Re: Snort Deployment Suggestions

["Josh Berry" <josh.berry () netschematics com>]

The way my company monitors multiple subnets (not as many as you, around
15) is with a combination of systems.  We use TopLayers IDS Balancer to
aggregate data from our asymetrical routed data center.  Then we feed
everything into a Crossbeam C30 appliance.  Crossbeam makes general
purpose hardened security appliances.  We are running 10 instances of
Snort and the box still runs great.  The box has 2 Gigabit ports and about
16 10/100.

Josh


> Greetings,
>
> I have a need for some experienced feedback/wisdom on Snort deployment.
> I have a large network (50 subnets) that we want to monitor for
> Intrusion Detection.
>
> Initally my plan was to include 3-4 Snort boxes in various strategic
> locations, such as the Backbone, behind the firewall of our core
> servers, and a couple admin specific networks, recording alerts/events
> to a local MySQL server Database, and having a batch script copying
> those various MySQL databases into a single Oracle repository for
> analysis.
>
> After discussion of my plan with management, it was suggested that we
> monitor all 50 subnets for Intrusion attempts. The only cost effective
> way I could think to do this was to have multiple servers with 2-4
> multiport NICs and setup Snort to monitor each individual subnet. I
> would have one server as a MySQL database server, have each
> multiport/MultiNIC machine report back to a local MySQL database, and as
> before, have all of these MySQL Databases write back to a single Oracle
> Repository.
>
> Snort Stack
> +-----------------------+
> |  MySQL Server  |
> +-----------------------+
> +-----------------------+
> |  Snort #1           |
> +-----------------------+
> +-----------------------+
> |  Snort #2           |
> +-----------------------+
> +-----------------------+
> |  Snort #3           |
> +-----------------------+
> +-----------------------+
> |  Snort #4           |
> +-----------------------+
>
> Snort #1-4 being boxes that contain 2-4 Multiport NICs, and saving all
> their alerts up to the MySQL server.
>
> This configuration will be located in 3 locations on campus, and have
> each of the three MySQL databases batch copy the records over to an
> oracle database for analysis.
>
> What advice could any of you offer for my situation? What books have you
> found to good and useful? Has anyone attempted to use multiport NICs to
> monitor multiple Networks?
>
> Any advice you can provide would be greatly appreciated! :D And, if I
> get this configuration to work, I'd be happy to document it and share
> the results.
>
> Thanks,
> Tom
>
> *********************************************************
> * Tom Riley                    tom.riley () uaa alaska edu *
> * Systems Engineer          UAA/ITS Infrastructure Team *
> *                ----------------                       *
> * "What we plant in the soil of contemplation, we shall *
> *   reap in the harvest of action." -Meister Eckhart    *
> *********************************************************
>
>
> *********************************************************
> * Tom Riley                    tom.riley () uaa alaska edu *
> * Systems Engineer          UAA/ITS Infrastructure Team *
> *                ----------------                       *
> * "What we plant in the soil of contemplation, we shall *
> *   reap in the harvest of action." -Meister Eckhart    *
> *********************************************************


Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users