Snort mailing list archives
Re: Snort Deployment Configurations
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 4 Feb 2011 09:02:12 -0500
A large part of answering the "where to deploy" question will be related to what you are planning to look for or protect your network from. If your goal is to detect malware and client-side attacks you might want to deploy closer to your gateway/firewall. Some people advocate deploying outside (i.e. the Internet side) of the firewall. I'm not one of them, and if you're new to snort (or IDS in general) I'd recommend staying inside your firewall for now. If you want to protect critical services, say your externally facing web farm, then you want to deploy as close to the assets you're protecting as you can get. If the devices you want to protect are behind a NAT device you probably want to deploy at a point where you can see the real external and the real internal addresses involved.

Also, are you planning to deploy inline as an IPS or passively as an IDS? If you're new to snort I'd recommend starting off with a passive IDS deployment until you are comfortable with tuning and rule management. Even devices I plan to deploy inline, I typically will deploy them in a passive mode until they are well tuned and then cut them over to inline mode.

Hope that helps,
Wally

On Thu, Feb 3, 2011 at 7:31 PM, Michael Lubinski <michael.lubinski () gmail com> wrote:
I find myself thinking more and more in the realm of NSM and Snort. I have been running different theoretical deployment situations in my head on how / where I would deploy a snort sensor. I thought "Why don't I just ask the people that work with it every day."

I would imagine running Snort on the outside of your network would net a different set of rules being active as would a Snort sensor running internally. Does anyone run Snort in multiple locations with varied purposes like this example?

Before I started to really dig into snort I always thought of it as an inline gateway monitor / filter between you and the world, but the more I learn that it can be much more universal depending on the rules included. What other considerations might someone new to snort such as myself overlook at first thought?

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources and provide services. The best practices for maximizing a physical server's connectivity to a physical network are well understood - see how these rules translate into the virtual world? http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users