[Snort-users] Snort Sensor Placement Outside Firewall

Michael Steele michaels at ...9077...
Wed Jun 25 22:31:03 EDT 2003


You forgot to mention the time that may be involved in sorting through the
massive amount of data with a sensor on the outside.

What could be some of the possibilities that make that scenario a possible
solution, when the IDS could or should in most cases be placed on the near
side of the firewall?

--Michael Steele

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Erek Adams
Sent: Wednesday, June 25, 2003 8:48 AM
To: Rich Lichvar
Cc: Snort Users List (E-mail)
Subject: Re: [Snort-users] Snort Sensor Placement Outside Firewall

On Wed, 25 Jun 2003, Rich Lichvar wrote:

> I know this is a bit off-topic, but I need some advice/help and would like
> to tap the experience of those who probably have successfully done what we
> are thinking of doing.
> We are thinking of putting a Snort-based sensor outside our firewall in
> Untrusted zone. (This is after the border/edge/gateway router which is
> controlled by our hosting facility and not us.) I was wondering if any of
> you had any advice about:
> 1. OS: Linux? Hardened how? What system capacity (RAM, hard drive) might be
> required?

OS:  Pick your OS.  Pick one that you know and know well.  You can't waste
time learning about an OS with an IDS.
Hardened:  Pick your hardening guide.  Cut off all services.  Use SSH for
management or a serial connection if you're really paranoid.
Capacity:  As much as you can.  Throw as much money at it as you can.
Fast HD to save data with plenty of bus speed.  v2.0 uses more memory than
previous versions, so use as much as you can.

> 2. Cabling setup: Internet Cat 5 cable to hub and cable from hub to sensor
> and cable from hub to Untrusted port of firewall? (I've tried this in the
> past and had problems with traffic even getting to the firewall. Maybe a
> crossover cable is needed?)

No crossover needed.  Just a 'normal' cable.  If you want to be 'extra'
safe, you might want to use a read-only cable [0].


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.theadamsfamily.net/~erek/snort/ro_cable_and_hubs.txt
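
Added example, not part of the thread above and not Snort's own code: a POSIX
shell script that checks the two things Erek's hardening advice implies for a
sensor sitting on the untrusted side. First, that the host exposes only sshd,
and only on the management interface's address (every other service "cut
off"). Second, that the sniffing interface on the hub carries no IP address,
so the sensor has no presence on the outside segment and only listens. The
management address 10.0.0.5, the interface names eth0/eth1 and the sample
command output are assumptions constructed for illustration; on a live host
you would pipe real `ss -ltnu` and `ip -o -4 addr show` output into the
same functions.

```shell
#!/bin/sh
# Sensor sanity checks (added example; addresses, interface names and the
# sample output below are constructed, not taken from a real host).
#
# Snort itself would then be started on the bare interface, e.g.
#   snort -i eth1 -c /etc/snort/snort.conf -D      (path assumed)

MGMT_ADDR="${MGMT_ADDR:-10.0.0.5}"   # assumed management-interface address
SNIFF_IFACE="${SNIFF_IFACE:-eth1}"   # assumed interface cabled to the hub

# Read `ss -ltnu` output on stdin. Print every listening socket that is not
# sshd bound to the management address. Returns 0 if none, 1 otherwise.
audit_listeners() {
    awk -v mgmt="$MGMT_ADDR" '
        NR == 1 { next }                               # column header
        $2 != "LISTEN" && $2 != "UNCONN" { next }      # not a listener
        {
            # field 5 is Local Address:Port, e.g. 10.0.0.5:22 or 0.0.0.0:111
            n = split($5, a, ":")
            port = a[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if ($1 == "tcp" && addr == mgmt && port == "22") next
            print "unexpected listener:", $1, $5
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Read `ip -o -4 addr show` output on stdin. Returns 0 if the sniffing
# interface has no IPv4 address, 1 (and prints the address) if it has one.
sniff_iface_has_no_addr() {
    awk -v ifc="$SNIFF_IFACE" '
        $2 == ifc && $3 == "inet" { print "address on sniffing interface:", $2, $4; found = 1 }
        END { if (found) exit 1; exit 0 }'
}

# Run both checks on the given command output; returns 0 only if both pass.
sensor_check() {
    rc=0
    if ! printf '%s\n' "$1" | audit_listeners; then
        echo "FAIL: services other than sshd on $MGMT_ADDR are listening"; rc=1
    fi
    if ! printf '%s\n' "$2" | sniff_iface_has_no_addr; then
        echo "FAIL: $SNIFF_IFACE must carry no IP address on the untrusted segment"; rc=1
    fi
    return $rc
}

# --- constructed sample output (what ss/ip print on a sloppy vs. a clean host) ---
SS_DIRTY='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    10.0.0.5:22       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:111       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*'
SS_CLEAN='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    10.0.0.5:22       0.0.0.0:*'
IP_DIRTY='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.0.2.9/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever'
IP_CLEAN='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever'

echo "== sloppy host =="
if sensor_check "$SS_DIRTY" "$IP_DIRTY"; then echo "PASS"; fi
echo "== clean host =="
if sensor_check "$SS_CLEAN" "$IP_CLEAN"; then echo "PASS"; fi
```

The sloppy sample fails on the portmapper and DHCP-client sockets bound to
0.0.0.0 and on the address sitting on eth1; the clean sample passes. Feeding
the functions captured text rather than running the commands inside them is
deliberate: the same checks can be run against output pulled back over the SSH
or serial management path without giving the script any privileges on the
sensor.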
