Snort mailing list archives

Re: Questions: Filtering ESP & Duplicate traffic


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 25 Mar 2009 10:35:59 +1300

Joel Esler wrote:

> As far as filtering out things like ESP and VPN traffic, I see no
> reason to inspect it if it's encrypted.  (That's what encryption is
> for right? To make stuff unreadable?)

That's what we do on our sensors. We monitor our (VPN-based) WAN links
with snort, and depending on where the SPAN is done (which depends on
switch type, VLANs and how good a job the network group do in
implementing it), may contain a fair chunk of IPSec/GRE traffic. So we
filter that out to save CPU cycles. Also, where network-based DMZ
backups are done, we filter out the backup apps' ports as well - because
otherwise snort gets hammered dealing with all that extreme traffic.

Obviously there is always a price to pay: anything you filter out means
snort cannot detect an issue within that protocol. C'est la vie.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
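The exclusion described above (drop IPSec/GRE and the backup application's ports before Snort sees them), as an added example that is not part of the original post: it builds the BPF expression Snort would be given, and applies the same logic to constructed IPv4 packets so you can see what share of a traffic mix the filter makes invisible to the engine. The backup port numbers are placeholders, not Trimble's.

```python
import struct

ESP, AH, GRE, TCP = 50, 51, 47, 6
TUNNEL_PROTOS = {ESP: "esp", AH: "ah", GRE: "gre"}
BACKUP_PORTS = {9101, 9102, 9103}  # assumption: substitute your backup app's ports

def build_bpf(backup_ports=BACKUP_PORTS):
    """Return a BPF expression excluding tunnel protocols and backup ports."""
    tunnels = " or ".join(f"ip proto {p}" for p in sorted(TUNNEL_PROTOS))
    ports = " or ".join(f"tcp port {p}" for p in sorted(backup_ports))
    return f"not ({tunnels}) and not ({ports})"

def exclusion_reason(pkt, backup_ports=BACKUP_PORTS):
    """Why the filter drops this IPv4 packet, or None if Snort would inspect it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None  # not IPv4: leave it to the engine
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto in TUNNEL_PROTOS:
        return TUNNEL_PROTOS[proto]  # encrypted/tunnelled: nothing to inspect
    if proto == TCP and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport in backup_ports or dport in backup_ports:
            return "backup"  # bulk traffic excluded to save CPU
    return None

def ipv4(proto, payload=b"", src="10.0.0.1", dst="10.0.0.2"):
    """Build a minimal constructed IPv4 packet (checksum left zero; sample only)."""
    octets = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, octets(src), octets(dst))
    return hdr + payload

def filter_stats(packets, backup_ports=BACKUP_PORTS):
    """Count packets per exclusion reason; 'inspected' is what Snort still sees."""
    stats = {}
    for pkt in packets:
        key = exclusion_reason(pkt, backup_ports) or "inspected"
        stats[key] = stats.get(key, 0) + 1
    return stats

SAMPLE = [  # constructed traffic mix for a SPAN port carrying a VPN WAN link
    ipv4(ESP, b"\x00" * 8),
    ipv4(GRE, b"\x00\x00\x08\x00"),
    ipv4(TCP, struct.pack("!HH", 40000, 9102)),
    ipv4(TCP, struct.pack("!HH", 40001, 80)),
]

if __name__ == "__main__":
    print(build_bpf())
    print(filter_stats(SAMPLE))
```

Everything counted under a reason other than "inspected" is the price the post mentions: Snort cannot alert on anything inside it.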



