[Snort-users] Where to install Snort

shawn . moyer shawn at ...1184...
Tue Mar 13 22:00:29 EST 2001

Chris Kirby wrote:

> Since I wouldn't want to implement a single point of failure, putting
> in a single Snort box is not really the way to go. Can it be safely
> installed on the firewalls (which are also processing packets) or
> should they be installed on the webservers directly? What is the
> performance hit, if any, like?

On the redundancy question, you can set up multiple Snort boxen for each
redundant segment,  logging to a central database. Check out
http://www.incident.org/snortdb and http://www.cert.org/kb/acid for more
info on db logging.

I'd personally advise against running Snort on the Suncreen boxen or the
web servers unless you have a pretty low traffic network -- say, under 5
Mbps average or so. If your traffic is high, it can definitely pound
your proc pretty hard. It's also cleaner to have logical separation of
services / boxes.

As far as where to set Snort itself up, this is a pretty big
philosophical question, actually. The short answer is: it depends. :) 

If you want to collect a lot of data, and see every attack your network
is being hit with, whether it's relevant to your configuration or not,
then set Snort up outside the perimeter, i.e. on a span port on the
switches outside of you firewalls. This kind of  setup means not all of
your alerts will be of the "oh shit!" variety, and requires a little
more expertise to sift through for the relevant stuff. This can be
useful in educating management about the volume of attack attempts you
get and helps to justify a security budget. :)

If you want a very focused IDS, setup Snort behind the firewall, with a
more stripped down ruleset that applies to your particular services.
This will generate a lot less information, but the alerts you do get
should generally be more valid (i.e. "bona fide" attack attempts or
anomalous traffic). 

In my mind, the ideal setup is to have both, but if you gotta pick one,
the general consensus is to set up your IDS on the inside.



s h a w n   m o y e r
shawn at ...1184...

The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

					-- Zelazny

More information about the Snort-users mailing list