[Snort-users] Policy routing?

Nicholas Brawn nickbrawn at ...408...
Thu Sep 14 01:34:34 EDT 2000


I've been informed of a wonderful technology called policy routing. This is
what I understand it to be:

Internet <--> external router <--> switch for external network
                         ^
                         |
                         + <--> IDS system

Say I wanted to monitor all traffic destined for my external mail server; I
set up policy routing to route all traffic destined to the mail server through
the IDS system. The IDS system then has a chance to inspect the data before
routing back to the external router, which then sends the data on to the
destination.

The obvious advantages of this are minimising the load involved with
spanning/mirroring a port, and minimising the load on the IDS system so that
it doesn't need to search through *all* data, only that destined to the mail
server.

This is what I understand it to be, if I'm in error, someone please point it
out.

My questions are:
1) What vendors support policy routing in their equipment (i.e., is it
Cisco-specific, etc.)?
2) Assuming I set up policy routing accordingly on the router, what would need
to be done on the Unix side of things to ensure traffic gets to where it needs
to go?
3) Is there a potentially simpler way of achieving this?
4) Has anyone tried this before and can report on any success/problems they
experienced?

Cheers,
Nick

-- 
Secure email preferred. PGP key available on request.
Phone: +61 9025 7571 || Email: nickbrawn at ...408...
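The following is an added example illustrating the diversion the post describes; it is not from the original message or from Snort. It assumes a Cisco IOS router (the route-map/`ip policy` syntax is IOS), a Linux host for the IDS with one interface on a /30 link to the router, and documentation addresses: 203.0.113.25 for the mail server, 198.51.100.1 (router) and 198.51.100.2 (IDS) on the link. Interface names Serial0/Ethernet1/eth0 are hypothetical. Two points a practitioner will want: the route-map is applied only on the Internet-facing interface, because packets the IDS sends back arrive on Ethernet1 and would otherwise be diverted again in a loop; and once diverted this way the IDS host is in the forwarding path, so if it goes down or stops forwarding, mail delivery stops with it.

```shell
#!/bin/sh
# Added example, not part of the original post.  All addresses and
# interface names below are assumptions (RFC 5737 documentation ranges).
#   203.0.113.25     external mail server (behind the switch)
#   198.51.100.0/30  router <-> IDS link: router .1, IDS host .2
MAIL_SERVER="${MAIL_SERVER:-203.0.113.25}"
ROUTER_IDS_IP="${ROUTER_IDS_IP:-198.51.100.1}"
IDS_IP="${IDS_IP:-198.51.100.2}"
IDS_IF="${IDS_IF:-eth0}"

# Router side (Cisco IOS policy routing).  This function only prints the
# configuration; paste it into the router.  Only packets whose destination
# is the mail server match the ACL, so everything else follows the normal
# routing table and never touches the IDS.  The policy is bound to the
# Internet uplink only, so traffic returning from the IDS on Ethernet1 is
# routed normally instead of being diverted a second time.
router_config() {
    cat <<EOF
! Select only traffic destined to the mail server
access-list 101 permit ip any host ${MAIL_SERVER}
!
route-map IDS-DIVERT permit 10
 match ip address 101
 set ip next-hop ${IDS_IP}
!
interface Serial0
 description Internet uplink
 ip policy route-map IDS-DIVERT
!
interface Ethernet1
 description point-to-point link to IDS host
 ip address ${ROUTER_IDS_IP} 255.255.255.252
EOF
}

# Unix (Linux) side.  The diverted packets arrive on eth0 and must be
# forwarded straight back out the same interface to the router, which then
# delivers them to the mail server.  With DRY_RUN=1 (the default) the
# commands are printed instead of executed, so this can be reviewed without
# root; run with DRY_RUN=0 to apply them.
ids_host_config() {
    run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi; }
    # Act as a router for the diverted traffic
    run sysctl -w net.ipv4.ip_forward=1
    # Hairpinned packets go out the interface they came in on; without this
    # the kernel would send ICMP redirects back to the router for each flow
    run sysctl -w "net.ipv4.conf.${IDS_IF}.send_redirects=0"
    run ip addr add "${IDS_IP}/30" dev "${IDS_IF}"
    run ip link set "${IDS_IF}" up
    # Everything the IDS host forwards goes back via the router
    run ip route replace default via "${ROUTER_IDS_IP}" dev "${IDS_IF}"
}

# Usage: print both halves for review.
router_config
ids_host_config
```

Snort then listens on the same interface as usual (`snort -i eth0 ...`) and sees only the diverted mail-server traffic, which is the load reduction the post is after. Note that ACL 101 matches one direction only: to see the mail server's replies as well, a second route-map matching `ip host 203.0.113.25 any` has to be applied on the switch-facing interface, and the same loop caveat applies there.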


