[Snort-users] Placing Snort

Matt Kettler mkettler at ...4108...
Wed Sep 1 08:56:43 EDT 2004


At 05:30 AM 9/1/2004, Chandana Bandara wrote:
>I implemented snort in this way.
>
>
>Internet ---------------> Router -----------------------> Firewall ---------------------> Snort--------------------> switch -----------------> LAN
>
>Am I correct?

That would imply there's one right answer.


Behind the firewall is generally a pretty good place for a "low noise" 
monitoring station, as it's only going to see things making it past your 
firewall. It's also the lowest risk as it's harder for an attacker to 
target the snort box.

Some people put their snort sensor in front of the firewall so they can 
monitor all attacks, including those blocked by the firewall. You get a 
better view of what's going on, but a lot of noise too. You also have to be 
rather careful in the setup of the snort box, or use a one-way tap, to 
prevent attackers from exploiting your snort box and having a very nice 
session-hijacking tool at their disposal.

Typically boxes using an out-front tap have a second management interface 
going back to the LAN switch so you can connect to ACID, etc.

A drawing of this arrangement commonly looks like this:

                                                         (sniffing-only) (management)
                                                    +--------------------------------snort -------------------------------+
Internet ---------------> Router ---------TAP--------------> Firewall --------------------------------------> switch -----------------> LAN

In case that's mis-aligned, here's one that's spaced for fixed-width fonts:
                                                  (sniffing-only)                           (management)
                                           +--------------------------------snort-------------------------------+
Internet ---------------> Router ---------TAP--------------> Firewall --------------------------------------> switch -----------------> LAN




