Snort mailing list archives

Fw: Snort Sensor Placement Outside Firewall


From: "Tom Sevy" <tsevy () epx com>
Date: Thu, 26 Jun 2003 10:52:16 -0400

Put it on the outside for testing -- you should get more data than on the
inside.  Then decide after the testing about where to position it as Erek
said.

On Wed, 25 Jun 2003, Michael Steele wrote:

You forgot to mention the time that may be involved in sorting through the
massive amount of data with a sensor on the outside.

More like "didn't mention" vs. "forgot".  Usually unless someone is just
feeling masochistic, the information overload from outside the firewall is
usually changed/toned down ASAP.

What could be some of the possibilities that make that scenario a possible
solution, when the IDS could or should in most cases be placed on the near
side of the firewall?

http://www.theadamsfamily.net/~erek/snort/ids_placement.txt

That one has been beaten to death so many times it's not even funny.  You
can place it before or after the FW, but I think that's a choice that has
to be made after testing.  I don't think there is a hard and fast answer
to 'where?'.  You're going to almost always have to test/retest to check
out how it works and how you want to handle it.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




