[Snort-users] IDS placement

Michael Boman michael.boman at ...4162...
Mon Jul 7 00:34:04 EDT 2003


On Mon, 2003-07-07 at 14:48, Always Bishan wrote:
> Now the queries are:
> 1. What would be the best place to deploy Snort
> sensors and Manager? Please do send your expert
> comments!

It all depends on what you want to detect. If it is attacks from the
internet and between the different zones you are worried about, I'd put a
snort instance for each interface on the "IPtables Firewall" box.

If you are worried about attacks within each zone I can't give you any
advice that doesn't cost you (or your client) any extra.

> 2. The switches don't have a port mirror, so how do I
> monitor traffic there?

Well, you can't unless you change the switch for a hub...

> 3. What changes shall I make in the network diagram to
> implement the best possible solution?

Hard to say as the intent of the zone is not very clear.

> Note: Client does not want to spend anything extra on
> hardware.

Then you have to make compromises with the design and setup. Life in
IT/Security seems to be all about compromises nowadays..

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com