Date: Thu, 9 Sep 2004 08:29:45 -0700 (PDT)
Thanks John. I am in fact not worried about protecting the networks from each other. I am much more concerned with protecting each from the outside.

--- John Duksta <jduksta () gmail com> wrote:

> On Wed, 8 Sep 2004 13:34:53 -0700 (PDT), Seth Art <adidas30 () yahoo com> wrote:
>
> > Background: I have 2 firewalls, each monitoring 3 subnets. Subnets a, b, and c and VPN pool1 are going out/coming in through firewall one. Subnets d, e, and f and VPN pool2 are going out/coming in through firewall two.
> >
> > On my sensor inside of Firewall 1 HOME_NET is [a,b,c,vpnpool1]
> > On my sensor inside of Firewall 2 HOME_NET is [d,e,f,vpnpool2]
> > EXTERNAL_NET on both are !$HOME_NET
> >
> > a) keep the home_nets the same but make a new variable called entire_home_net and include all 6 subnets and both vpn pools and negate THAT for the external_net
> > b) add subnets a-f and both vpn pools to the home_net var on each sensor (i don't think so)
>
> With the way the majority of the stock snort rules are written (EXTERNAL_NET -> HOME_NET), option a and option b end up being essentially the same. For option a, if you have traffic going from net C to net F, it's not going to trigger a rule because you won't get an address match (C -> F is HOME_NET to ENTIRE_HOME_NET, thus no match.)
>
> You're really going to have to make this determination based upon your security policy. Do you consider each environment (Nets A,B,C,VPN Pool1 and Nets D,E,F, VPN Pool 2) to be a threat to each other? Are there resources in each group that need to be kept separate or are these just two different sites, each with the same kind of users and security policy and traffic flowing freely between them? If the latter, I would recommend adding all your possible networks (A-F, VPN Pools 1 and 2) to your home net to reduce your FPs.
>
> HTH,
> -j
>
> --
> John Duksta <jduksta () gmail com>
> Can't sleep, clowns will eat me.
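The following is an added example, not code from this thread or from the Snort project. It models how Snort's HOME_NET / EXTERNAL_NET variables (including the `!` negation) decide whether a stock `EXTERNAL_NET -> HOME_NET` rule header matches, and evaluates the two options Seth listed for the sensor inside firewall 1. The subnet prefixes and the sample source/destination addresses are constructed for the demo; the thread names the subnets a-f and the VPN pools but gives no addresses.

```python
import ipaddress

# Constructed sample prefixes standing in for the poster's subnets a-f and the two VPN pools
# (assumption: the thread gives names only, not addresses).
SUBNETS = {
    "a": "10.1.0.0/24", "b": "10.2.0.0/24", "c": "10.3.0.0/24", "vpnpool1": "10.10.0.0/24",
    "d": "10.4.0.0/24", "e": "10.5.0.0/24", "f": "10.6.0.0/24", "vpnpool2": "10.20.0.0/24",
}
SITE1 = ["a", "b", "c", "vpnpool1"]   # behind firewall one
SITE2 = ["d", "e", "f", "vpnpool2"]   # behind firewall two


def netlist(names):
    return [ipaddress.ip_network(SUBNETS[n]) for n in names]


class IpVar:
    """Minimal model of a Snort address variable: a list of networks, optionally
    negated the way '!$HOME_NET' is. Enough to reason about rule headers; it does
    not implement every Snort address-list feature (nested exclusions etc.)."""

    def __init__(self, networks, negated=False):
        self.networks = networks
        self.negated = negated

    def contains(self, addr):
        hit = any(ipaddress.ip_address(addr) in net for net in self.networks)
        return (not hit) if self.negated else hit


def sensor1_vars(option):
    """HOME_NET and EXTERNAL_NET as seen by the sensor inside firewall 1
    under the poster's option 'a' or 'b'."""
    if option == "a":
        # var HOME_NET [a,b,c,vpnpool1]
        # var ENTIRE_HOME_NET [a..f,vpnpool1,vpnpool2]
        # var EXTERNAL_NET !$ENTIRE_HOME_NET
        home = IpVar(netlist(SITE1))
        external = IpVar(netlist(SITE1 + SITE2), negated=True)
    elif option == "b":
        # var HOME_NET [a..f,vpnpool1,vpnpool2]
        # var EXTERNAL_NET !$HOME_NET
        home = IpVar(netlist(SITE1 + SITE2))
        external = IpVar(home.networks, negated=True)
    else:
        raise ValueError("option must be 'a' or 'b'")
    return {"HOME_NET": home, "EXTERNAL_NET": external}


def header_matches(src, dst, option, src_var="EXTERNAL_NET", dst_var="HOME_NET"):
    """True if a rule header '<src_var> any -> <dst_var> any' would match a
    packet src -> dst on sensor 1 under the given option."""
    v = sensor1_vars(option)
    return v[src_var].contains(src) and v[dst_var].contains(dst)


def compare_options(src, dst):
    """Evaluate the stock EXTERNAL_NET -> HOME_NET header under both options."""
    return {opt: header_matches(src, dst, opt) for opt in ("a", "b")}


if __name__ == "__main__":
    # Constructed flows: net C -> net F (site to site) and an outside host -> net C.
    for label, src, dst in [("net C -> net F", "10.3.0.5", "10.6.0.7"),
                            ("outside -> net C", "198.51.100.9", "10.3.0.5")]:
        print(f"{label}: {compare_options(src, dst)}")
```

Running it shows John's point: C -> F matches the stock header under neither option, because the source is excluded from EXTERNAL_NET either way, while outside -> C matches under both. The one place the two options differ on this sensor is a flow from outside to a site-2 address (say, net F), which option b counts as HOME_NET and option a does not; whether such traffic ever crosses sensor 1 depends on the routing, which is why the choice comes back to the policy question John raises rather than to the variable syntax.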