[Snort-users] Snort Implementation Guide - ACID-MySQL-Redhat7 .2

Jack Lyons jack.lyons at ...6422...
Tue Jul 23 12:13:14 EDT 2002


I agree about the SPOF statement.

When you say

> If the switches support it, dump the hubs in the DMZ and Internal and
> use port monitoring.

That makes sense but I think that you could almost make an argument to get
rid of the switches.
- they are more complex to maintain
- they are more expensive
- the dedicated bandwidth and full duplex to the machine may not be an
issue....usually the bottleneck will be the connection to the internet or
the firewall.

WRT one hub....what about a L2 switch with 3 separate VLANs.  Depending on
the switch you can span a port for each VLAN and point it at the IDS
sensor...you would have to be careful about oversubscribing the port
connected to the IDS sensor.



> -----Original Message-----
> From: Jason [mailto:jason at ...5028...]
> Sent: Tuesday, July 23, 2002 2:29 PM
> To: twig les
> Cc: Jack Lyons; 'Iñaki_Martínez'; Steve Scott;
> snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort Implementation Guide -
> ACID-MySQL-Redhat7 .2
> 
> 
> I think that the hubs can be a liability for a couple of reasons.
> 
> 1) Additional SPOFs. But if you only have a hub and can't get funding
> then a little downtime to the cloud is likely acceptable on failure.
> 
> 2) You will definitely miss any host to host traffic that 
> does not cross
> a boundary. In some cases this may be acceptable but I would 
> argue that
> in nearly all cases of a DMZ it is not and anything larger 
> than a small
> network should pay attention to internal host to host traffic.
> Intellectual Property violations and outright data theft can kill a
> company quick. Is the number still 80% of attacks are internal?
> 
> If the switches support it, dump the hubs in the DMZ and Internal and
> use port monitoring.
> 
> WRT One hub. NO,NO,NO,NO,NO,BAD DOGGY!
> If you own one box on any segment you can see and get to any other
> connected segment.
> 
> Jason.
> 
> twig les wrote:
> > 
> > Actually I just looked at the conceptual placement and
> > thought it made a lot of sense.  The hubs are the
> > cheapest way to do this, and if you save $150 while
> > increasing the confusion, then IMHO it's not worth it.
> > 
> > 
> > --- Jack Lyons <jack.lyons at ...6422...> wrote:
> > > I would like to get people's view points on using 1
> > > hub for all three
> > > locations.
> > >
> > > As long as the IP addressing scheme are different,
> > > it shouldn't matter
> > > correct?
> > >
> > > Also, you can buy 4 port hubs for under
> > > $100...doesn't seem too expensive.
> > >
> [snip old stuff]
> 

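An added example, not part of the thread and not Snort code, for the oversubscription concern raised above. A SPAN session copies both directions of each monitored full-duplex link onto the single transmit side of the sensor port, so mirroring three VLANs into one 100 Mbps sensor port can exceed that port's capacity well before any single monitored link is busy. The VLAN names, link speeds and utilisation figures below are constructed for illustration.

```python
# Added example (not from the thread): estimate whether a single IDS sensor
# port would be oversubscribed when several VLANs are mirrored (SPAN'd) into it.
# Assumptions (constructed): three VLANs standing in for the external, DMZ and
# internal segments discussed in the thread, on full-duplex links, with the
# sensor attached to one 100 Mbps switch port.

SAMPLE_VLANS = [  # constructed sample input
    {"name": "external", "link_mbps": 10,  "utilisation": 0.5},
    {"name": "dmz",      "link_mbps": 100, "utilisation": 0.25},
    {"name": "internal", "link_mbps": 100, "utilisation": 0.5},
]


def mirrored_load_mbps(link_mbps, utilisation, full_duplex=True):
    """Traffic a mirror session must copy toward the sensor port.

    Both rx and tx of a monitored full-duplex link are copied, but the
    sensor port only has one egress direction, so a link that is X% busy
    in each direction produces up to 2 * X% of its rate in mirrored traffic.
    """
    if not 0.0 <= utilisation <= 1.0:
        raise ValueError("utilisation must be a fraction between 0 and 1")
    directions = 2 if full_duplex else 1
    return link_mbps * utilisation * directions


def span_budget(vlans, sensor_port_mbps):
    """Sum mirrored load over all monitored VLANs and compare with capacity.

    Returns the expected load, the worst case (every link saturated in both
    directions), a per-VLAN breakdown and two flags: whether the sensor
    port is oversubscribed now and whether it could be at peak.
    """
    per_vlan = {
        v["name"]: mirrored_load_mbps(v["link_mbps"], v["utilisation"])
        for v in vlans
    }
    expected = sum(per_vlan.values())
    worst_case = sum(mirrored_load_mbps(v["link_mbps"], 1.0) for v in vlans)
    return {
        "per_vlan_mbps": per_vlan,
        "expected_mbps": expected,
        "worst_case_mbps": worst_case,
        "sensor_port_mbps": sensor_port_mbps,
        "oversubscribed": expected > sensor_port_mbps,
        "can_oversubscribe_at_peak": worst_case > sensor_port_mbps,
    }


def report(vlans, sensor_port_mbps):
    """Human-readable summary; packets beyond capacity are simply dropped by
    the switch, so the sensor silently misses traffic without any alert."""
    r = span_budget(vlans, sensor_port_mbps)
    lines = [f"sensor port: {sensor_port_mbps} Mbps"]
    for name, load in r["per_vlan_mbps"].items():
        lines.append(f"  {name:<10} mirrored {load:.1f} Mbps")
    lines.append(f"expected total: {r['expected_mbps']:.1f} Mbps "
                 f"({'OVERSUBSCRIBED' if r['oversubscribed'] else 'ok'})")
    lines.append(f"worst case:     {r['worst_case_mbps']:.1f} Mbps "
                 f"({'can drop at peak' if r['can_oversubscribe_at_peak'] else 'ok'})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_VLANS, 100))
```

With the constructed figures, the three VLANs already push 160 Mbps of mirrored traffic at a 100 Mbps sensor port, and 420 Mbps if every link saturates, so the practical choices are a faster sensor port, a sensor NIC per VLAN, or mirroring only the segments that matter most.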