[Snort-users] Snort Placement

Jose Maria Lopez jkerouac at ...12346...
Sun Oct 10 06:55:01 EDT 2004


On Sat, 09/10/2004 at 21:48, Paul Ryan wrote:
> I was hoping to get input on the best placement of my snort box.
> 
> This box is to be used to track traffic to the Internet from my corporate
> LAN. The traffic traverses a PIX before hitting the Internet, subsequently
> all outside destined traffic is NAT'd to one public IP.
> 
> If I place it on the outside of the firewall - all source IP's are the NAT,
> which is useless in tracking offenders on my LAN.
> Placing it before the PIX - brings up some challenges ...
> 
> The PIX has an Inside, DMZ and Outside interface.
> 
> What do u think ?
> 
> Regards,
> 
> paul

If you really want to track the offenders in your LAN you need to place
the snort sensor inside the firewall, but I would also put another
sensor outside the firewall. This is my favorite configuration, because
you have a sensor outside the firewall that can see all the attacks to
your LAN and an inner one that only sees what's been let in by the
firewall. The inner one is the most important because it's telling
you what attacks are bypassing the firewall, and the outer one can
give you a good view of all the attacks you are having.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac at ...12346...
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
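To show what the two-sensor layout in the reply buys you in practice, here is an added example (not code from the thread or from Snort itself) that correlates alert logs from the outer and the inner sensor. It assumes both sensors write Snort's fast-alert format; the alert lines, IP addresses and signature ids are constructed for the example, and because the PIX rewrites the destination address, alerts are matched on attacker IP, signature and destination port rather than on destination IP.

```python
import re
from collections import defaultdict

# Snort "-A fast" alert line; the bracketed classification/priority block is skipped.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alerts(text):
    """Return one dict per parseable fast-format alert line; other lines are skipped."""
    return [m.groupdict() for m in map(FAST_ALERT.match, text.splitlines()) if m]

def correlate(outer_text, inner_text):
    """Key alerts on (sid, attacker IP, destination port), not destination IP:
    the outer sensor sees the PIX's public address, the inner one the real host."""
    seen = defaultdict(lambda: {"outer": 0, "inner": 0, "msg": ""})
    for sensor, text in (("outer", outer_text), ("inner", inner_text)):
        for a in parse_alerts(text):
            entry = seen[(a["sid"], a["src"], a["dport"])]
            entry[sensor] += 1
            entry["msg"] = a["msg"]
    report = {}
    for key, c in seen.items():
        if c["outer"] and c["inner"]:
            verdict = "passed firewall"      # inner sensor saw it: firewall let it through
        elif c["outer"]:
            verdict = "blocked at firewall"  # only the outer sensor saw it
        else:
            verdict = "inside only"          # never seen outside: internal origin
        report[key] = (verdict, c["msg"])
    return report

# Constructed sample alerts: the attacker 203.0.113.5 probes the public NAT address
# 198.51.100.10; only the web probe reaches the internal host 10.0.1.20.
OUTER_ALERTS = """\
10/09-21:50:01.000000  [**] [1:1000001:1] CONSTRUCTED WEB probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.5:40001 -> 198.51.100.10:80
10/09-21:50:05.000000  [**] [1:1000002:1] CONSTRUCTED SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40002 -> 198.51.100.10:445
"""
INNER_ALERTS = """\
10/09-21:50:01.000100  [**] [1:1000001:1] CONSTRUCTED WEB probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.5:40001 -> 10.0.1.20:80
10/09-21:51:10.000000  [**] [1:1000003:1] CONSTRUCTED internal scan [**] [Classification: Attempted Recon] [Priority: 3] {TCP} 10.0.1.77:51000 -> 10.0.1.20:22
"""

if __name__ == "__main__":
    for (sid, src, dport), (verdict, msg) in sorted(correlate(OUTER_ALERTS, INNER_ALERTS).items()):
        print(f"{verdict:20} sid={sid} {src} -> port {dport}  {msg}")
```

The "blocked at firewall" rows are what the outer sensor alone can tell you, and the "passed firewall" rows are the ones the reply calls the most important.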
