Snort mailing list archives

RE: Alerts from DMZ


From: "Petriz, Pablo" <ppetriz () siscat com ar>
Date: Tue, 20 Nov 2001 18:06:05 -0300

Thank you Erek, it helps me a lot! But let me graph it
to understand it better:

 External Net ----- Firewall --------- Internal Net
                       |                      |
                      [H]--(1)-- Snort --(2)--´
                       |
                      DMZ
[H] Hub in DMZ
(1) Read only cable from hub to stealth NIC (IP 0.0.0.0)
(2) Standard cable from 2nd NIC to Internal Net

It looks strange but secure. I think that your comment on
"Make sure your firewall rules don't allow _any_ traffic
to the snort box to pass." is unnecessary because for the
FW the Snort box doesn't exist. Is that right?

Thank you again Erek.

PABLO

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Tuesday, 20 November 2001 13:50
To: Petriz, Pablo
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Alerts from DMZ


On Tue, 20 Nov 2001, Petriz, Pablo wrote:

I want to install Snort with a stealth interface to sniff on
DMZ and I want Snort to send alerts to some NT boxes on the
Internal Net in a secure (best secure) way.

I have this installation:

External Net ----- Firewall ------- Internal Net
                      |
                      |- Snort
                      |
                     DMZ

The FW allows some traffic btw ExtNet<->DMZ, some
from IntNet->DMZ and blocks btw ExtNet<->IntNet.

Add a second NIC card on the snort box.  Connect 2nd NIC to the internal net
with an IP.  Make sure your firewall rules don't allow _any_ traffic to the
snort box to pass.  Build a read only cable and place that cable on your
stealth interface.  Now, your box will be happy, you can connect to it from
inside your net, but no other way.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
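
A check for the two-NIC layout discussed in this thread, as an added example that is not part of the original messages: it parses `ip -o link show` and `ip -o addr show` output and reports when the sniffing NIC carries any address or the second NIC has none on the internal net. The interface names (eth0, eth1), the 10.0.0.0/24 network and the sample output are constructed assumptions.

```python
import ipaddress
import re

# Constructed, abbreviated `ip -o link show` / `ip -o addr show` output.
# Assumed names: eth0 = stealth NIC on the DMZ hub, eth1 = NIC on the internal net.
GOOD_LINK = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
"""
GOOD_ADDR = """\
3: eth1    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth1
"""
# Same box after the OS auto-configured an IPv6 link-local address on eth0.
BAD_ADDR = GOOD_ADDR + "2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link\n"


def parse_links(text):
    """Map interface name -> set of flags from `ip -o link show` output."""
    links = {}
    for m in re.finditer(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>", text, re.M):
        links[m.group(1)] = set(m.group(2).split(","))
    return links


def parse_addrs(text):
    """Map interface name -> list of addresses from `ip -o addr show` output."""
    addrs = {}
    for m in re.finditer(r"^\d+:\s+(\S+)\s+inet6?\s+(\S+)", text, re.M):
        addrs.setdefault(m.group(1), []).append(ipaddress.ip_interface(m.group(2)))
    return addrs


def audit(link_text, addr_text, stealth, mgmt, internal_net):
    """Return a list of findings; an empty list means the layout matches."""
    links, addrs = parse_links(link_text), parse_addrs(addr_text)
    net = ipaddress.ip_network(internal_net)
    findings = []
    if "UP" not in links.get(stealth, set()):
        findings.append(f"{stealth}: not up, Snort will see no DMZ traffic")
    for a in addrs.get(stealth, []):  # IPv4 or IPv6, link-local included
        findings.append(f"{stealth}: has address {a}, sniffing NIC must have none")
    if not any(a.version == net.version and a.ip in net for a in addrs.get(mgmt, [])):
        findings.append(f"{mgmt}: no address inside {internal_net}")
    return findings


if __name__ == "__main__":
    for finding in audit(GOOD_LINK, BAD_ADDR, "eth0", "eth1", "10.0.0.0/24"):
        print(finding)
```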
