[Snort-users] Preferrable location?

Abe L. Getchell abegetchell at ...530...
Mon Nov 19 21:28:02 EST 2001

Hi Neil,

To (hopefully) answer your questions:

A) There are many schools of thought on this question.  Try searching
the archives of the SecurityFocus IDS list
(http://www.securityfocus.com/); you'll find many good answers and
opinions there.  I, personally, would put one sensor on the outside of
the firewall and one sensor on the inside of the firewall.  This will
allow you to see what kinds of attacks are launched at your internal
network and perimeter devices but don't necessarily make it past your
firewall, as well as lets you see what successfully slips past your
firewall into your internal network.  If only one sensor is available to
be used, I would place it inside of the firewall.  This way, you are
assured to only see what makes it past your firewall and into your
internal network... The stuff you _really_ have to worry about.

B) Well, it depends what purpose the two NICS are going to serve.  You
could always have two interfaces sniffing two different segments of your
internal network.  More commonly, you would have one interface which is
acting as the sniffing interface and one interface for out-of-band
management.  This is most likely what you're referring too, and seen as
a standard practice in most large IDS implementations.  It's a good
idea, if possible, to segment off the out-of-band management interface
onto it's own protected (preferably physically separate) network.  If an
intruder were too compromise one of these boxes, it's 'game over'.  Not
only can you not trust your forensic data for your own purposes at that
point, but it will never hold up in a court of law.

C) Heh, good question.  I'm sure you'll get many opinions from the folks
here about what OS is the best for Snort. =)  If I remember correctly,
Snort is developed on one of the BSDs.  That makes a strong case for
running Snort on that platform IMHO.  However, I personally use Linux as
my choice for network sensors as it is what I am familiar with and can
most easily manage.  Performs great on Linux and has rock solid
stability with a little work.  I would steer away from implementing it
on the Windows platform, not because the Win32 port isn't of inferior
quality or lacks features, it's a great piece of code, but because of
security issues in the underlying OS... And the recent stance of
Microsoft with full disclosure... And yadda yadda yadda... =)

Hope I helped.


Abe L. Getchell
Security Engineer
abegetchell at ...530...

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Ronneil Camara
> Sent: Monday, November 19, 2001 9:06 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Preferrable location?
> Hi,
> I've got some questions.
> a) Where would be the preferrable location of snort box on a 
> network with firewall (internal, dmz)? Do I need more than 1 snort?
> b) What would be the advantage of having 2 nics on a snort box?
> c) What o.s. is recommended for snort?
> Thanks.
> Neil
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/s> nort-users
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=ort-users

More information about the Snort-users mailing list