[Snort-users] Snort Placement

Paul Halliday paul.halliday at ...11827...
Sun Oct 10 17:03:21 EDT 2004


On 10 Oct 2004 15:34:49 +0200, Jose Maria Lopez <jkerouac at ...12346...> wrote:
> On Sat, 09 Oct 2004 at 21:48, Paul Ryan wrote:
> > I was hoping to get input on the best placement of my snort box.
> >
> > This box is to be used to track traffic to the Internet from my corporate
> > LAN. The traffic traverses a PIX before hitting the Internet, subsequently
> > all outside destined traffic is NAT'd to one public IP.
> >
> > If I place on the outside of the firewall - all source IPs are the NAT,
> > which is useless in tracking offenders on my LAN.
> > Placing it before the PIX - brings up some challenges ...

How so? Your PIX must at some point be plugged into a switch or a
router. If it is a managed switch, try a SPAN port; if it is not, tap
the line. Taps are really overpriced, so just find yourself a nice
managed switch and intercept the line. You can easily watch all of
your internal traffic from the management port on the switch.

> >
> > The PIX has an Inside, DMZ and Outside interface.
> >
> > What do you think?
> >
> > Regards,
> >
> > paul
> 
> If you really want to track the offenders in your LAN you need to place
> the snort sensor inside the firewall, but I would also put another
> sensor outside the firewall. This is my favorite configuration, because
> you have a sensor outside the firewall that can see all the attacks to
> your LAN and an inner one that only sees what's been let in by the
> firewall. The inner one is the most important because it's telling
> you what attacks are bypassing the firewall, and the outer one can
> give you a good view of all the attacks you are having.
> 
> --
> Jose Maria Lopez Hernandez
> Technical Director of bgSEC
> jkerouac at ...12346...
> bgSEC Security and IT Systems Consulting
> http://www.bgsec.com
> SPAIN
> 
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
>                 -- Jack Kerouac, "On the Road"
> 


-- 
_________________
Paul Halliday
http://dp.penix.org

"Diplomacy is the art of saying "Nice doggie!" till you can find a rock."
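The two-sensor layout Jose describes (one outside the PIX, one inside) only pays off if the alerts from both are compared: an outside-only hit was stopped by the firewall, a hit on both sensors got through, and an inside-only hit never crossed the firewall at all. The script below is an added example, not code from this thread or from the Snort project. It parses Snort "fast" alert lines from the two sensors and correlates them by signature, protocol and destination port within a small time window; the sample alert lines, the local SIDs (1000001 and up), the RFC 5737 addresses, the NAT address 203.0.113.10 and the year assumed for the timestamps are all constructed for the example. It also shows the NAT point from the original question: the outside copy of an outbound alert carries only the NAT address, while the inside copy names the internal host.

```python
"""Correlate alerts from an outside and an inside Snort sensor (added example)."""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Snort "fast" alert line layout:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
YEAR = 2004  # fast alerts carry no year; assumed for the constructed sample
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed LAN/DMZ ranges

# Constructed sample: what the sensor outside the PIX saw (public NAT address is 203.0.113.10)
OUTSIDE_ALERTS = [
    "10/10-17:03:21.100000  [**] [1:1000001:1] CONSTRUCTED web server probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.23:40112 -> 203.0.113.10:80",
    "10/10-17:03:25.400000  [**] [1:1000002:1] CONSTRUCTED SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:40200 -> 203.0.113.10:445",
    "10/10-17:03:30.000000  [**] [1:1000003:1] CONSTRUCTED web server probe 2 [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.77:51000 -> 203.0.113.10:80",
    "10/10-17:04:02.250000  [**] [1:1000004:1] CONSTRUCTED IRC bot check-in [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.10:1025 -> 198.51.100.7:6667",
]
# Constructed sample: what the sensor inside the PIX saw (real DMZ/LAN addresses visible)
INSIDE_ALERTS = [
    "10/10-17:03:21.300000  [**] [1:1000001:1] CONSTRUCTED web server probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.23:40112 -> 10.1.1.20:80",
    "10/10-17:03:30.150000  [**] [1:1000003:1] CONSTRUCTED web server probe 2 [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.77:51000 -> 10.1.1.20:80",
    "10/10-17:04:02.100000  [**] [1:1000004:1] CONSTRUCTED IRC bot check-in [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.10.42:3201 -> 198.51.100.7:6667",
    "10/10-17:04:40.000000  [**] [1:1000005:1] CONSTRUCTED NetBIOS scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.10.42:3300 -> 192.168.10.5:139",
]


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(f"{YEAR}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
        "sid": int(d["sid"]), "msg": d["msg"], "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def correlate(outside_lines, inside_lines, window=5.0):
    """Pair outside alerts with inside alerts seen for the same signature.

    Matching key is (sid, proto, dport) plus a time window, because NAT
    rewrites addresses between the two sensors but (absent PAT) keeps the
    destination port. Returns blocked (outside only), passed (both) and
    inside_only (never crossed the firewall).
    """
    outside = [a for a in map(parse_fast_alert, outside_lines) if a]
    unmatched_inside = [a for a in map(parse_fast_alert, inside_lines) if a]
    blocked, passed = [], []
    for o in outside:
        match = None
        for i in unmatched_inside:
            same_sig = (i["sid"], i["proto"], i["dport"]) == (o["sid"], o["proto"], o["dport"])
            if same_sig and abs((i["ts"] - o["ts"]).total_seconds()) <= window:
                match = i
                break
        if match is None:
            blocked.append(o)
        else:
            unmatched_inside.remove(match)
            passed.append((o, match))
    return {"blocked": blocked, "passed": passed, "inside_only": unmatched_inside}


def internal_offenders(result):
    """Internal source addresses that triggered alerts, as only the inside sensor can see them."""
    inside_alerts = [i for _, i in result["passed"]] + result["inside_only"]
    hosts = {a["src"] for a in inside_alerts
             if any(ip_address(a["src"]) in net for net in INTERNAL_NETS)}
    return sorted(hosts)


if __name__ == "__main__":
    r = correlate(OUTSIDE_ALERTS, INSIDE_ALERTS)
    for a in r["blocked"]:
        print(f"blocked by PIX : sid {a['sid']} {a['msg']} -> {a['dst']}:{a['dport']}")
    for o, i in r["passed"]:
        print(f"passed PIX     : sid {o['sid']} outside {o['src']}->{o['dst']} inside {i['src']}->{i['dst']}")
    for a in r["inside_only"]:
        print(f"internal only  : sid {a['sid']} {a['src']} -> {a['dst']}:{a['dport']}")
    print("internal offenders:", internal_offenders(r))
```

Run as-is it reports the SMB probe as blocked, the two web probes and the IRC check-in as passed, and the NetBIOS scan as internal-only; the IRC pair shows 203.0.113.10 on the outside copy and 192.168.10.42 on the inside copy, which is exactly why an inside sensor is needed to name the offending host. With real data, widen `window` if the sensors' clocks are not synchronised, and key on more fields if the PIX does port translation.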