[Snort-users] Alerts from DMZ

Abe L. Getchell abegetchell at ...530...
Tue Nov 20 20:52:03 EST 2001


>  External Net ----- Firewall --------- Internal Net
>                        |                      |
>                       [H]--(1)-- Snort --(2)--´
>                        |
>                       DMZ


> Well, the more you deal with security, the more paranoid you 
> become.  :) IMHO, I want all the levels of protection that I 
> can have.

More paranoid?!  No I'm not, and yes, they're all out to get me. =)  I
personally would take this one step further because I'm a masochist and
enjoy implementing systems which are more secure rather than usable.
Only if myself and the other security guys I work with will be touching
them that is; can't inflict too much stress on the end user. =)

External net-----Firewall---------Internal Net
                   Tap-----Snort-----Hub (Management Network)
                    |                 |
                   DMZ            Management

The above design has the benefit of having the management network
physically separate from the internal network, and the management
workstation hanging off of the management network with no physical link
to the internal network.  Hence, there's no way to access the management
interface on the Snort box without physically being at, and having
console access to, the management workstation.  This design, used in
combination with read-only sniffing cables, network taps (both the
Shomiti or NetOptics which data can't be sent _out_ of), and host based
security mechanisms (NetFilter, SSH, Tripwire, etc.) makes me feel
pretty sure that the sensor is secured from network based access other
than that from the management network.  Now all you have to do is set up
bear traps around the management workstation. =)

This design also has the added bonus of being able to work well in
environments with multiple sensors.  With every sensor you implement,
simply plug the management interface into the management network.  For

External net-----Firewall------------Tap-----Internal Net
                    |                 |
                    |               Snort
                    |                 |
                   Tap-----Snort-----Hub (Management Network)
                    |                 |
                   DMZ            Management

Presto, you have yourself a single point (the management workstation)
for secure management access (over the physically separate management
network) to all of your sensors.  This example does not take physical
limitations into consideration.  These, however, can be overcome with a
whole lotta money and a bunch of strands of fiber. =D


Abe L. Getchell
Security Engineer
abegetchell at ...530...
