[Snort-users] Snort Deployment

akos.daniel at ...14798...
Mon May 3 09:45:30 EDT 2010


Hi all,

On this topic I can understand the answers, but is it worth considering
using an IPS before the firewall as well?
I mean if I put the IPS behind the FW then I lose the monitoring for
attacks against the firewall. Today firewalls terminate many services like
sslvpn, ravpn, auth services... and for those services they have many
'shortcomings' (just one example is the Sockstress TCP DoS attacks).
What would be the best practice for an IPS topology?
If the firewall has not just 2 interfaces but many more DMZs, then should
we implement as many IPSes as we have firewall interfaces?
Is there a basic concept for the IPS topo, or does it always depend on the
business requirements (what the management wants to protect...)?


> I usually recommend that people implement Snort behind a firewall.
>
> As for interfaces, 2 is a good start.  One for management, one for
> sniffing. However, if you have a tap, you might need 3 depending on the
> model of tap.
>
> J
>
> On Mon, May 3, 2010 at 4:30 AM, Kum Weng Luey <kumwengluey at ...11827...>
> wrote:
>
>> Hi guys,
>>
>> I have been trying out snort for quite some time now and it works great.
>> I do want to try implementing snort in a live environment but am kinda
>> clueless how. I want to sniff for traffic before it hits the firewall
>> and enters the internal network. What would be the most optimal setup
>> for the PC and how many interfaces do I need?
>>
>> Hope to get some advice. Thanks a lot.
>>
>> Regards,
>> KW
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>





