Snort mailing list archives
Re: Snort install
From: Tony Robinson <trobinson () sourcefire com>
Date: Tue, 3 Jul 2012 14:44:33 -0400
I'm not Joel, but best practices for most security devices/appliances usually include ports that perform the security functions and handle service traffic, and a port that is used for administrative/management functions. For example, most firewalls have a management port for configuring the appliance out of band (e.g. dialing into it) or from the protected internal network. This is to prevent access by unauthorized users and to ensure that service traffic is separated from administrative traffic in the event of interface failure. So more or less it's done for both device security and redundancy purposes.

The same concepts apply to Snort. Snort, regardless of whether or not it is deployed inline (IPS) or passively (IDS), is designed to have a network interface (or interfaces) dedicated to just inspecting network traffic, not responding to it, and is therefore very hard to detect by both authorized and unauthorized users. By configuring Snort to sniff traffic on the same interface you intend to manage it from, you open up the possibility of your device being discovered by unauthorized users, resulting in said users attempting to exploit the system or circumvent it. A properly designed Snort system is nearly undetectable, provided the management interface is separate and properly secured. The sniffing interfaces are meant to be very hard to detect.

The other side of this is, if you configure your IPS to be managed from its sniffing interface, you run into the possibility of being unable to remotely manage it if it gets too busy or there is too much traffic going to the sensing interfaces. There exists the possibility that the interface may end up so busy that the OS kernel drops your management traffic, making the system unable to be managed remotely. (Not to mention the possibility of locking yourself out of the system by deploying a rule that may end up dropping your management traffic.)
So to summarize, we recommend a separate management interface to prevent detection of IDS/IPS controls on your network, and also to serve as dedicated remote management in the event the sniffing interface(s) become overloaded and unable to process your management traffic. Hope this helps in your understanding.

-Tony

On Tue, Jul 3, 2012 at 10:48 AM, Pratik Narang <pratik.cse.bits () gmail com> wrote:

Thanks a lot for your reply Joel. Can you elaborate on the reasons for your preference, and the effects that might be there if I choose to *not* go with it? Effects on Snort's accuracy? Performance/speed? Scalability issues at higher bandwidths?

On Tue, Jul 3, 2012 at 7:51 PM, Joel Esler <jesler () sourcefire com> wrote:

You can do that, and many do. I suggest at least having two NICs, however. One for capture and one for management.

On Mon, Jul 2, 2012 at 1:29 AM, Pratik Narang <pratik.cse.bits () gmail com> wrote:

Hi all, I tried installing Snort using the set up guide available for Ubuntu 10.04 at http://www.snort.org/docs. The network topology suggested has an IDS/IPS system and a Management Workstation. What difference will it make to my approach of using Snort if I *do not* have a separate Management Workstation and just use one system for both purposes? What things will differ in snort.conf, in barnyard2.conf, in /etc/network/interfaces from the usual set up guide? Thanks.

-- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
-- Tony Robinson Security Consultant I SourceFIRE Professional Services Division
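A concrete layout of the two-NIC split described in this thread, added here as an example; it is not code from the thread, from Snort, or from Sourcefire. It shows an /etc/network/interfaces stanza with an addressed management interface and an address-less, promiscuous sniffing interface (which is what keeps the sensor from ever answering on the monitored segment), a Snort command line bound to the sniffing interface, and a small check that the sniffing interface carries no routable address. The interface names eth0/eth1, the 192.0.2.0/24 management subnet, the /etc/snort/snort.conf path and the sample `ip -o addr show` text are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: eth0 = management
# NIC, eth1 = sniffing NIC, 192.0.2.0/24 = management subnet.

# /etc/network/interfaces layout (assumed). The management NIC gets an address;
# the sniffing NIC is "inet manual" with no address, brought up promiscuous and
# with ARP disabled so the kernel never sources packets from it. $IFACE is
# expanded by ifupdown, not by this script, hence the single quotes.
INTERFACES_STANZA='
auto eth0
iface eth0 inet static
    address 192.0.2.10
    netmask 255.255.255.0
    gateway 192.0.2.1

auto eth1
iface eth1 inet manual
    up ip link set dev $IFACE up promisc on arp off
    down ip link set dev $IFACE down promisc off
'

# Constructed sample of `ip -o addr show` output for such a host: only the
# management NIC has a globally scoped address; the sniffing NIC has just an
# IPv6 link-local address.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::2/64 scope link \       valid_lft forever preferred_lft forever'

# iface_global_addrs TEXT IFACE
#   Counts the inet/inet6 lines for IFACE in TEXT (the one-line-per-address
#   format of `ip -o addr show`) whose scope is neither host nor link, i.e.
#   addresses that could be reached, and answered from, across the network.
iface_global_addrs() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $2 == ifc && ($3 == "inet" || $3 == "inet6") \
            && $0 !~ /scope link/ && $0 !~ /scope host/ { n++ }
        END { print n + 0 }'
}

# sniff_iface_ok TEXT IFACE
#   Succeeds (exit 0) only if the sniffing interface has no routable address,
#   which is the property that keeps the sensor silent on the monitored segment.
sniff_iface_ok() {
    [ "$(iface_global_addrs "$1" "$2")" -eq 0 ]
}

# snort_cmd IFACE
#   Prints the Snort invocation bound to the sniffing interface; -c, -i and -D
#   are standard Snort options, the config path is an assumption.
snort_cmd() {
    printf 'snort -c /etc/snort/snort.conf -i %s -D\n' "$1"
}

# Stand-alone run: report on the constructed sample.
if sniff_iface_ok "$SAMPLE_IP_ADDR" eth1; then
    echo "eth1 has no routable address: safe to use as the sniffing interface"
    snort_cmd eth1
else
    echo "eth1 carries a routable address: it would be discoverable and manageable traffic could be starved" >&2
fi
```

On a live sensor the same check is `sniff_iface_ok "$(ip -o addr show)" eth1`; run it after `ifup eth1` and before starting Snort, so a stray address on the capture NIC (the situation Tony warns about, where the sensor becomes discoverable and management traffic competes with capture traffic) is caught before the sensor goes into service.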
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort install Pratik Narang (Jul 01)
- Re: Snort install Joel Esler (Jul 03)
- Re: Snort install Pratik Narang (Jul 03)
- Re: Snort install Tony Robinson (Jul 03)
- Re: Snort install Pratik Narang (Jul 03)
- Re: Snort install Joel Esler (Jul 03)