[Snort-users] IDS and Firewall

Matt Kettler mkettler at ...4108...
Wed Apr 28 08:07:00 EDT 2004

At 03:34 AM 4/28/2004, Kernel The Canine wrote:
>I'm running shorewall.net as my firewall, on RedHat
>linux box version 9.0
>Is it recommended to run on it snort (on the same box)
>or should I run it on another computer

Several users replied citing resource problems with doing this. However, nobody 
mentioned the obvious thing that every firewall admin should know.

SECURITY matters.

Never run any network applications on your firewall box. No mailservers, 
webservers, dns servers, and not snort either.

Why? Because if someone exploits snort (i.e., the old stream4 vulnerability), 
or any other program on your firewall box, they now have control of your 
firewall machine. At that point, you have no firewall at all.

You really should treat a firewall box as a firewall-only system if you 
want it to protect you in the event of an attack. Servers, IDSs, etc. are best 
placed on other boxes so that an exploit of one doesn't bring the entire 
security of your network down as a hacker digs your firewall apart from the 
inside out. 
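A practical way to act on the advice above is to periodically audit the firewall host for listening network services it should not have. The script below is an added example, not part of the original post or of Snort or Shorewall; it assumes the only legitimate listener on a firewall-only box is sshd for administration, and it works on a constructed listing in the column layout of `ss -lntup` rather than on live output, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): report network services
# listening on a firewall host that should be firewall-only.
# SAMPLE_LISTENERS is CONSTRUCTED sample data in the layout of `ss -lntup`;
# on a real box you would pipe `ss -lntupH` into unexpected_listeners instead.

SAMPLE_LISTENERS='tcp   LISTEN 0  128  0.0.0.0:22      0.0.0.0:*  users:(("sshd",pid=811,fd=3))
tcp   LISTEN 0  128  0.0.0.0:80      0.0.0.0:*  users:(("httpd",pid=902,fd=4))
udp   UNCONN 0  0    0.0.0.0:53      0.0.0.0:*  users:(("named",pid=640,fd=5))
tcp   LISTEN 0  5    10.0.0.1:3306   0.0.0.0:*  users:(("mysqld",pid=1203,fd=10))'

# Processes allowed to hold sockets on a firewall-only box (assumption:
# SSH for administration only). Anything else is reported.
ALLOWED_PROCS="sshd"

# unexpected_listeners: read an ss-style listing on stdin and print
# "process local_address" for every socket whose owner is not allowed.
unexpected_listeners() {
    while read -r proto state recvq sendq local peer users; do
        [ -z "$proto" ] && continue
        # extract the process name from users:(("name",pid=...,fd=...))
        proc=$(printf '%s' "$users" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        allowed=0
        for a in $ALLOWED_PROCS; do
            [ "$a" = "$proc" ] && allowed=1
        done
        [ "$allowed" -eq 0 ] && printf '%s %s\n' "$proc" "$local"
    done
}

# count_unexpected: number of offending sockets in the sample listing,
# suitable for turning into a non-zero exit status in a cron job.
count_unexpected() {
    printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners
```

On the sample data the web server, DNS server and database are reported and sshd is not; each reported line is a service that, per the post, belongs on a separate box rather than on the firewall.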
