[Snort-users] Network placement / using a VLAN
bmcintyre at ...8812...
Mon Apr 7 13:05:07 EDT 2003
Time to actually ask a question of my own. I've recently put a Snort
system in place on my network and I have a couple of questions.
First of all, a little on my current set up:
Local traffic on a single subnet is going into a single switch that allows
port mirroring into a port. I have hosts on 10/100 with a single 1000 port
that I've added only a couple of mirrored interfaces to. A speedy Snort
sensor is in place with a gig card to listen to the traffic and forward
alerts to an ACID/MySQL console. I'm happy to say that Snort is working as
Question 1) Since my two mirrored ports are my WAN interface, and my
trusted interface on my firewall, is it really necessary to consider adding
additional hosts to the mirrored port? If all I'm really concerned about
monitoring is incoming and outgoing traffic through those two gateway
interfaces isn't that sufficient?
Question 2) I would also like to monitor my DMZ. How secure would it be to
add a VLAN on my switch to connect my DMZ hosts on the same switch as my
local subnet? While physically they reside on the same switch, they will
be on seperate VLANs. Can I be certain I'm not introducing a *serious*
security risk to my internal network? This might be a much better question
to ask my switch vendor, and please shot me if I've lost my marbles..
Anyone willing to respond directly will be welcomed. Thanks!
More information about the Snort-users