[Snort-users] Snort Implementation Guide - ACID-MySQL-Redhat7.2

Jason security at ...5028...
Tue Jul 23 12:45:06 EDT 2002


Had to change the from, other posts are awaiting moderator approval.
Inline...
( It's odd having a conversation before it hits list. )

Jack Lyons wrote:
> 
> I agree about the SPOF statement.
> 
> When you say
> 
> > If the switches support it, dump the hubs in the DMZ and Internal and
> > use port monitoring.
> 
> That makes sense but I think that you could almost make an argument to get
> rid of the switches.
> - they are more complex to maintain
> - they are more expensive
> - the dedicated bandwidth and full duplex to the machine may not be an
> issue....usually the bottleneck will be the connection to the internet or
> the firewall.

This is really a grey area IMHO. 
On small networks and segments possibly but then there is no switch to
begin with and you just plug into the existing hub. If there are
services provided that handle any kind of traffic or have any need for
performance then a switch will likely be in use. Plug in 10 M$ boxes and
a server on a hub in your typical small business and all kinds of things
go to crap, not having funds for better usually makes it a live with
decision, until it kills productivity.

For a DMZ and external pipes it's really a measure of utilization and
value. If the pipe is only for email sure a hub is fine in most cases.
Then you could just plug it directly into the firewall with a crossover
and let the external sensor cover it with a decently tuned set of rules.
Anything beyond that or mission critical and it really requires more
information.

> 
> WRT one hub....what about a L2 switch with 3 separate VLANs.  Depending on
> the switch you can span a port for each vlan and point it at the IDS
> sensor...you would have to be careful about oversubscribing the port
> connected to the IDS Sensor

Ahh, raises the bar but it is not impossible to circumvent a VLAN. There
are some pretty good papers about this on the net, ultimately it comes
down to VLANs were designed to limit broadcast traffic not for security.
It certainly is an option but I would recommend against it if possible.
You would be mixing traffic from differing zones which is generally a
Bad Thing.

Regards,
Jason

> 
> > -----Original Message-----
> > From: Jason [mailto:jason at ...5028...]
> > Sent: Tuesday, July 23, 2002 2:29 PM
> > To: twig les
> > Cc: Jack Lyons; 'Iñaki_Martínez'; Steve Scott;
> > snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Snort Implementation Guide -
> > ACID-MySQL-Redhat7 .2
> >
> >
> > I think that the hubs can be a liability for a couple of reasons.
> >
> > 1) Additional SPOFs. But if you only have a hub and can't get funding
> > then a little downtime to the cloud is likely acceptable on failure.
> >
> > 2) You will definitely miss any host to host traffic that
> > does not cross
> > a boundary. In some cases this may be acceptable but I would
> > argue that
> > in nearly all cases of a DMZ it is not and anything larger
> > than a small
> > network should pay attention to internal host to host traffic.
> > Intellectual Property violations and outright data theft can kill a
> > company quick. Is the number still 80% of attacks are internal?
> >
> > If the switches support it, dump the hubs in the DMZ and Internal and
> > use port monitoring.
> >
> > WRT One hub. NO,NO,NO,NO,NO,BAD DOGGY!
> > If you own one box on any segment you can see and get to any other
> > connected segment.
> >
> > Jason.
> >
> > twig les wrote:
> > >
> > > Actually I just looked at the conceptual placement and
> > > thought it made a lot of sense.  The hubs are the
> > > cheapest way to do this, and if you save $150 while
> > > increasing the confusion, then IMHO it's not worth it.
> > >
> > >
> > > --- Jack Lyons <jack.lyons at ...6422...> wrote:
> > > > I would like to get people's view points on using 1
> > > > hub for all three
> > > > locations.
> > > >
> > > > As long as the IP addressing scheme are different,
> > > > it shouldn't matter
> > > > correct?
> > > >
> > > > Also, you can buy 4 port hubs for under
> > > > $100...doesn't seem too expensive.
> > > >
> > [snip old stuff]
> >
> 

-- 
#!/usr/local/bin/perl
  print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);
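A worked check for the point raised in the thread about spanning one port per VLAN to a single sensor and oversubscribing that port. This is an added example, not code from any of the posters; it assumes a three-zone layout like the one discussed (external, DMZ and internal uplinks mirrored to one sensor port), and every port name, link speed and utilisation figure in it is constructed.

```python
"""Estimate whether a switch SPAN/mirror port feeding an IDS sensor is
oversubscribed.

Added example for the thread above, not code from any of the posters.
All port names, link speeds and utilisation figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MirroredLink:
    """One switch port whose traffic is copied to the sensor's SPAN port."""
    name: str
    speed_mbps: float  # link speed (10, 100, 1000, ...)
    rx_util: float     # observed utilisation into the switch, 0.0 to 1.0
    tx_util: float     # observed utilisation out of the switch, 0.0 to 1.0

    def __post_init__(self):
        for u in (self.rx_util, self.tx_util):
            if not 0.0 <= u <= 1.0:
                raise ValueError(f"{self.name}: utilisation {u} out of range")

    def mirrored_mbps(self, worst_case=False):
        """Traffic the mirror session emits for this link.

        A mirror copies *both* directions of a full-duplex link onto the
        single transmit direction of the SPAN port, so at line rate the copy
        is twice the link speed.
        """
        if worst_case:
            return 2.0 * self.speed_mbps
        return self.speed_mbps * (self.rx_util + self.tx_util)


@dataclass(frozen=True)
class SpanReport:
    span_speed_mbps: float
    observed_mbps: float
    worst_case_mbps: float

    @property
    def oversubscribed_now(self):
        return self.observed_mbps > self.span_speed_mbps

    @property
    def can_oversubscribe(self):
        return self.worst_case_mbps > self.span_speed_mbps

    def describe(self):
        lines = [f"SPAN port {self.span_speed_mbps:g} Mbps",
                 f"  observed mirrored load:  {self.observed_mbps:.1f} Mbps",
                 f"  line-rate mirrored load: {self.worst_case_mbps:.1f} Mbps"]
        if self.oversubscribed_now:
            lines.append("  STATUS: oversubscribed now; the sensor is blind to the excess")
        elif self.can_oversubscribe:
            lines.append("  STATUS: fits today but will drop packets under load")
        else:
            lines.append("  STATUS: full visibility even at line rate")
        return "\n".join(lines)


def assess_span(links, span_speed_mbps):
    """Compare the mirrored load of all links with the SPAN port's capacity."""
    observed = sum(l.mirrored_mbps() for l in links)
    worst = sum(l.mirrored_mbps(worst_case=True) for l in links)
    return SpanReport(span_speed_mbps, observed, worst)


STANDARD_SPEEDS_MBPS = (10, 100, 1000, 10000)


def minimum_span_speed(links):
    """Smallest standard port speed that carries every link at line rate.

    Returns None if even 10 Gbps is not enough.
    """
    need = sum(l.mirrored_mbps(worst_case=True) for l in links)
    for s in STANDARD_SPEEDS_MBPS:
        if s >= need:
            return s
    return None


# Constructed three-zone layout matching the thread's discussion: one
# uplink per VLAN mirrored to a single 100 Mbps sensor port.
ZONE_LINKS = (
    MirroredLink("external-uplink", 10, rx_util=0.60, tx_util=0.30),
    MirroredLink("dmz-uplink", 100, rx_util=0.20, tx_util=0.25),
    MirroredLink("internal-uplink", 100, rx_util=0.35, tx_util=0.30),
)

if __name__ == "__main__":
    report = assess_span(ZONE_LINKS, span_speed_mbps=100)
    print(report.describe())
    print(f"  minimum SPAN speed for line-rate visibility: "
          f"{minimum_span_speed(ZONE_LINKS)} Mbps")
```

The check that matters is the full-duplex doubling: a single 100 Mbps link mirrored to a 100 Mbps SPAN port already exceeds the port at line rate, so the sensor silently misses packets exactly when the segment is busiest. Feeding three zones into one port multiplies that, which is why the constructed layout needs a gigabit sensor port even though its observed load is modest.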