[Snort-users] Network placement / using a VLAN

Brian McIntyre bmcintyre at ...8812...
Mon Apr 7 13:05:07 EDT 2003


Time to actually ask a question of my own.  I've recently put a Snort 
system in place on my network and I have a couple of questions.

First of all, a little about my current setup:

Local traffic on a single subnet is going into a single switch that allows 
port mirroring into a port.  I have hosts on 10/100 with a single 1000 port 
that I've added only a couple of mirrored interfaces to.  A speedy Snort 
sensor is in place with a gig card to listen to the traffic and forward 
alerts to an ACID/MySQL console.  I'm happy to say that Snort is working as 
expected.

Question 1) Since my two mirrored ports are my WAN interface, and my 
trusted interface on my firewall, is it really necessary to consider adding 
additional hosts to the mirrored port?  If all I'm really concerned about 
monitoring is incoming and outgoing traffic through those two gateway 
interfaces isn't that sufficient?

Question 2) I would also like to monitor my DMZ.  How secure would it be to 
add a VLAN on my switch to connect my DMZ hosts on the same switch as my 
local subnet?  While physically they reside on the same switch, they will 
be on separate VLANs.  Can I be certain I'm not introducing a *serious* 
security risk to my internal network?  This might be a much better question 
to ask my switch vendor, and please shoot me if I've lost my marbles.

Anyone willing to respond directly will be welcomed.  Thanks!

Brian
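Added example, not part of Brian's post and not Snort code: the second question hinges on what the sensor can actually tell about which VLAN a mirrored frame came from. The script below is a small 802.1Q parser with a sanity check a sensor-side tool could run over frames from the mirror port: it reports the VLAN ID, flags IDs that were never provisioned, and flags frames carrying more than one stacked tag (the inner tag is what a downstream switch acts on, so a stacked frame is worth an alert rather than a silent pass). The VLAN numbers (10 for the internal subnet, 20 for the DMZ), MAC addresses and payload are constructed for the example; whether the mirror port delivers frames with their tags intact at all depends on the switch's mirroring configuration, which is why an untagged frame is reported as such rather than attributed to a VLAN.

```python
"""Minimal Ethernet / 802.1Q tag parser plus a VLAN sanity check.

All frames are constructed inline so this runs offline.  VLAN 10 (internal)
and VLAN 20 (DMZ) are assumed values for the example, not from the post.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag (stacked / "QinQ")
ETHERTYPE_IPV4 = 0x0800

# Assumed VLAN allocation for the example (not from the post).
EXPECTED_VLANS = {"internal": 10, "dmz": 20}


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_ids, ethertype, payload) for one Ethernet frame.

    Walks any number of stacked 802.1Q/802.1ad tags, so a double-tagged frame
    is reported as a list of two VLAN IDs instead of being mis-read as one
    tag followed by an odd payload.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlan_ids = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits = VLAN ID; top bits = PCP/DEI
        offset += 4
    return dst, src, vlan_ids, ethertype, frame[offset:]


def check_frame(frame: bytes, allowed_vlans):
    """Classify a frame seen on the sensor's mirror port.

    'untagged'     - no tag at all (e.g. the mirror session stripped it), so
                     the VLAN cannot be attributed from the frame itself
    'ok'           - exactly one tag whose VLAN ID we provisioned
    'unknown-vlan' - one tag, but an ID that is not in allowed_vlans
    'stacked-tags' - two or more tags; the inner tag is what the next switch
                     would honour, so this deserves an alert
    """
    _, _, vlan_ids, _, _ = parse_frame(frame)
    if not vlan_ids:
        return "untagged"
    if len(vlan_ids) > 1:
        return "stacked-tags"
    return "ok" if vlan_ids[0] in allowed_vlans else "unknown-vlan"


def build_frame(dst: bytes, src: bytes, vlan_ids, ethertype: int, payload: bytes) -> bytes:
    """Construct a frame with zero or more 802.1Q tags (test data only)."""
    hdr = dst + src
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed sample traffic (MACs and payload are placeholders).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19   # stand-in for an IPv4 header

SAMPLE_FRAMES = {
    "lan-host":      build_frame(DST, SRC, [10], ETHERTYPE_IPV4, PAYLOAD),
    "dmz-host":      build_frame(DST, SRC, [20], ETHERTYPE_IPV4, PAYLOAD),
    "stripped-span": build_frame(DST, SRC, [], ETHERTYPE_IPV4, PAYLOAD),
    "stray-vlan":    build_frame(DST, SRC, [99], ETHERTYPE_IPV4, PAYLOAD),
    "double-tagged": build_frame(DST, SRC, [10, 20], ETHERTYPE_IPV4, PAYLOAD),
}


def audit(frames=SAMPLE_FRAMES, allowed=frozenset(EXPECTED_VLANS.values())):
    """Run check_frame over every sample and return {name: verdict}."""
    return {name: check_frame(f, allowed) for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:14s} -> {verdict}")
```

The parser accepts both 0x8100 and 0x88A8 as a tag protocol identifier, so it copes with a switch that uses 802.1ad for the outer tag of a stack as well as with two plain 802.1Q tags.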
