[Snort-users] Snort in front of WAF or behind?

Joel Esler jesler at ...1935...
Tue Feb 2 19:03:25 EST 2010


My opinion is, if you can let another tool do some work, let it. Let
Snort concentrate on what gets through.

--
Joel Esler
302-223-5974
Sent from my iPhone

On Feb 2, 2010, at 5:24 PM, "Jefferson, Shawn" <Shawn.Jefferson at ...14448...> wrote:

> I’m putting in a WAF in the next two weeks, and I’m deciding on
> where to put it, in front of my network tap with Snort, or behind
> the network tap with Snort.  I’m thinking it’s better to put it in
> front of the network tap with Snort, and let the WAF do the
> inspection, filtering and alerting of HTTP(S) traffic.  A couple of
> benefits of doing it this way that I see:
>
> 1. WAF will know more about how the HTTP applications are configured
> and what is good and what is bad input.
> 2. It will decrease the load (marginally) on the Snort box, since it
> won’t have to inspect the traffic that is already going to be
> filtered at the WAF.
>
> Anybody have input on this scenario?  It seems just like the “Snort  
> in front of the firewall or behind the firewall” debate… but I  
> might be missing something.
>
> --
> Shawn