[Snort-users] Alerts from DMZ
ppetriz at ...3815...
Tue Nov 20 13:09:26 EST 2001
Thank you Erek, it helps me a lot! but let me graph it
to understand it better:
External Net ----- Firewall --------- Internal Net
[H]--(1)-- Snort --(2)--´
[H]Hub in DMZ
(1)Read only cable from hub to stealth nic (IP 0.0.0.0)
(2)Standard cable from 2nd NIC to Internal Net
It looks strange but secure. I think that your comment on
"Make sure your firewall rules don't allow _any_ traffic
to the snort box to pass." it´s unnecessary because for the
FW the Snort box doesn´t exists. It´s that right?
Thank you again Erek.
De: Erek Adams [mailto:erek at ...577...]
Enviado el: martes 20 de noviembre de 2001 13:50
Para: Petriz, Pablo
CC: snort-users at lists.sourceforge.net
Asunto: Re: [Snort-users] Alerts from DMZ
On Tue, 20 Nov 2001, Petriz, Pablo wrote:
> I want to install Snort with a stealth interface to sniff on
> DMZ and i want Snort to send alerts to some NT boxes on the
> Internal Net in a secure (best secure) way.
> I have this instalation:
> External Net ----- Firewall ------- Internal Net
> |- Snort
> The FW allows some traffic btw ExtNet<->DMZ, some
> from IntNet->DMZ and blocks btw ExtNet<->IntNet.
Add a second NIC card on the snort box. Connect 2nd NIC to the internal net
with an IP. Make sure your firewall rules don't allow _any_ traffic to the
snort box to pass. Build a read only cable and place that cable on your
stealth interface. Now, your box will be happy, you can connect to it from
inside your net, but no other way.
Hope that helps!
More information about the Snort-users