[Snort-users] Snort in a H.A. environment.

Federico Lombardo egopfe at ...125...
Mon Jan 20 02:37:19 EST 2003


OK, but my firewalls are very strong machines.

BTW the solution of creating an IDS-Transport-Network (private addressing)
between router and firewall is good.




----- Original Message -----
From: "Patrice Boulanger" <pboulanger at ...7942...>
To: "Federico Lombardo" <egopfe at ...125...>
Sent: Monday, January 20, 2003 11:09 AM
Subject: RE: [Snort-users] Snort in a H.A. environment.


> I think you should prefer a solution where your snort sensor will sniff in
> front of the firewalls, like this:
>
>
>             INTERNET
>                 |
>                 |        Stealth NIC
>                 +-------------------+
>                 |                   |
>                 |                   |
>       ----------+----------         |
>       |                   |         |
>       |                   |         |
>     Fw A                Fw B        |
>       |        LAN        |         |
>       |---------+---------|         |
>                 |             ------+------
>                 |             |   Snort   |
>                 |             -------------
>                 |                   |
>                 |     Adm. NIC      |
>                 |-------------------|
>
> (I hope this diagram will be clear enough ;-)
>
> You should have two NICs on your Snort box:
> - one is in stealth mode (no IP address on it) to sniff network traffic
> - another is to send alerts and for administrative purposes (SSH,
>   Monitoring ...)
>
> Thus, your snort box cannot be addressed directly from Internet.
>
> Moreover, you said that you have a very high traffic to monitor ?? It's an
> additional good reason to NOT overload your firewalls !!!! Network
> monitoring and intrusion detection are very expensive in terms of
> CPU and memory usage. Use a dedicated system ...
>
> Hope it will help you !
>
> Regards,
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Federico
> Lombardo
> Sent: Monday, January 20, 2003 10:51
> To: Patrice Boulanger; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort in a H.A. environment.
>
>
> And why ?
>
> Is the only way to monitor trpassing traffic in real time.
>
> Using span ports in a switch ?
> I don't think this solution will solve my problems... I've a very high
> traffic MAN.
>
>
>
>
> ----- Original Message -----
> From: "Patrice Boulanger" <pboulanger at ...7942...>
> To: "Federico Lombardo" <egopfe at ...125...>
> Sent: Monday, January 20, 2003 10:28 AM
> Subject: RE: [Snort-users] Snort in a H.A. environment.
>
>
> > Yes it's a stupid problem... I don't think it's a good idea to run snort
> > on your firewalls !
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Federico
> > Lombardo
> > Sent: Monday, January 20, 2003 10:19
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Snort in a H.A. environment.
> >
> >
> > Hi all, I've a stupid problem.
> >
> > I've in a production scenario a checkpoint Firewall-1 Cluster-XL Firewall
> > in Active-StandBy configuration.
> >
> >
> > On the active Node-1 (active) I wanna run snort, and no problems with this.
> > The problem I want to solve is:
> >
> > How can I make it possible to start snort on the other Node-2 when it
> > becomes active, and how to stop snort on Node-1 when it becomes standby ???
> >
> >
> > Every solution is appreciated.
> >
> >
> > Regards,
> >
> >
> > Federico
> >
> >
>
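
The two-NIC sensor layout described in the quoted reply (a sniffing interface with no IP address, plus an addressed administrative interface) can be checked mechanically. The script below is an added example, not part of the original thread; it assumes a Linux sensor with iproute2, and the interface names `eth0`/`eth1` and the trimmed `ip -o addr show` samples are constructed.

```shell
#!/bin/sh
# Added example: audit a two-NIC Snort sensor from `ip -o addr show` output.
# Assumed names: eth1 = stealth (sniffing) NIC, eth0 = admin NIC.

# Constructed sample: eth1 is up but carries an auto-assigned IPv6
# link-local address, a common way a "stealth" NIC ends up addressable.
SAMPLE_LEAKY='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link'

# Constructed sample: eth1 has no address records at all.
SAMPLE_STEALTH='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0'

# Print every address bound to interface $1 (reads `ip -o addr` on stdin).
iface_addrs() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $4 }'
}

# audit_sensor SNIFF_IF ADMIN_IF  (reads `ip -o addr` on stdin)
# Prints one finding per line; returns 0 only if the layout is correct.
audit_sensor() {
    snapshot=$(cat)
    rc=0
    leaked=$(printf '%s\n' "$snapshot" | iface_addrs "$1")
    if [ -n "$leaked" ]; then
        for a in $leaked; do echo "FAIL: sniffing NIC $1 has address $a"; done
        rc=1
    else
        echo "OK: sniffing NIC $1 has no IP address"
    fi
    if [ -z "$(printf '%s\n' "$snapshot" | iface_addrs "$2")" ]; then
        echo "FAIL: admin NIC $2 has no address; alerts cannot be sent"
        rc=1
    else
        echo "OK: admin NIC $2 is addressed"
    fi
    return $rc
}

printf '%s\n' "$SAMPLE_LEAKY"   | audit_sensor eth1 eth0 || true
printf '%s\n' "$SAMPLE_STEALTH" | audit_sensor eth1 eth0 || true
# On a live sensor: ip -o addr show | audit_sensor eth1 eth0
```
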



