[Snort-users] IDS and Firewall

James Riden j.riden at ...11179...
Wed Apr 28 16:20:06 EDT 2004


"Shaffer, Paul D" <paul.d.shaffer at ...178...> writes:

> Everyone responding to this thread seems to be preaching to the choir
> with an amazing grasp of the obvious.  But nobody bothered to ask the
> Kernel anything constituting a requirements definition - What is he
> trying to do?  What is his environment?  What equipment does he have
> available?

OP: 
=>Is it recommended to run on it snort (on the same box)
=>or should I run it on another computer

No, it's not recommended, and yes the OP should run it on another
computer. Obviously, if s/he can't it's not the end of the world, but
s/he asked the question as if that was a possibility.

> Have you considered the possibility that dyed-in-the-wool dogma purveyed
> as gospel, may not be what he is looking for?  Maybe he wants some
> advice or examples of how a multi-purpose security device might be
> cobbled together and properly locked down with Linux? 

If you don't like the answer you shouldn't have asked the question :)

Seriously, I wouldn't run snort on a home firewall even. If you've got
a box you're protecting with the firewall, it's far better to put
snort on that. Have the fw as your prevention, and snort as your
detection.

Apart from security issues, a fw is a single point of failure for most
of us, so is best left to do just firewalling. Running snort will
typically need a lot more oomph than just running iptables, so it's
possible his firewall box isn't up to spec in that regard.

Plus, I don't care about the vast number of attacks and scans which
will be visible on the firewall but will be stopped by it. I only care
about packets which get inside the network.

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/




