[Snort-users] Snort in a H.A. environment.

Saad Kadhi saad at ...4401...
Mon Jan 20 02:54:05 EST 2003


On Mon, Jan 20, 2003 at 10:50:37AM +0100, Federico Lombardo wrote:
> And why ?
> 
> It is the only way to monitor passing traffic in real time.
no. that's false. 

example: node1 is active. a cracker(tm) has started an intrusion attempt
on your webserver. the traffic is permitted by the firewall on node1
(handshake completed according to the rules). snort has not yet identified
the session as an intrusion because the cracker may be using some evasion
technique, or the attack patterns are still missing. node1 fails. node2
takes over (this takes a few seconds, if not more). it starts the firewall
and snort processes. you are using state synchronisation, so the cracker's
session will be allowed to proceed. snort on node2 didn't see the first
packets of the session, so the pattern is incomplete and it cannot identify
this as an intrusion attempt. and during the takeover, maybe the cracker
launched other attempts as well. ok, these won't necessarily get thru, but
they may indicate a global pattern that would help you see what the
cracker is looking for. too bad, they are lost.

> 
> Using span ports in a switch ?
> I don't think this solution will solve my problems... I've a very high
> traffic MAN.
and? if you have such a busy network, your firewalls are probably already
under heavy load. so you want to stress them further by adding other
processes (snort and co.) that will fight for resources with your
Checkpoint?

I don't see how running snort on a cluster (configured as active-passive)
is better than dedicating a box to snort and plugging it into the network
segments you want to monitor.

if performance is a problem, dedicate as many boxen as you need to snort
and use a hardware load balancer, such as Top Layer for example.

if 'real time(tm)' is a problem, create IDS farms on the load balancer.
in this case, if one box in a farm fails, no problem: the traffic is still
monitored by the other boxen in the same farm.

if running with a single load balancer is a problem, add another one and
configure them in active-passive mode.


> 
> ----- Original Message -----
> From: "Patrice Boulanger" <pboulanger at ...7942...>
> To: "Federico Lombardo" <egopfe at ...125...>
> Sent: Monday, January 20, 2003 10:28 AM
> Subject: RE: [Snort-users] Snort in a H.A. environment.
> 
> 
> > Yes it's a stupid problem... I don't think it's a good idea to run snort on
> > your firewalls!
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On behalf of Federico
> > Lombardo
> > Sent: Monday, January 20, 2003 10:19
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Snort in a H.A. environment.
> >
> >
> > Hi all, I have a stupid problem.
> >
> > I have, in a production scenario, a Checkpoint Firewall-1 Cluster-XL firewall
> > in Active-Standby configuration.
> >
> >
> > On the active Node-1 I want to run snort, and there are no problems with
> > this. The problem I want to solve is:
> >
> > How can I make it possible to start snort on the other Node-2 when it becomes
> > active, and how can I stop snort on Node-1 when it becomes standby?
> >
> >
> > Every solution is appreciated.
> >
> >
> > Regards,
> >
> >
> > Federico
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> 
> 

-- 
Saad Kadhi -- [saad at ...4401...] [saad.kadhi at ...7831...]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
---
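Editor's note: the script below is an added example, not code from the thread or from Check Point. It shows the mechanics Federico asked about (start snort when the local node becomes active, stop it when it goes standby) as a small reconciliation loop. The status command (`cphaprob state`), its output format, the snort path, arguments and pid file are all assumptions to be adapted; the constructed sample status text exists only for the dry run. Saad's caveat above still holds for any such setup: a snort started on node2 after failover picks up the cracker's session mid-stream and has no chance to match on the packets node1 already saw, which is why the example maps an unreadable role to "unknown" and leaves a running sensor alone rather than stopping it on a glitch.

```sh
#!/bin/sh
# Added example (not from the thread): tie a local snort process to this
# node's cluster role. Paths, commands and the status format are assumptions.

SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"                         # assumed path
SNORT_ARGS="${SNORT_ARGS:--D -i eth0 -c /etc/snort/snort.conf}"   # assumed args
PIDFILE="${PIDFILE:-/var/run/snort_eth0.pid}"                     # assumed pid file
STATE_CMD="${STATE_CMD:-cphaprob state}"                          # assumed role command
POLL_SECS="${POLL_SECS:-5}"

# Constructed sample status output for the dry run; the real format may differ.
SAMPLE_ACTIVE='Number  Unique Address  Assigned Load  State
1 (local)  10.0.0.1   100%   Active
2          10.0.0.2   0%     Standby'
SAMPLE_STANDBY='Number  Unique Address  Assigned Load  State
1          10.0.0.1   100%   Active
2 (local)  10.0.0.2   0%     Standby'

# Print this node's role in lower case ("active", "standby", ...), or nothing
# when no "(local)" line is present (command failed or format changed).
local_role() {
    printf '%s\n' "$1" | awk '/\(local\)/ { print tolower($NF); exit }'
}

# Pure decision: role + whether snort runs -> start | stop | none | unknown.
# An empty or unexpected role gives "unknown" so that a failed status
# command never kills a sensor that is currently watching traffic.
decide() {
    case "$1:$2" in
        active:no)   echo start ;;
        active:yes)  echo none ;;
        standby:yes) echo stop ;;
        standby:no)  echo none ;;
        *)           echo unknown ;;
    esac
}

# "yes" if the pid in PIDFILE belongs to a live process, else "no".
snort_running() {
    if [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# One pass: read the role, compare with the sensor state, act, echo the action.
reconcile_once() {
    status=$($STATE_CMD 2>/dev/null) || status=""
    action=$(decide "$(local_role "$status")" "$(snort_running)")
    case "$action" in
        start)   logger -t snort-ha "node active, starting snort"; $SNORT_BIN $SNORT_ARGS ;;
        stop)    logger -t snort-ha "node standby, stopping snort"; kill "$(cat "$PIDFILE")" ;;
        unknown) logger -t snort-ha "cluster role unreadable, leaving snort as is" ;;
    esac
    echo "$action"
}

if [ "${1:-}" = "daemon" ]; then
    while :; do reconcile_once >/dev/null; sleep "$POLL_SECS"; done
else
    # Dry run against the constructed samples; touches no real process.
    echo "active node, snort down:  $(decide "$(local_role "$SAMPLE_ACTIVE")" no)"
    echo "active node, snort up:    $(decide "$(local_role "$SAMPLE_ACTIVE")" yes)"
    echo "standby node, snort up:   $(decide "$(local_role "$SAMPLE_STANDBY")" yes)"
    echo "garbage status, snort up: $(decide "$(local_role 'no cluster')" yes)"
fi
```

Run it with no arguments for the dry run, or as `sh snort-ha.sh daemon` (from init or a ClusterXL-triggered hook, whichever the platform offers) to poll. The polling interval adds to the failover gap Saad describes, during which node2's sensor sees nothing at all.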



