[Snort-users] IDS and Firewall
mkettler at ...4108...
Wed Apr 28 18:46:04 EDT 2004
At 09:20 AM 4/28/2004, Kernel The Canine wrote:
>Im talking from Security point of view
>which is better
>1) to run it on a separate machine
>2) or on the same Firewall machine
From a security point of view, definitely on the separate box. Preferably
using a network tap out front for sensing and having a second management
interface in a DMZ somewhere.
If you've got the resources, you're always better off in terms of security
by isolating systems from each other. Think about the concepts behind
having a DMZ. Heck, If we all had infinite firewall ports with infinite
bandwidth available, we'd be firewalling every computer in our networks
from each other. It would make good sense from a security standpoint, but
would be rather expensive.
Even Paul Shaffer, who spoke out about me being overly strong in my
warnings, appears to agree that running snort and a firewall on the same
box is a compromise for cost reasons.
Personally, I'm of the opinion it's not worth considering at all, even in a
cost crunch, but that's an opinion based on my own network designs and
threat models. There are others (ie: Paul) who feel it's better to make the
compromise in order to gain the benefits of having an IDS on hand. (and
having an IDS does help teach you patterns of attack, which in turn helps
you strengthen your firewall, so I will agree that Paul's opinion has a lot
of validity, it's just not my opinion).
More information about the Snort-users