[Snort-users] Alerts from DMZ
erek at ...577...
Tue Nov 20 18:33:03 EST 2001
On Tue, 20 Nov 2001, Petriz, Pablo wrote:
> Thank you Erek, it helps me a lot! but let me graph it
> to understand it better:
> External Net ----- Firewall --------- Internal Net
>                       |                      |
>                      [H]--(1)-- Snort --(2)--'
> [H]Hub in DMZ
> (1)Read only cable from hub to stealth nic (IP 0.0.0.0)
> (2)Standard cable from 2nd NIC to Internal Net
That's it! This is a nice handy-dandy secure setup that works well in many
networks, even large ones.
> It looks strange but secure. I think that your comment on
> "Make sure your firewall rules don't allow _any_ traffic
> to the snort box to pass." it's unnecessary because for the
> FW the Snort box doesn't exist. Is that right?
Well, the more you deal with security, the more paranoid you become. :)
IMHO, I want all the levels of protection that I can have. In some cases, the
second NIC has IPF running on it to prevent anyone on the internal net (except
for the 'main management station'). A little paranoia is a healthy thing to
have... :) As for the firewall rules, that's personal opinion. I usually
tend to have explicit deny's for any traffic to the sensor on any IP. *shrug*
It might be overkill, but I don't mind the extra security.
Good luck and Happy Snorting!
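
The IPF filtering on the sensor's second NIC described in the reply above could look like the following ipf.conf. This is an added example, not part of the original message; the interface name fxp1, the addresses (taken from the 192.0.2.0/24 documentation range) and the SSH-only management channel are assumptions.

```conf
# ipf.conf for the sensor's management-side NIC (added example).
# Assumed values, not from the original post:
#   fxp1        second NIC, cabled to the internal net
#   192.0.2.20  address of the sensor on that NIC
#   192.0.2.10  the 'main management station'
# The stealth NIC on the DMZ hub has no IP address and gets no rules here.

# Only the management station may open SSH sessions to the sensor.
# "flags S keep state" admits the initial SYN and then tracks the session,
# so reply packets leave without a separate outbound pass rule.
pass in quick on fxp1 proto tcp from 192.0.2.10/32 to 192.0.2.20/32 port = 22 flags S keep state

# Every other packet arriving from the internal net is dropped and logged.
block in log quick on fxp1 all

# The sensor starts no connections of its own on this NIC. If alerts are
# shipped to the management station, add a specific "pass out" rule for
# that one destination and port above this line.
block out log quick on fxp1 all
```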