Snort mailing list archives
RE: Snort Implementation Guide - ACID-MySQL-Redhat7 .2
From: Jack Lyons <jack.lyons () martinagency com>
Date: Tue, 23 Jul 2002 15:12:00 -0400
I agree about the SPOF statement. When you say
If the switches support it, dump the hubs in the DMZ and Internal and use port monitoring.
That makes sense but I think that you could almost make an argument to get rid of the switches.
- they are more complex to maintain
- they are more expensive
- the dedicated bandwidth and full duplex to the machine may not be an issue....usually the bottleneck will be the connection to the internet or the firewall.

WRT one hub....what about a L2 switch with 3 separate VLANs? Depending on the switch you can span a port for each VLAN and point it at the IDS sensor...you would have to be careful about oversubscribing the port connected to the IDS sensor.
-----Original Message-----
From: Jason [mailto:jason () brvenik com]
Sent: Tuesday, July 23, 2002 2:29 PM
To: twig les
Cc: Jack Lyons; 'Iñaki_Martínez'; Steve Scott; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Implementation Guide - ACID-MySQL-Redhat7 .2

I think that the hubs can be a liability for a couple of reasons.

1) Additional SPOFs. But if you only have a hub and can't get funding then a little downtime to the cloud is likely acceptable on failure.

2) You will definitely miss any host to host traffic that does not cross a boundary. In some cases this may be acceptable but I would argue that in nearly all cases of a DMZ it is not and anything larger than a small network should pay attention to internal host to host traffic. Intellectual Property violations and outright data theft can kill a company quick. Is the number still 80% of attacks are internal?

If the switches support it, dump the hubs in the DMZ and Internal and use port monitoring.

WRT One hub. NO,NO,NO,NO,NO,BAD DOGGY! If you own one box on any segment you can see and get to any other connected segment.

Jason.

twig les wrote:

Actually I just looked at the conceptual placement and thought it made a lot of sense. The hubs are the cheapest way to do this, and if you save $150 while increasing the confusion, then IMHO it's not worth it.

--- Jack Lyons <jack.lyons () martinagency com> wrote:

I would like to get people's view points on using 1 hub for all three locations. As long as the IP addressing schemes are different, it shouldn't matter, correct? Also, you can buy 4 port hubs for under $100...doesn't seem too expensive.

[snip old stuff]