RE: Snort Help - Network IDS

["David Gillett" <gillettdavid () fhda edu>]

  Good places for IDS are (depending on what you want it to see)
either just inside, or just outside, the firewall.
  But you don't want an IDS failure to bring down your network.
Fair enough -- I don't believe Snort has to be in-line, as long
as it can see the traffic.  If you don't mind requiring the
connection between firewall and switch be HALF duplex(*), you can 
insert a hub there to hang the Snort box off of.

* - WAN speeds are typically much lower than LAN speeds, so this
isn't really a hardship.  If you really truly need this to be
full duplex, you'll need a "tap" instead of a hub.

David Gillett


> -----Original Message-----
> From: Jason Haith [mailto:jhaith () genesissys com]
> Sent: Wednesday, April 14, 2004 1:22 PM
> To: securityfocus
> Subject: Snort Help - Network IDS
>
>
> Recently I posted a question on different types of monitoring and ids
> setups. I have decided to go with snort and have been using 
> it on a smaller
> network with no problem. However now, I need to move it to a 
> production
> network which will consist of around a 100 servers all linked 
> through 3com
> switches and going out through a watchgaurd firewall. I'm looking for
> different ways to implement this without setting up another 
> single point of
> failure device which our firewall is. I'm not confident 
> enough yet to risk
> something like that. I haven't found much information on 
> packet sniffing
> when it comes to multiple entry points, found some info on 
> wiretap, etc. but
> I've always received such great help on here I thought I 
> would ask before I
> decided on something. Would really appreciate any help, I'm 
> in a heck of a
> bind right now. Thanks.
>
>
> firewall
> |
> -3comswitch-servers
> -3comswitch-servers
> -3comswitch-servers
>
> ids?
>
>
> Jason Haith
> Systems Administrator
> Genesis Systems
> 5712 S. 77th St
> Omaha, NE 68127
> Phone: (402)592-1452
> Fax:   (402)592-3650
> Email: jhaith () genesissys com
>
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and 
> get $545 off 
> any course! All of our class sizes are guaranteed to be 10 
> students or less 
> to facilitate one-on-one interaction with one of our expert 
> instructors. 
> Attend a course taught by an expert instructor with years of 
> in-the-field 
> pen testing experience in our state of the art hacking lab. 
> Master the skills 
> of an Ethical Hacker to better assess the security of your 
> organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------