Snort mailing list archives
RE: Preferrable location?
From: "Abe L. Getchell" <abegetchell () home com>
Date: Tue, 20 Nov 2001 00:28:40 -0500
Hi Neil,

To (hopefully) answer your questions:

A) There are many schools of thought on this question. Try searching the archives of the SecurityFocus IDS list (http://www.securityfocus.com/); you'll find many good answers and opinions there. I, personally, would put one sensor on the outside of the firewall and one sensor on the inside of the firewall. This will allow you to see what kinds of attacks are launched at your internal network and perimeter devices but don't necessarily make it past your firewall, as well as let you see what successfully slips past your firewall into your internal network. If only one sensor is available to be used, I would place it inside of the firewall. This way, you are assured to only see what makes it past your firewall and into your internal network... the stuff you _really_ have to worry about.

B) Well, it depends what purpose the two NICs are going to serve. You could always have two interfaces sniffing two different segments of your internal network. More commonly, you would have one interface which is acting as the sniffing interface and one interface for out-of-band management. This is most likely what you're referring to, and it is seen as a standard practice in most large IDS implementations. It's a good idea, if possible, to segment off the out-of-band management interface onto its own protected (preferably physically separate) network. If an intruder were to compromise one of these boxes, it's 'game over'. Not only can you not trust your forensic data for your own purposes at that point, but it will never hold up in a court of law.

C) Heh, good question. I'm sure you'll get many opinions from the folks here about what OS is the best for Snort. =) If I remember correctly, Snort is developed on one of the BSDs. That makes a strong case for running Snort on that platform IMHO. However, I personally use Linux as my choice for network sensors as it is what I am familiar with and can most easily manage. Performs great on Linux and has rock solid stability with a little work. I would steer away from implementing it on the Windows platform, not because the Win32 port is of inferior quality or lacks features, it's a great piece of code, but because of security issues in the underlying OS... and the recent stance of Microsoft with full disclosure... and yadda yadda yadda... =)

Hope I helped.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com
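As an added example (not part of Abe's reply or the Snort project), the two-NIC layout he describes on a Linux sensor: one interface sniffs with no IP address, ARP off and promiscuous mode on, while the other carries out-of-band management and accepts only SSH from the management network. The interface names, the management network, the Snort config path and the use of iproute2/iptables are assumptions; DRY_RUN=1 prints the commands instead of running them, and the last function audits a captured `ip addr show` listing to confirm the sniffing interface is really silent.

```shell
#!/bin/sh
# Constructed example: a Linux Snort sensor with a sniffing NIC and an
# out-of-band management NIC. Interface names and networks are assumptions.
SNIFF_IF="${SNIFF_IF:-eth1}"          # plugged into the monitored segment
MGMT_IF="${MGMT_IF:-eth0}"            # plugged into the separate management network
MGMT_NET="${MGMT_NET:-10.99.0.0/24}"  # management network (assumed)

# With DRY_RUN=1 the commands are printed instead of executed (no root needed).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Sniffing interface: no address, no ARP, promiscuous. It cannot be addressed
# from the monitored segment but still sees every frame on it.
setup_sniff_iface() {
  run ip addr flush dev "$SNIFF_IF"
  run ip link set dev "$SNIFF_IF" arp off
  run ip link set dev "$SNIFF_IF" promisc on
  run ip link set dev "$SNIFF_IF" up
}

# Management interface: only SSH from the management network reaches the box;
# nothing arriving on the sniffing interface is ever accepted.
setup_mgmt_firewall() {
  run iptables -P INPUT DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_NET" -p tcp --dport 22 -j ACCEPT
  run iptables -A INPUT -i "$SNIFF_IF" -j DROP
}

# Audit check on a captured `ip addr show dev <if>` listing: succeeds only if
# the interface has no IPv4/IPv6 address and carries the NOARP and PROMISC flags.
sniff_iface_is_silent() {
  listing="$1"
  echo "$listing" | grep -q '^ *inet' && return 1
  echo "$listing" | grep -q 'NOARP' || return 1
  echo "$listing" | grep -q 'PROMISC' || return 1
  return 0
}

# Set SNORT_SENSOR_SETUP=1 to apply the configuration and start Snort on the
# sniffing interface (config path is an assumption).
if [ "${SNORT_SENSOR_SETUP:-0}" = 1 ]; then
  setup_sniff_iface
  setup_mgmt_firewall
  run snort -i "$SNIFF_IF" -c /etc/snort/snort.conf -D
fi
```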
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ronneil Camara
Sent: Monday, November 19, 2001 9:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Preferrable location?

Hi,

I've got some questions.

a) Where would be the preferable location of a snort box on a network with a firewall (internal, DMZ)? Do I need more than 1 snort?
b) What would be the advantage of having 2 NICs on a snort box?
c) What OS is recommended for snort?

Thanks.
Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users