[Snort-users] Home_net/External Net question

Seth Art adidas30 at ...131...
Thu Sep 9 08:30:31 EDT 2004


Thanks John.  I am in fact not worried about
protecting the networks from each other.  I am much
more concerned with protecting each from the outside.




  
--- John Duksta <jduksta at ...11827...> wrote:

> On Wed, 8 Sep 2004 13:34:53 -0700 (PDT), Seth Art
> <adidas30 at ...131...> wrote:
> > Background:
> > 
> > I have 2 firewalls, each monitoring 3 subnets.
> > 
> > Subnets a, b, and c and VPN pool1 are going out/coming in through
> > firewall one.
> > Subnets d, e, and f and VPN pool2 are going out/coming in through
> > firewall two.
> > 
> > On my sensor inside of Firewall 1 HOME_NET is [a,b,c,vpnpool1]
> > On my sensor inside of Firewall 2 HOME_NET is [d,e,f,vpnpool2]
> > 
> > EXTERNAL_NET on both is !$HOME_NET
> > 
> > a) keep the home_nets the same but make a new variable called
> > entire_home_net and include all 6 subnets and both vpn pools and
> > negate THAT for the external_net
> > 
> > b) add subnets a-f and both vpn pools to the home_net var on each
> > sensor (i don't think so)
> 
> With the way the majority of the stock snort rules are written
> (EXTERNAL_NET -> HOME_NET), option a and option b end up being
> essentially the same. For option a, if you have traffic going from
> net C to net F, it's not going to trigger a rule because you won't
> get an address match (C -> F is HOME_NET to ENTIRE_HOME_NET, thus no
> match.)
> 
> You're really going to have to make this determination based upon
> your security policy. Do you consider each environment (Nets A,B,C,
> VPN Pool1 and Nets D,E,F, VPN Pool 2) to be a threat to each other?
> Are there resources in each group that need to be kept separate or
> are these just two different sites, each with the same kind of users
> and security policy and traffic flowing freely between them? If the
> latter, I would recommend adding all your possible networks (A-F, VPN
> Pools 1 and 2) to your home net to reduce your FPs.
> 
> HTH,
> 
> -j
> 
> -- 
> John Duksta <jduksta at ...11827...>
> Can't sleep, clowns will eat me.
> 
> 
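The address-matching behaviour John describes, as an added Python simulation that is not part of this thread or of Snort itself: it models a Snort 2.x `var` address list with `!$VAR` negation and evaluates a generic `$EXTERNAL_NET -> $HOME_NET` rule against a few constructed packets under the original per-site layout, option (a) and option (b). The subnet values and packet addresses are made up (RFC 1918 and documentation ranges standing in for subnets a-f and the VPN pools), and `IpVar`, `rule_matches`, `evaluate` and `differing_packets` are names chosen for this illustration.

```python
"""Simulate Snort's $EXTERNAL_NET -> $HOME_NET address matching under the
HOME_NET/EXTERNAL_NET layouts discussed in the thread.

Added illustration, not Snort code. All addresses below are constructed.
"""
import ipaddress

# Constructed stand-ins for the thread's subnets (not the poster's real ranges).
NETS = {
    "a": "10.1.0.0/24", "b": "10.1.1.0/24", "c": "10.1.2.0/24",
    "vpnpool1": "10.1.100.0/24",
    "d": "10.2.0.0/24", "e": "10.2.1.0/24", "f": "10.2.2.0/24",
    "vpnpool2": "10.2.100.0/24",
}


class IpVar:
    """A Snort-style address variable: a list of networks, optionally negated.

    `var EXTERNAL_NET !$HOME_NET` is IpVar(<HOME_NET nets>, negate=True).
    """

    def __init__(self, nets, negate=False):
        self.nets = [ipaddress.ip_network(n) for n in nets]
        self.negate = negate

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        hit = any(addr in net for net in self.nets)
        return (not hit) if self.negate else hit


def rule_matches(src_var, dst_var, pkt_src, pkt_dst):
    """Address test for a rule written 'alert tcp $SRC any -> $DST any'."""
    return src_var.contains(pkt_src) and dst_var.contains(pkt_dst)


SITE1 = [NETS[k] for k in ("a", "b", "c", "vpnpool1")]
SITE2 = [NETS[k] for k in ("d", "e", "f", "vpnpool2")]
ENTIRE = SITE1 + SITE2

# Layouts for the sensor inside firewall 1.
# Original: var HOME_NET [a,b,c,vpnpool1] / var EXTERNAL_NET !$HOME_NET
ORIGINAL = {"HOME_NET": IpVar(SITE1), "EXTERNAL_NET": IpVar(SITE1, negate=True)}
# Option (a): HOME_NET stays per site, EXTERNAL_NET negates ENTIRE_HOME_NET.
OPTION_A = {"HOME_NET": IpVar(SITE1), "EXTERNAL_NET": IpVar(ENTIRE, negate=True)}
# Option (b): both sites go into HOME_NET, EXTERNAL_NET is !$HOME_NET.
OPTION_B = {"HOME_NET": IpVar(ENTIRE), "EXTERNAL_NET": IpVar(ENTIRE, negate=True)}

# Constructed packets (src, dst); 198.51.100.7 stands in for an Internet host.
PACKETS = {
    "internet->c": ("198.51.100.7", "10.1.2.10"),
    "c->internet": ("10.1.2.10", "198.51.100.7"),
    "c->f": ("10.1.2.10", "10.2.2.20"),
    "f->c": ("10.2.2.20", "10.1.2.10"),
    "internet->f": ("198.51.100.7", "10.2.2.20"),
}


def evaluate(cfg):
    """Return {packet name: True/False} for a $EXTERNAL_NET -> $HOME_NET rule."""
    return {
        name: rule_matches(cfg["EXTERNAL_NET"], cfg["HOME_NET"], src, dst)
        for name, (src, dst) in PACKETS.items()
    }


def differing_packets(cfg1, cfg2):
    """Packet names on which two layouts give a different address match."""
    r1, r2 = evaluate(cfg1), evaluate(cfg2)
    return sorted(name for name in PACKETS if r1[name] != r2[name])


if __name__ == "__main__":
    layouts = {"original": ORIGINAL, "option a": OPTION_A, "option b": OPTION_B}
    results = {name: evaluate(cfg) for name, cfg in layouts.items()}
    print(f"{'packet':<14}" + "".join(f"{n:>10}" for n in layouts))
    for pkt in PACKETS:
        row = "".join(f"{str(results[n][pkt]):>10}" for n in layouts)
        print(f"{pkt:<14}{row}")
    print("a vs b differ on:", differing_packets(OPTION_A, OPTION_B))
```

Running it prints one row per packet. Under the original per-site layout, F -> C matches as if F were an outside host, which is the false-positive source behind the question. Options (a) and (b) agree on every packet the sensor inside firewall 1 is expected to see (Internet <-> site 1 and site 1 <-> site 2); they differ only for Internet -> F, where option (b) treats F as home, traffic that sensor would only see if it transited firewall 1.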
