[Snort-users] Using snort on a switched network

Erik Fichtner emf at ...367...
Sun Jan 6 11:13:02 EST 2002


On Sun, Jan 06, 2002 at 11:21:37AM -0700, Linux Boy wrote:
>       One quick question.  How does snort do NID on a switched network?  Is 
> it less productive on a switched network?  The reason is that I am on a 
> switched network and would like to use snort.  However, my whole network is 
> behind our firewall and many people suggested not to run snort on the same 
> machine as the firewall.  So if I run snort on another machine outside the 
> firewall, but on the same network as the firewall (also switched), will 
> snort detect port scans, etc. directed towards my firewall and machines 
> behind it?  If so, how does it work?  Thanks in advance.

This should be a FAQ.

There are several ways you can do this.

1) You can run snort on the firewall.  This is a reasonable way to 
do things if you have distributed firewalls, or you have a centralized 
firewall that is way overpowered for the amount of network traffic you
pass.   (If you're running a nice P3 machine, you won't have to worry 
about it unless you're passing about 20-30Mbit/sec of traffic, and then
you probably have a budget that allows for something better.)

The reason people tell you not to do this is more because it adds a 
potential vector for compromise of the firewall should bugs in Snort
be discovered, and less because of a performance issue.

2) If you have a midrange/high-end managed switch, you undoubtedly have
a feature called a "mirror port" or a "span port".  RTFM.  This allows 
you to duplicate all traffic seen on a vlan into one port for IDS purposes.

3) You can buy a cheap hub and plug it in between your uplink and your
core switch.  Given that your LAN is probably 100Mbit (no one runs 10Mbit
switches anymore, right?) and your uplink to the world via the firewall
is undoubtedly less than 100Mbit, your uplink is *already* a bottleneck.
You won't notice the hub.  (Do make sure you force the switch uplink
port to half duplex, or you'll spend hours tracking down weird network
issues.)  Then plug your IDS into the hub.  A couple of switches, hubs,
spanning-tree, and (dual port nic+two instances of snort | two snort boxes)
can solve your single point of failure problem.

4) You can buy a passive inline tap.  Search the web.  These are 
nifty devices, but they do screw your flows up and only allow you to see
one direction of traffic.  Not recommended unless you have a magic box
that can reassemble the flows on the back side of the taps and distribute
them to your NIDS machines properly (like a TopLayer AppSwitch).

5) You can run snort everywhere you can, on every host, everywhere, and
use centralized logging (syslog, snortdb, whatever) to collect data.
This is a management hassle, but it also lets you fine tune each host
fairly well.  YMMV.  You should have centralized logging *anyway*.

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
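The thread's core point is that a plain switch port only delivers the sensor's own unicast plus broadcast/multicast, while a span port, hub or tap also delivers unicast between other hosts. The following added example (not from the original post or from the Snort project) parses raw Ethernet frames and reports which of those two situations the sniffing interface is in; the sample frames and MAC addresses are constructed, and in practice you would feed it frames read from the capture interface.

```python
import struct

BROADCAST = b"\xff" * 6

def parse_frame(frame):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])

def classify_visibility(frames, sensor_mac):
    """Bucket frames by whether a plain switch port would have delivered them.

    own     : sensor is source or destination (any port sees these)
    flooded : broadcast/multicast destination (any port sees these)
    foreign : unicast between two other hosts (only a span port, hub
              or tap delivers these to the sensor)
    """
    counts = {"own": 0, "flooded": 0, "foreign": 0}
    for frame in frames:
        dst, src, _ = parse_frame(frame)
        if sensor_mac in (dst, src):
            counts["own"] += 1
        elif dst == BROADCAST or dst[0] & 0x01:  # group bit set = multicast
            counts["flooded"] += 1
        else:
            counts["foreign"] += 1
    return counts

def sensor_sees_segment(frames, sensor_mac):
    """True once any foreign unicast frame is seen: the mirror/hub is working."""
    return classify_visibility(frames, sensor_mac)["foreign"] > 0

def _frame(dst, src, etype=0x0800):
    # Constructed frame: Ethernet header plus a dummy minimum payload.
    return struct.pack("!6s6sH", dst, src, etype) + b"\x00" * 46

# Constructed locally-administered MACs for the sensor, firewall and a host.
SENSOR = bytes.fromhex("0200000000aa")
FW = bytes.fromhex("0200000000fe")
HOST = bytes.fromhex("020000000011")

# What a plain switch port delivers: own unicast and an ARP broadcast.
SWITCHED_ONLY = [_frame(SENSOR, FW), _frame(BROADCAST, HOST, 0x0806)]
# What a span port or hub delivers: the above plus firewall<->host unicast.
MIRRORED = SWITCHED_ONLY + [_frame(FW, HOST), _frame(HOST, FW)]

if __name__ == "__main__":
    for name, sample in (("switch port", SWITCHED_ONLY), ("span/hub", MIRRORED)):
        print(name, classify_visibility(sample, SENSOR), sensor_sees_segment(sample, SENSOR))
```

A sensor that reports zero foreign frames after a few minutes on a busy segment is almost certainly plugged into an ordinary switch port rather than the mirror port.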

