Snort mailing list archives

Re: Snort install


From: Tony Robinson <trobinson () sourcefire com>
Date: Tue, 3 Jul 2012 14:44:33 -0400

I'm not Joel,

but best practices for most security devices/appliances usually include
ports that perform the security functions, and handle service traffic, and
a port that is used for administrative/management functions. For example,
most firewalls have a management port for configuring the appliance out of
band (e.g. dialing into it) or from the protected internal network. This is
to prevent access to unauthorized users and to ensure that service traffic
is separated from administrative traffic in the event of interface failure.
So more or less it's done for both device security and redundancy purposes.

The same concepts apply to Snort. Snort, regardless of whether or not it is
deployed inline (IPS) or passively (IDS), is designed to have a network
interface (or interfaces) dedicated to just inspecting network traffic, not
responding to it, and therefore is very hard to detect by both authorized
and unauthorized users. By configuring Snort to sniff traffic on the same
interface you intend to manage it from, you open up the possibility of your
device being discovered by unauthorized users, resulting in said users
attempting to exploit the system or circumvent it. A properly designed
Snort system is nearly undetectable, provided the management interface is
separate and properly secured. The sniffing interfaces are meant to be very
hard to detect.

The other side of this is, if you configured your IPS to be managed from
its sniffing interface, you run into the possibility of being unable to
remotely manage it if it gets too busy or there is too much traffic going
to the sensing interfaces. There exists the possibility that the interface
may end up so busy that the OS kernel drops your management traffic, making
the system unable to be managed remotely. (Not to mention the possibility
of locking yourself out of the system by deploying a rule that may end up
dropping your management traffic.)

So to summarize, we recommend a separate management interface to prevent
detection of IDS/IPS controls on your network, and also to serve as
dedicated remote management in the event the sniffing interface(s) become
overloaded and unable to process your management traffic. Hope this helps
in your understanding.

-Tony

On Tue, Jul 3, 2012 at 10:48 AM, Pratik Narang <pratik.cse.bits () gmail com> wrote:

Thanks a lot for your reply Joel. Can you elaborate on the reasons for your
preference, and the effects that might be there if I choose to *not* go
with it? Effects on Snort's accuracy? Performance/speed? Scalability issues
at higher bandwidths?


On Tue, Jul 3, 2012 at 7:51 PM, Joel Esler <jesler () sourcefire com> wrote:

You can do that, and many do.  I suggest at least having two NICs
however.  One for capture and one for management.



On Mon, Jul 2, 2012 at 1:29 AM, Pratik Narang <pratik.cse.bits () gmail com> wrote:

Hi all,

I tried installing Snort using the set up guide available for Ubuntu
10.04 at http://www.snort.org/docs. The network topology suggested has
an IDS/IPS system and a Management Workstation. What difference will it make
to my approach of using Snort if I *do not* have a separate
Management Workstation and just use one system for both purposes? What
things will differ in snort.conf, in barnyard2.conf, in
/etc/network/interfaces from the usual set up guide?

Thanks.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

-- 

 Tony Robinson
Security Consultant I
SourceFIRE Professional Services Division
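As an added example (not code from Tony's message, the Snort project, or the setup guide), here is a small POSIX shell check that parses an ifupdown-style /etc/network/interfaces, the file Pratik asked about, and confirms the split Tony describes: the sniffing NIC is brought up "manual" with no IP address and promiscuous mode on, while a different NIC carries the management address. The interface names eth0/eth1, the sample config text and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example: verify that a Snort sensor's ifupdown config keeps the
# sniffing NIC and the management NIC separate. All names and config
# text below are constructed, not taken from a real deployment.

# Constructed "good" config: eth0 is management (has an address), eth1 is
# the sniffing NIC: no address, brought up manually, promiscuous, ARP off.
SAMPLE_CONFIG='auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.0.2.10
    netmask 255.255.255.0
    gateway 192.0.2.1

auto eth1
iface eth1 inet manual
    up ip link set $IFACE up promisc on arp off
    down ip link set $IFACE down promisc off
'

# Constructed "bad" config: the sniffing NIC was given an address, so the
# sensor is reachable (and discoverable) on the very link it inspects.
BAD_CONFIG='auto eth1
iface eth1 inet static
    address 192.0.2.20
    netmask 255.255.255.0
    up ip link set $IFACE promisc on
'

# stanza_for <config> <iface>: print the "iface <name> ..." line plus the
# option lines that follow it, stopping at the next blank line.
stanza_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^iface / { inside = ($2 == want) }
        /^$/      { inside = 0 }
        inside    { print }
    '
}

# check_sniff_iface <config> <iface>: 0 only if the interface is
# "inet manual", has no address/gateway, and is put in promiscuous mode.
check_sniff_iface() {
    stanza=$(stanza_for "$1" "$2")
    [ -n "$stanza" ] || return 1
    printf '%s\n' "$stanza" | grep -q "^iface $2 inet manual" || return 1
    printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*(address|gateway)[[:space:]]' && return 1
    printf '%s\n' "$stanza" | grep -q 'promisc on' || return 1
    return 0
}

# check_mgmt_iface <config> <iface>: 0 only if the interface gets an
# address (static or dhcp), i.e. it can actually be reached for management.
check_mgmt_iface() {
    stanza=$(stanza_for "$1" "$2")
    [ -n "$stanza" ] || return 1
    printf '%s\n' "$stanza" | grep -Eq "^iface $2 inet (static|dhcp)" || return 1
    return 0
}

# check_separation <config> <sniff_iface> <mgmt_iface>: the two roles must
# live on different NICs, and each NIC must be configured for its role.
check_separation() {
    [ "$2" != "$3" ] || return 1
    check_sniff_iface "$1" "$2" && check_mgmt_iface "$1" "$3"
}

# Stand-alone run: report the verdict for the constructed sample.
if check_separation "$SAMPLE_CONFIG" eth1 eth0; then
    echo "OK: eth1 sniffs with no address, eth0 carries management"
else
    echo "WARN: sniffing and management roles are not cleanly separated"
fi
```

With a layout like the sample, Snort is pointed at the address-less NIC (snort -i eth1) and SSH or Barnyard2's database traffic goes out over eth0, so a rule that drops traffic seen on eth1 cannot cut off your own management session, and nothing on the inspected segment has an address to probe.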
