Snort mailing list archives

Re: Snort in front of WAF or behind?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 03 Feb 2010 15:32:03 +1300

On 02/03/2010 11:24 AM, Jefferson, Shawn wrote:
> I’m putting in a WAF in the next two weeks, and I’m deciding on where
> to put it, in front of my network tap with Snort, or behind the
> network tap with Snort.  I’m thinking it’s better to put it in front
> of the network tap with Snort, and let the WAF do the inspection,
> filtering and alerting of HTTP(S) traffic.  A couple of benefits of
> doing it this way that I see:
>
> 1. WAF will know more about how the HTTP applications are configured
> and what is good and what is bad input.
> 2. It will decrease the load (marginally) on the Snort box, since it
> won’t have to inspect the traffic that is already going to be filtered
> at the WAF.
>
> Anybody have input on this scenario?  It seems just like the “Snort in
> front of the firewall or behind the firewall” debate… but I might be
> missing something.

We're doing this. First layer is a firewall to block all the crud (ie
block everything but web). Second is the WAF: it acts as HTTPS
terminator (ie any HTTPS traffic ends on the WAF - the WAF talks to
backends over HTTP), can block HTTP-specific bad things, AND HAS GREAT
LOGGING (cannot stress that enough). Then snort lies behind the WAF and
(as it's HTTP instead of HTTPS) gets to see what's left over. Obviously,
if your WAF is perfect, you'll never see snort trigger - well - actually
snort would also have to be perfect for that to be true - but you get
the point ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

