[Snort-users] Snort and Firewalls
gbinder at ...462...
Mon Oct 16 06:38:30 EDT 2000
David Harris on Sun, Oct 15, 2000 at 03:28:13PM -0400:
> I have never heard of anyone running snort on their firewall itself...
> Is there a reason for this besides fear of performance hits on the firewall?
I think it is preferable to run your IDS on a system that is not
providing any function to other systems. It is much less likely that
it will be found and attacked, so you always have a second opinion in
case something happens.
> This is what I do on my network... I have my gateway set up using iptables
> my firewall and I have snort (with the ACID frontend) listening on my inside
> interface... This way I can
> have one sensor that sees all the traffic that gets through the firewall
> (which is what I am worried about mostly anyway). Is there something
> bad/wrong about doing this I should know?
Obviously you will never detect attacks that were directed against
your firewall and maybe even successful. You do get a low number of
false-positives (in the sense of unsuccessful attacks), but I would
rather sniff on both sides and select the rules I want to know about
by filtering the logs. Or compare the logs of both interfaces.
If I had to sniff on the firewall, I would definitely write my logs
Gregor Binder <gbinder at ...462...> http://www.sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482
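The "sniff on both sides and compare the logs of both interfaces" approach from the reply above, as an added example that is not part of the original post or of Snort itself. It parses alert lines in a constructed format modelled on Snort's one-line "fast" alert output (the exact field layout, the sensor file contents, the rule SIDs and the addresses are all assumptions made up for this example) and sorts outside-sensor alerts into those also seen by the inside sensor (traffic that got through), those the inside sensor never saw (stopped by, or aimed at, the firewall), and alerts that only exist inside. Matching on (sid, protocol, src, dst) assumes the firewall does not rewrite addresses; behind NAT you would match on SID and a timestamp window instead.

```python
import re
from collections import namedtuple

# Assumed line layout, modelled on Snort "fast" alerts (constructed for this example):
# 10/16-06:38:30.101 [**] [1:1000001:1] MSG [**] [Classification: X] [Priority: N] {PROTO} SRC -> DST
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?(?:\[Priority: \d+\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

Alert = namedtuple("Alert", "ts sid msg proto src dst")

# Constructed sample logs. Firewall is 192.168.1.1, web server 192.168.1.10.
# SIDs 1:100000x:1 are placeholders, not real Snort rule IDs.
OUTSIDE_ALERTS = """
10/16-06:38:30.101 [**] [1:1000001:1] ICMP PING probe [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.1
10/16-06:38:31.202 [**] [1:1000002:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40112 -> 192.168.1.10:80
10/16-06:38:32.303 [**] [1:1000003:1] WEB-MISC admin script access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40113 -> 192.168.1.1:80
"""

INSIDE_ALERTS = """
10/16-06:38:31.205 [**] [1:1000002:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40112 -> 192.168.1.10:80
10/16-06:38:40.000 [**] [1:1000004:1] LOCAL internal SSH scan [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 192.168.1.22:5555 -> 192.168.1.10:22
"""


def parse_alerts(text):
    """Parse every alert line that matches ALERT_RE; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m:
            alerts.append(Alert(**m.groupdict()))
    return alerts


def key(a):
    # Identity of an alert across sensors; assumes no NAT between the two taps.
    return (a.sid, a.proto, a.src, a.dst)


def filter_by_sid(alerts, wanted_sids):
    """Keep only the rules you actually want to hear about (log-side rule selection)."""
    return [a for a in alerts if a.sid in wanted_sids]


def compare_sensors(outside_text, inside_text):
    """Split alerts by whether they were seen on one side of the firewall or both."""
    outside = parse_alerts(outside_text)
    inside = parse_alerts(inside_text)
    inside_keys = {key(a) for a in inside}
    outside_keys = {key(a) for a in outside}
    return {
        "passed": [a for a in outside if key(a) in inside_keys],        # got through
        "stopped": [a for a in outside if key(a) not in inside_keys],   # blocked or aimed at firewall
        "inside_only": [a for a in inside if key(a) not in outside_keys],  # internal origin
    }


def host(addr):
    # Strip a trailing ":port" if present; ICMP destinations have none.
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def against_firewall(result, firewall_ip):
    """Outside-only alerts whose destination is the firewall itself."""
    return [a for a in result["stopped"] if host(a.dst) == firewall_ip]


if __name__ == "__main__":
    result = compare_sensors(OUTSIDE_ALERTS, INSIDE_ALERTS)
    for bucket, alerts in result.items():
        print(bucket)
        for a in alerts:
            print("  ", a.ts, a.sid, a.msg, a.src, "->", a.dst)
    print("aimed at firewall:", [a.msg for a in against_firewall(result, "192.168.1.1")])
```

An alert that appears only on the outside sensor and is addressed to the firewall is exactly the case the reply warns a single inside sensor would miss; an alert present on both sides is the one that warrants a look at the firewall ruleset.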