Re: Snort Deployment Configurations

[Bamm Visscher <bamm.visscher () gmail com>]

I most definitely deploy multiple sensors in various locations running
different rulesets (and potentially gathering different data types). I
expect most successful NSM deployments do the same. When deploying
sensors, the best advice I can give is put as much  (more?) focus on
the perceived threat as you do on your infrastructure. Don't fall into
the infrastructure security stigma (i.e "IDS goes w/the FW". "IDS
monitoring to meet compliance requirements of critical assets", etc).
Instead, first look at the threats you face and how those actors may
exploit weaknesses within your infrastructure to gain access to the
data they desire. Then determine which locations on your network best
leverage your ability to detect and respond to incidents from these
actors.

Most of the time, this process will lead to the deployment of many
(smaller) sensors versus one sensor to rule them all. I expect dollars
and perceived simplicity drive the "one sensor" mentality, but in my
experience, it's at the cost of reduced ability to detect and respond
to security incidents.

Bamm


On Thu, Feb 3, 2011 at 7:31 PM, Michael Lubinski
<michael.lubinski () gmail com> wrote:
> I find myself thinking more and more in the realm of NSM and Snort. I have
> been running different theoretical deployment situations in my head on how /
> where I would deploy a snort sensor. I thought "Why don't I just ask the
> people that work with it everyday." I would imagine running Snort on the
> outside of your network would net a different set of rules being active as
> would a Snort sensor running internally.
> Does anyone run Snort in multiple locations with varied purposes like this
> example?
> Before I started to really dig into snort I always thought of it as a inline
> gateway monitor / filter between you and the world, but the more I learn
> that it can be much more universal depending on the rules included.
> What other considerations might someone new to snort such as myself overlook
> at first thought?
>
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users