[Snort-users] Where to install Snort

Fyodor fygrave at ...121...
Wed Mar 14 19:15:04 EST 2001

On Tue, Mar 13, 2001 at 09:01:27PM -0500, Chris Kirby wrote:
> Looks like Snort is a great package and I'd like to install it on our production system but have a question about where to place it.
> Our Internet connection connects to the public interface on our high availability SunScreen EFS firewalls, the DMZ interface on the firewalls then connect to high availability F5 BigIP load balancers, which then connect to the subnet that contains our webserver farm. 
> Since I wouldn't want to implement a single point of failure, putting in a single Snort box is not really the way to go. Can it be safely installed on the firewalls (which are also processing packets) or should they be installed on the webservers directly? What is the performance hit, if any, like?
> Any info I can get would be great.

I'd actually install snort on the link behind the firewall and just infront of your webserver. (or one of the webservers, if they share the same network media), installing on extrenal interface of firewall would probably give you too much skript-kiddie noise.

More information about the Snort-users mailing list