[Snort-users] I've read FAQ; Need switch/hub advice.
Shaun T. Erickson
ste at ...11690...
Thu Apr 22 08:11:27 EDT 2004

I'm brand new to snort. I was just hired by a small firm to install it
on their networks. I'm reading the Syngress Snort 2.0 book now. I have
the 2.1 edition on order. I've read the FAQ section (1.8) on using snort
in a switched environment. Doing my best to come up to speed ASAP, as
they want it installed last month (of course).

Network setup: T1 coming in to a Cisco 2620, then on to a Sonicwall Pro
330. There is a DMZ net on the Sonicwall that uses real IP addresses.
The WAN port of the Sonicwall and the addresses in the DMZ are all on
the same subnet. The LAN interface of the Sonicwall is connected to a
Linux iptables firewall with two internal LANs connected to it. Each
network (DMZ, LAN1 & LAN2) has a dumb, unmanaged, 16-port 100Mb switch.

From what I've read so far (having only started last night), I should
put snort on three systems: one for each net (DMZ and both LANs).

First question: I don't want to compromise throughput, so it seems like
the correct solution would be to replace the switches with managed
switches that can mirror all traffic to a monitoring port. *Is* that the
best solution? I don't want to tell them to spend money on something
they don't need.

Second question: If doing what I suggest above is the right solution,
can anyone recommend switches to me that don't suffer from performance
degradation when mirroring the traffic to the monitoring port?

I really want to get this right, for two really important reasons: 1) I
want to do my best for my customer, and 2) this is my first paying job
since getting laid off a year and a half ago, and they have indicated
that if this trial month goes well, they may hire me as an employee, so
I *don't* want to fubar this.

Feel free to offer any advice/criticism you might think is pertinent to
my getting this job done right, including anything related to things
snort newbies frequently overlook or get wrong. :)