Snort mailing list archives
Re: IDS and Firewall
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 28 Apr 2004 21:45:44 -0400
At 09:20 AM 4/28/2004, Kernel The Canine wrote:
Im talking from Security point of view which is better 1) to run it on a separate machine 2) or on the same Firewall machine
From a security point of view, definitely on the separate box. Preferably using a network tap out front for sensing and having a second management interface in a DMZ somewhere.
If you've got the resources, you're always better off in terms of security by isolating systems from each other. Think about the concepts behind having a DMZ. Heck, If we all had infinite firewall ports with infinite bandwidth available, we'd be firewalling every computer in our networks from each other. It would make good sense from a security standpoint, but would be rather expensive.
Even Paul Shaffer, who spoke out about me being overly strong in my warnings, appears to agree that running snort and a firewall on the same box is a compromise for cost reasons.
Personally, I'm of the opinion it's not worth considering at all, even in a cost crunch, but that's an opinion based on my own network designs and threat models. There are others (ie: Paul) who feel it's better to make the compromise in order to gain the benefits of having an IDS on hand. (and having an IDS does help teach you patterns of attack, which in turn helps you strengthen your firewall, so I will agree that Paul's opinion has a lot of validity, it's just not my opinion).
------------------------------------------------------- This SF.Net email is sponsored by: Oracle 10gGet certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE. http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- IDS and Firewall Kernel The Canine (Apr 28)
- Re: IDS and Firewall Ravi (Apr 28)
- Re: IDS and Firewall Marcin Laskowski (Apr 28)
- Re: IDS and Firewall Alejandro Flores (Apr 28)
- Re: IDS and Firewall Kernel The Canine (Apr 28)
- Re: IDS and Firewall Matt Kettler (Apr 28)
- Re: IDS and Firewall Alejandro Flores (Apr 28)
- RE: IDS and Firewall Jim Hendrick (Apr 28)
- Re: IDS and Firewall Matt Kettler (Apr 28)
- <Possible follow-ups>
- RE: IDS and Firewall Shaffer, Paul D (Apr 28)
- Re: IDS and Firewall James Riden (Apr 28)
- RE: IDS and Firewall Shaffer, Paul D (Apr 29)
- Message not available
- RE: IDS and Firewall Matt Kettler (Apr 29)
- Snort Rule Downloading - No Updates Since 4/15? Snortty (Apr 30)
- Message not available