[Snort-users] RE: Network placement / using a VLAN

JP Vossen vossenjp at ...8683...
Mon Apr 7 15:13:04 EDT 2003

On Mon, 7 Apr 2003 snort-users-request at lists.sourceforge.net wrote:

> Message: 2
> Date: Mon, 07 Apr 2003 15:03:59 -0500
> To: snort-users at lists.sourceforge.net
> From: Brian McIntyre <bmcintyre at ...8812...>
> Subject: [Snort-users] Network placement / using a VLAN


> Question 2) I would also like to monitor my DMZ.  How secure would it be to
> add a VLAN on my switch to connect my DMZ hosts on the same switch as my
> local subnet?  While physically they reside on the same switch, they will
> be on separate VLANs.  Can I be certain I'm not introducing a *serious*
> security risk to my internal network?  This might be a much better question
> to ask my switch vendor, and please shoot me if I've lost my marbles..

That's a Bad Idea--don't do it!  Always use different physical devices for
networks with different trust levels.  While I have never personally done it,
I have been assured by people who I believe ARE capable of it that VLANs can
be broken.  Besides, do you trust the vendor to make a crashed VLAN/router
"fail safe?"

Low-end hubs/switches are dirt cheap (unless you need HA or manageable
stuff--totally depends on your needs and environment), and NICs are cheap too.
You can add an unnumbered interface to your Snort box and plug in to the DMZ.
This would require running a second Snort instance with suitable mods to the
snort.conf file, and enough horsepower on the sensor...  There has been lots
of discussion of this kind of thing in the list archives.
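As an added illustration of the second-interface approach JP describes (this is example code, not something from the thread or from the Snort project): the script below derives a DMZ-specific snort.conf from the existing one, checks that the sniffing port really carries no address, and emits the commands that bring the port up unnumbered and start a dedicated Snort instance on it. It assumes Snort 2.x `var HOME_NET` syntax, the `ip` tool from iproute2, `eth2` as the DMZ tap interface and `192.168.10.0/24` as the DMZ subnet; all of those are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the original thread): set up a second, unnumbered
# Snort sensor interface for a DMZ. Assumed names: eth2 (DMZ tap port),
# /etc/snort/snort.conf (base config), 192.168.10.0/24 (DMZ subnet).

# make_dmz_conf BASE OUT DMZ_NET LOGDIR
# Copies the base snort.conf, rewriting HOME_NET to the DMZ range and pointing
# log output at a separate directory so the two instances never share files.
make_dmz_conf() {
    base="$1"; out="$2"; dmz_net="$3"; logdir="$4"
    sed -e "s|^var HOME_NET .*|var HOME_NET $dmz_net|" \
        -e "s|^config logdir:.*|config logdir: $logdir|" \
        "$base" > "$out" || return 1
    # If the base config had no logdir line at all, append one.
    grep -q '^config logdir:' "$out" || printf 'config logdir: %s\n' "$logdir" >> "$out"
}

# iface_has_no_ip IFACE [ADDR_OUTPUT]
# Returns 0 when the interface carries no IPv4 or IPv6 address, i.e. it is a
# pure sniffing port that DMZ hosts cannot address. ADDR_OUTPUT lets a caller
# pass captured `ip addr show` text instead of querying the live system.
iface_has_no_ip() {
    iface="$1"
    if [ -n "$2" ]; then
        text="$2"
    else
        text=$(ip addr show dev "$iface" 2>/dev/null)
    fi
    ! printf '%s\n' "$text" | grep -Eq '^[[:space:]]*inet6? '
}

# sensor_start IFACE CONF LOGDIR
# Prints the commands (to be run as root) that strip any address from the port,
# bring it up in promiscuous mode and launch a separate Snort daemon on it.
sensor_start() {
    iface="$1"; conf="$2"; logdir="$3"
    cat <<EOF
ip addr flush dev $iface
ip link set $iface up promisc on
mkdir -p $logdir
snort -D -i $iface -c $conf -l $logdir
EOF
}

# Typical use (assumed paths):
#   make_dmz_conf /etc/snort/snort.conf /etc/snort/snort-dmz.conf 192.168.10.0/24 /var/log/snort/dmz
#   iface_has_no_ip eth2 && sensor_start eth2 /etc/snort/snort-dmz.conf /var/log/snort/dmz | sh
```

The address check matters because the whole point of the unnumbered port is that nothing in the DMZ can reach the sensor through it; a Snort box that is addressable from the DMZ becomes a bridge between trust zones, which is exactly the risk the VLAN question raised. Keeping the two instances on separate configs and log directories also means a compromise of one segment's alerts does not muddle the other's.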

