[Snort-users] Alerts from DMZ

Erek Adams erek at ...577...
Tue Nov 20 18:33:03 EST 2001


On Tue, 20 Nov 2001, Petriz, Pablo wrote:

> Thank you Erek, it helps me a lot! but let me graph it
> to understand it better:
>
>  External Net ----- Firewall --------- Internal Net
>                        |                      |
>                       [H]--(1)-- Snort --(2)--+
>                        |
>                       DMZ
> [H]Hub in DMZ
> (1)Read only cable from hub to stealth nic (IP 0.0.0.0)
> (2)Standard cable from 2nd NIC to Internal Net

That's it!  This is a nice handy-dandy secure setup that works well in many
networks, even large ones.

> It looks strange but secure. I think that your comment on
> "Make sure your firewall rules don't allow _any_ traffic
> to the snort box to pass." is unnecessary because for the
> FW the Snort box doesn't exist. Is that right?

Well, the more you deal with security, the more paranoid you become.  :)
IMHO, I want all the levels of protection that I can have.  In some cases, the
second NIC has IPF running on it to prevent anyone on the internal net (except
for the 'main management station') from reaching it.  A little paranoia is a
healthy thing to have... :)  As for the firewall rules, that's personal opinion.
I usually tend to have explicit denies for any traffic to the sensor on any IP.
*shrug*  It might be overkill, but I don't mind the extra security.

Good luck and Happy Snorting!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
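The sensor layout discussed above (stealth NIC on a receive-only cable from the DMZ hub, second NIC on the internal net, IPF on that second NIC, explicit denies on the perimeter firewall), written out as an added example. This is not Erek's or Pablo's configuration. The interface names (fxp0/fxp1), the sensor address, the single management station and the rule-file path are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example for the stealth-sensor layout in the thread above; not the
# original posters' configuration. Interface names, addresses and paths below
# are hypothetical and must be replaced for a real sensor.
STEALTH_IF=${STEALTH_IF:-fxp0}            # NIC on the read-only cable, carries no IP address
MGMT_IF=${MGMT_IF:-fxp1}                  # NIC on the internal net, the only addressed one
SENSOR_IP=${SENSOR_IP:-10.0.0.20}         # hypothetical sensor management address
MGMT_STATION=${MGMT_STATION:-10.0.0.5}    # hypothetical 'main management station'
RULES=${RULES:-/etc/ipf.rules}

# IPF rule set for the sensor's own kernel. ipf uses last-match semantics
# unless a rule says "quick", so the broad blocks come first and the single
# narrow "pass in quick" rule wins only for the traffic it names.
gen_sensor_rules() {
    cat <<EOF
# Stealth NIC: the cable cannot transmit anyway; drop both directions regardless.
block in  quick on $STEALTH_IF all
block out quick on $STEALTH_IF all
# Management NIC: default deny in both directions, log what is dropped.
block in  log on $MGMT_IF all
block out log on $MGMT_IF all
# Only the management station may open SSH to the sensor. "keep state" lets
# the reply packets out without a separate pass-out rule.
pass in quick on $MGMT_IF proto tcp from $MGMT_STATION/32 to $SENSOR_IP/32 port = 22 flags S keep state
EOF
}

# The "explicit deny for any traffic to the sensor on any IP" from the reply,
# as a firewall that also runs ipf would express it (translate for other
# firewalls). "quick" makes these final whatever pass rules follow them.
gen_perimeter_rules() {
    cat <<EOF
block in  log quick from any to $SENSOR_IP/32
block out log quick from any to $SENSOR_IP/32
EOF
}

# Apply on the sensor (needs root). The stealth NIC is brought up with no
# address at all; snort/libpcap puts it into promiscuous mode itself. On Linux
# the equivalent is "ifconfig eth0 0.0.0.0 up".
apply_sensor_config() {
    ifconfig "$STEALTH_IF" up
    gen_sensor_rules > "$RULES"
    ipf -Fa -f "$RULES"                           # flush and load the rule set
    snort -D -i "$STEALTH_IF" -c /etc/snort/snort.conf -l /var/log/snort
}

# Dry run by default (prints both rule sets); "apply" configures the box.
case "${1-}" in
    apply) apply_sensor_config ;;
    *)     gen_sensor_rules; echo; gen_perimeter_rules ;;
esac
```

With these rules the sensor cannot originate any traffic on the management NIC, only answer the management station's SSH session, which is the point of the design: alerts are pulled over SSH rather than pushed. If the box must send syslog or NTP, add a matching "pass out quick ... keep state" rule for that one destination rather than loosening the default block.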