Snort mailing list archives

RE: Snort Implementation Guide - ACID-MySQL-Redhat7 .2


From: Jack Lyons <jack.lyons () martinagency com>
Date: Tue, 23 Jul 2002 15:12:00 -0400

I agree about the SPOF statement.

When you say

If the switches support it, dump the hubs in the DMZ and Internal and
use port monitoring.

That makes sense, but I think that you could almost make an argument to get
rid of the switches.
- they are more complex to maintain
- they are more expensive
- the dedicated bandwidth and full duplex to the machine may not be an
issue....usually the bottleneck will be the connection to the internet or
the firewall.

WRT one hub....what about a L2 switch with 3 separate VLANs.  Depending on
the switch you can span a port for each VLAN and point it at the IDS
sensor...you would have to be careful about oversubscribing the port
connected to the IDS sensor.



-----Original Message-----
From: Jason [mailto:jason () brvenik com]
Sent: Tuesday, July 23, 2002 2:29 PM
To: twig les
Cc: Jack Lyons; 'Iñaki_Martínez'; Steve Scott;
snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Implementation Guide -
ACID-MySQL-Redhat7 .2


I think that the hubs can be a liability for a couple of reasons.

1) Additional SPOFs. But if you only have a hub and can't get funding
then a little downtime to the cloud is likely acceptable on failure.

2) You will definitely miss any host to host traffic that does not cross
a boundary. In some cases this may be acceptable but I would argue that
in nearly all cases of a DMZ it is not and anything larger than a small
network should pay attention to internal host to host traffic.
Intellectual Property violations and outright data theft can kill a
company quick. Is the number still 80% of attacks are internal?

If the switches support it, dump the hubs in the DMZ and Internal and
use port monitoring.

WRT One hub. NO,NO,NO,NO,NO,BAD DOGGY!
If you own one box on any segment you can see and get to any other
connected segment.

Jason.

twig les wrote:

Actually I just looked at the conceptual placement and
thought it made a lot of sense.  The hubs are the
cheapest way to do this, and if you save $150 while
increasing the confusion, then IMHO it's not worth it.


--- Jack Lyons <jack.lyons () martinagency com> wrote:
I would like to get people's view points on using 1 hub for all three
locations.

As long as the IP addressing schemes are different, it shouldn't matter,
correct?

Also, you can buy 4 port hubs for under $100...doesn't seem too expensive.

[snip old stuff]



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
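The oversubscription caveat in Jack's reply (three VLANs spanned to one sensor port) is easy to get wrong, because a SPAN destination port only transmits toward the sensor while a full-duplex source mirrored in both directions can generate twice its link speed. The following is an added illustration, not code from the list, from Snort or from any switch vendor: it models each mirrored VLAN by the speed of the port it is observed on plus measured rx/tx utilisation (the figures below are constructed, as are the VLAN names) and compares the mirrored load against what the sensor's port can carry.

```python
"""Rough capacity check for mirroring several VLANs to one IDS sensor port.

Added illustration for the hub-vs-VLAN discussion above; not a Snort or
vendor tool.  Each mirrored VLAN is described by the speed of the port or
uplink it is observed on and by measured rx/tx utilisation in Mb/s.  All
names and numbers below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class MirroredVlan:
    name: str
    link_mbps: float          # speed of the monitored port/uplink
    rx_mbps: float            # observed traffic entering the switch on it
    tx_mbps: float            # observed traffic leaving the switch on it
    direction: str = "both"   # what the SPAN session copies: rx, tx or both

    def _check(self) -> None:
        if self.direction not in ("rx", "tx", "both"):
            raise ValueError(f"{self.name}: bad direction {self.direction!r}")
        if max(self.rx_mbps, self.tx_mbps) > self.link_mbps:
            raise ValueError(f"{self.name}: utilisation exceeds link speed")

    def observed_mbps(self) -> float:
        """Mirror traffic produced at the measured utilisation."""
        self._check()
        if self.direction == "rx":
            return self.rx_mbps
        if self.direction == "tx":
            return self.tx_mbps
        return self.rx_mbps + self.tx_mbps

    def worst_case_mbps(self) -> float:
        """Mirror traffic if the monitored link runs flat out.

        A full-duplex link copied in both directions yields 2x its speed,
        which is the figure that matters when sizing the sensor port.
        """
        self._check()
        return self.link_mbps * (2 if self.direction == "both" else 1)


def span_budget(vlans: list[MirroredVlan], sensor_link_mbps: float) -> dict:
    """Compare mirrored traffic with what the destination port can emit.

    The SPAN destination only *transmits* toward the sensor, so its budget
    is its link speed once, not the 2x a full-duplex host port enjoys.
    Anything above the budget is silently dropped by the switch, and the
    IDS never learns that it missed those frames.
    """
    observed = sum(v.observed_mbps() for v in vlans)
    worst = sum(v.worst_case_mbps() for v in vlans)
    drop_now = max(0.0, 1 - sensor_link_mbps / observed) if observed else 0.0
    return {
        "budget_mbps": sensor_link_mbps,
        "observed_mbps": observed,
        "worst_case_mbps": worst,
        "oversubscribed_now": observed > sensor_link_mbps,
        "oversubscribed_worst_case": worst > sensor_link_mbps,
        "estimated_drop_fraction_now": drop_now,
    }


# Constructed sample: the three segments from the thread.  The outside
# segment sits behind a 10 Mb/s internet link; DMZ and internal are 100 Mb/s.
EXAMPLE_VLANS = [
    MirroredVlan("outside",  link_mbps=10,  rx_mbps=3,  tx_mbps=6),
    MirroredVlan("dmz",      link_mbps=100, rx_mbps=20, tx_mbps=35),
    MirroredVlan("internal", link_mbps=100, rx_mbps=40, tx_mbps=45),
]


def report(vlans: list[MirroredVlan], sensor_link_mbps: float) -> str:
    r = span_budget(vlans, sensor_link_mbps)
    lines = [f"sensor port budget: {r['budget_mbps']:.0f} Mb/s"]
    for v in vlans:
        lines.append(f"  {v.name:<9} now {v.observed_mbps():6.1f}"
                     f"  worst {v.worst_case_mbps():6.1f} Mb/s")
    lines.append(f"total now {r['observed_mbps']:.1f} Mb/s, "
                 f"worst case {r['worst_case_mbps']:.1f} Mb/s")
    if r["oversubscribed_now"]:
        lines.append(f"OVERSUBSCRIBED NOW: ~{r['estimated_drop_fraction_now']:.0%} "
                     "of mirrored frames dropped before the IDS sees them")
    elif r["oversubscribed_worst_case"]:
        lines.append("ok at current load, but drops under peak load")
    else:
        lines.append("ok even at peak load")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(EXAMPLE_VLANS, 100))    # Fast Ethernet sensor port
    print()
    print(report(EXAMPLE_VLANS, 1000))   # Gigabit sensor port
```

With a 100 Mb/s sensor port the three spanned VLANs already exceed the budget at the measured load (149 Mb/s against 100), and the worst case is 420 Mb/s; moving the sensor to a gigabit port, splitting the VLANs across several sensor NICs, or spanning only the direction you need are the usual fixes. The check says nothing about what a hub would have given you instead: a hub shares one collision domain, so the sensor sees every frame but only up to the hub's half-duplex speed.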