[Snort-users] Network placement / using a VLAN

Erek Adams erek at ...950...
Tue Apr 8 07:44:05 EDT 2003


On Mon, 7 Apr 2003, Brian McIntyre wrote:

> Local traffic on a single subnet is going into a single switch that allows
> port mirroring into a port.  I have hosts on 10/100 with a single 1000 port
> that I've added only a couple of mirrored interfaces to.  A speedy Snort
> sensor is in place with a gig card to listen to the traffic and forward
> alerts to an ACID/MySQL console.  I'm happy to say that Snort is working as
> expected.

Good.  :)

> Question 1) Since my two mirrored ports are my WAN interface, and my
> trusted interface on my firewall, is it really necessary to consider adding
> additional hosts to the mirrored port?  If all I'm really concerned about
> monitoring is incoming and outgoing traffic through those two gateway
> interfaces isn't that sufficient?

I'm not sure if I'm following what you mean here, so please correct me if
I'm wrong.  You have two uplink (WAN) interfaces that are mirrored to port
X.  You are asking should you add LAN host ports to the mirror to sniff
the traffic going to/from those hosts.  If you're not worried about what's
'inside' of your network, then there's no need to.

> Question 2) I would also like to monitor my DMZ.  How secure would it be to
> add a VLAN on my switch to connect my DMZ hosts on the same switch as my
> local subnet?  While physically they reside on the same switch, they will
> be on seperate VLANs.  Can I be certain I'm not introducing a *serious*
> security risk to my internal network?  This might be a much better question
> to ask my switch vendor, and please shot me if I've lost my marbles..

You could do it, but it's not a perfect solution.  You can 'hop' from one
VLAN to another with a specially crafted packet [0].  If you're _really_
worried about segregation of traffic, then I'd suggest using two separate
pieces of hardware.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]
http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_feature09186a0080142deb.html
(URL may wrap)





More information about the Snort-users mailing list