[Snort-users] Snort Sensor Placement Outside Firewall

Erek Adams erek at ...950...
Wed Jun 25 08:50:06 EDT 2003

On Wed, 25 Jun 2003, Rich Lichvar wrote:

> I know this is a bit off-topic, but I need some advice/help and would like
> to tap the experience of those who probably have successfully done what we
> are thinking of doing.
> We are thinking of putting a Snort-based sensor outside our firewall in the
> Untrusted zone. (This is after the border/edge/gateway router which is
> controlled by our hosting facility and not us.) I was wondering if any of
> you had any advice about:
> 1. OS: Linux? Hardened how? What system capacity (RAM, hard drive) might be
> required?

OS:  Pick your OS.  Pick one that you know and know well.  You can't waste
time learning about an OS with an IDS.
Hardened:  Pick your hardening guide.  Cut off all services.  Use SSH for
management or a serial connection if you're really paraniod.
Capacity:  As much as you can.  Throw as much money at it as you can.
Fast HD to save data with plenty of busspeed.  v2.0 uses more memory than
previous versions, so use as much as you can.

> 2. Cabling setup: Internet Cat 5 cable to hub and cable from hub to sensor
> and cable from hub to Untrusted port of firewall? (I've tried this in the
> past and had problems with traffic even getting to the firewall. Maybe a
> crossover cable is needed?)

No crossover needed.  Just a 'normal' cable.  If you want to be 'extra'
safe, you might want to use a read only cable [0]


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.theadamsfamily.net/~erek/snort/ro_cable_and_hubs.txt

More information about the Snort-users mailing list