[Snort-users] *very* many snort installations..

hugh_fraser at ...2804... hugh_fraser at ...2804...
Fri Nov 28 11:02:04 EST 2003

The host and network IDS's are different animals. Symantec (and several
other companies) offer a HID that monitors and enforces policies that
define how applications on the host behave. While this includes network
activity, it goes beyond that to include access to any resources on the
host. It's very different, but at the same time complimentary, to what a
NID does. Both provide valuable insight into what's happening in your
environment, and are indispensable when doing the forensic work your
talking about.

Deployment of NID technology on all workstations may provide more
resolution than you need if there are key network "hubs" in through
which all internal traffic passes. As always, start with the perimeter
firewalls, but also include dialup access points (i.e.. Citrix,
reachout, etc.). Internally, monitor the routers, hubs, firewalls, etc..
As well, monitor servers providing common networking services, such as
proxy servers. If you're running a switched network and using VLANs to
segment traffic, monitor systems that may straddle multiple VLANs, such
as domain controllers, dns or dhcp servers, etc.. With some up-front
effort, you may find that a much smaller deployment if NIDs can provide
you with the ability to track activity, without an overwhelming
infrastructure to manage.

In the same way, deploying a HID to 10,000 machines may also be
overkill. Again, the selection of key points to monitor may provide you
with the information you need.

Don't underestimate the impact of either of these technologies on the
systems to which they're deployed. HIDs, especially, may require
considerable amounts of hand-holding before they become invisible to the
end user. In anything other than vanilla applications that the HID
understands out of the box, it will need to be taught what to expect
before it can be deployed to provide non-noise information. And if
you're using them to enforce policies rather than just monitor for
violations, this training will be even more important unless your help
desk enjoys extra work.

Enforcement is the holy grail we're all looking for, since it's a
reality that you will at some point suffer an intrusion, and enforcing
policies (whether in a NID or a HID) is what will allow you to contain
the intrusion and limit the damage.

With regards to the collection of traffic from 10,000 machines,
hierarchical approaches need to be used to deal with the load. In a
large environment, it typically makes sense to have local collection
agents that do some form of filtering and correlation and forward
traffic on to higher levels that have a more enterprise view. This buys
you several benefits... Each local collection agent can be relatively
autonomous, giving you a degree of fault tolerance. It localizes
potentially heavy network traffic in the event of an intrusion. Finally,
it provides you with a scalable architecture that can be adapted to
arbitrary changes either in capacity or topology.

Hugh Fraser
Senior Technical Specialist
Dofasco Inc.

> -----Original Message-----
> From: Jason Haar [mailto:Jason.Haar at ...294...] 
> Sent: Wednesday, November 26, 2003 6:01 PM
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] *very* many snort installations..
> On Thu, 2003-11-27 at 04:46, Michael Steele wrote:
> > The solution is not to install Snort on every workstation.
> Strange - companies like Symantec would disagree with you. 
> They certainly think there's a future in host-based IDS.
> Of course, the IDS is easy - it's the centralised management 
> that's hard... How you handle 10,000 hosts all sending 100 
> alerts/sec to your central console when SLAMMER-IV hits one 
> machine is beyond me ;-)
> [to be fair, I'm confusing centralised management with 
> centralised logging here]
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program. 
> Does SourceForge.net help you be more productive?  Does it 
> help you create better code?  SHARE THE LOVE, and help us 
> help YOU!  Click Here: http://sourceforge.net/donate/ 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/s> nort-users
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list