Snort mailing list archives
Re: Using snort on a switched network
From: Erik Fichtner <emf () servervault com>
Date: Sun, 6 Jan 2002 14:12:12 -0500
On Sun, Jan 06, 2002 at 11:21:37AM -0700, Linux Boy wrote:

> One quick question. How does snort do NID on a switched network? Is it less productive on a switched network? The reason is that I am on a switched network and would like to use snort. However, my whole network is behind our firewall and many people suggested not to run snort on the same machine as the firewall. So if I run snort on another machine outside the firewall, but on the same network as the firewall (also switched), will snort detect port scans, etc. directed towards my firewall and machines behind it? If so, how does it work? Thanks in advance.

This should be a FAQ. There are several ways you can do this.

1) You can run snort on the firewall. This is a reasonable way to do things if you have distributed firewalls, or you have a centralized firewall that is way overpowered for the amount of network traffic you pass. (If you're running a nice P3 machine, you won't have to worry about it unless you're passing about 20-30Mbit/sec of traffic, and then you probably have a budget that allows for something better.) The reason people tell you not to do this is more because it adds a potential vector for compromise of the firewall should bugs in Snort be discovered, and less because of a performance issue.

2) If you have a midrange/high-end managed switch, you undoubtedly have a feature called a "mirror port" or a "span port". RTFM. This allows you to duplicate all traffic seen on a vlan into one port for IDS purposes.

3) You can buy a cheap hub and plug it in between your uplink and your core switch. Given that your LAN is probably 100Mbit (no one runs 10Mbit switches anymore, right?) and your uplink to the world via the firewall is undoubtedly less than 100Mbit, your uplink is *already* a bottleneck. You won't notice the hub. (Do make sure you force the switch uplink port to half duplex, or you'll spend hours tracking down weird network issues.) Then plug your IDS into the hub. A couple of switches, hubs, spanning-tree, and (dual port NIC + two instances of snort | two snort boxes) can solve your single point of failure problem.

4) You can buy a passive inline tap. Search the web. These are nifty devices, but they do screw your flows up and only allow you to see one direction of traffic. Not recommended unless you have a magic box that can reassemble the flows on the back side of the taps and distribute them to your NIDS machines properly (like a TopLayer AppSwitch).

5) You can run snort everywhere you can, on every host, everywhere, and use centralized logging (syslog, snortdb, whatever) to collect data. This is a management hassle, but it also lets you fine tune each host fairly well. YMMV. You should have centralized logging *anyway*.

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
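Option 5 above only pays off if the per-host alerts are actually correlated at the collector: a sweep that touches every machine looks like one stray alert on each sensor until something joins them up. The following is an added example (not Erik's code and not part of the Snort project) of that join step. It parses the one-line alert format Snort's `alert_syslog` output writes, skips non-Snort syslog lines, and reports source addresses that more than one sensor has alerted on. The sample syslog lines, sensor hostnames (`fw1`, `web1`, `db1`) and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of what several per-host snort sensors would forward to a
# central syslog host. Hostnames and addresses are invented for this example;
# the line layout is Snort's alert_syslog format.
SAMPLE_SYSLOG = """\
Jan  6 14:10:01 fw1 snort[2211]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 203.0.113.7 -> 192.0.2.1
Jan  6 14:10:02 web1 snort[977]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 203.0.113.7 -> 192.0.2.10
Jan  6 14:10:02 db1 snort[1020]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 203.0.113.7 -> 192.0.2.20
Jan  6 14:10:05 web1 snort[977]: [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 198.51.100.4:3341 -> 192.0.2.10:80
Jan  6 14:10:09 web1 sshd[3001]: Accepted publickey for admin from 192.0.2.50 port 40122 ssh2
"""

# One regex for the whole alert line: syslog timestamp and sensor hostname,
# then Snort's [gid:sid:rev] msg [Classification] [Priority]: {proto} src -> dst,
# with optional :port on either address (ICMP alerts carry no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<class>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Return one dict per Snort alert line; lines from other daemons are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def correlate_sources(alerts, min_sensors=2):
    """Group alerts by source address and keep the sources that at least
    `min_sensors` distinct sensors reported. A host probing several machines
    shows up here even though no single host-based sensor saw the whole sweep."""
    by_src = defaultdict(lambda: {"sensors": set(), "targets": set(), "sids": set()})
    for a in alerts:
        rec = by_src[a["src"]]
        rec["sensors"].add(a["sensor"])
        rec["targets"].add(a["dst"])
        rec["sids"].add(a["sid"])
    return {src: rec for src, rec in by_src.items() if len(rec["sensors"]) >= min_sensors}


def report(text, min_sensors=2):
    """Human-readable summary of the cross-sensor correlation, one line per source."""
    lines = []
    for src, rec in sorted(correlate_sources(parse_alerts(text), min_sensors).items()):
        lines.append(
            f"{src}: seen by {len(rec['sensors'])} sensors "
            f"({', '.join(sorted(rec['sensors']))}), "
            f"{len(rec['targets'])} targets, sids {', '.join(sorted(rec['sids']))}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SYSLOG):
        print(line)
```

Run against the sample, the single CodeRed alert on `web1` stays a per-host event, while the ICMP probe from `203.0.113.7` is reported once as a three-sensor sweep. On a real collector the same parser would read the syslog file (or the `snortdb` tables) instead of the embedded string, and `min_sensors` is the knob that trades sensitivity for noise.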
Current thread:
- Using snort on a switched network Linux Boy (Jan 06)
- Re: Using snort on a switched network James (Jan 06)
- Re: Using snort on a switched network Erik Fichtner (Jan 06)
- Re: Using snort on a switched network Jason Costomiris (Jan 06)
- RE: Using snort on a switched network Blue Knight (Jan 06)