[Snort-users] IDS and Firewall

Matt Kettler mkettler at ...4108...
Wed Apr 28 18:46:04 EDT 2004

At 09:20 AM 4/28/2004, Kernel The Canine wrote:
>Im talking from Security point of view
>which is better
>1) to run it on a separate machine
>2) or on the same Firewall machine

 From a security point of view, definitely on the separate box. Preferably 
using a network tap out front  for sensing and having a second management 
interface in a DMZ somewhere.

If you've got the resources, you're always better off in terms of security 
by isolating systems from each other. Think about the concepts behind 
having a DMZ. Heck, If we all had infinite firewall ports with infinite 
bandwidth available, we'd be firewalling every computer in our networks 
from each other.  It would make good sense from a security standpoint, but 
would be rather expensive.

Even Paul Shaffer, who spoke out about me being overly strong in my 
warnings, appears to agree that running snort and a firewall on the same 
box is a compromise for cost reasons.

Personally, I'm of the opinion it's not worth considering at all, even in a 
cost crunch, but that's an opinion based on my own network designs and 
threat models. There are others (ie: Paul) who feel it's better to make the 
compromise in order to gain the benefits of having an IDS on hand. (and 
having an IDS does help teach you patterns of attack, which in turn helps 
you strengthen your firewall, so I will agree that Paul's opinion has a lot 
of validity, it's just not my opinion).

More information about the Snort-users mailing list