Re: Snort Placement

[Paul Halliday <paul.halliday () gmail com>]

On 10 Oct 2004 15:34:49 +0200, Jose Maria Lopez <jkerouac () bgsec com> wrote:
> El sáb, 09 de 10 de 2004 a las 21:48, Paul Ryan escribió:
> > I was hoping to get input on the best placement of my snort box.
> >
> > This box is to be used to track traffic to the Internet from my corporate
> > LAN. The traffic traverses a PIX before hitting the Internet, subsequently
> > all outside destined traffic is NAT'd to one public IP.
> >
> > If I place on the outside of the firewall - all source IP's are the NAT,
> > which is useless is tracking offenders on my LAN.
> > Placing it before the PIX - brings up some challeges ...

How so? your pix must at some point be plugged into a switch or a
router. If it is a managed switch try a span port, if it is not tap
the line. Taps are really overpriced so just find yourself a nice
managed switch and intercept the line.  You can easilly watch all of
your internal traffic from the management port on the switch.

> > The PIX has a Inside, DMZ and Outside interface.
> >
> > What do u think ?
> >
> > Regards,
> >
> > paul
>
> If you really want to track the offenders in your LAN you need to place
> the snort sensor inside the firewall, but I would also put another
> sensor outside the firewall. This is my favorite configuration, because
> you have a sensor outside the firewall that can see all the attacks to
> your LAN and an inner one that only sees what's been let in by the
> firewall. The inner one it's the most important because it's telling
> you what attacks are bypassing the firewall, and the outer one can
> give you a good view of all the attacks you are having.
>
> --
> Jose Maria Lopez Hernandez
> Director Tecnico de bgSEC
> jkerouac () bgsec com
> bgSEC Seguridad y Consultoria de Sistemas Informaticos
> http://www.bgsec.com
> ESPAÑA
>
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
>                 -- Jack Kerouac, "On the Road"
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?listsnort-users


-- 
_________________
Paul Halliday
http://dp.penix.org

"Diplomacy is the art of saying "Nice doggie!" till you can find a rock."


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users