[Snort-users] Snort Deployment

Joe Pampel jpampel at ...14829...
Mon May 3 11:13:36 EDT 2010


Good questions.. :)

Perhaps the most general answer is that it comes down to your own security policy.

FWIW I've long been fond of putting sensors outside and inside. What's coming at you, and what is getting through? Trust but verify and all that...

A good tap makes this simple and you don't need lots of interfaces. For example, I've had good luck with these guys: http://www.vssmonitoring.com/products/a_taps.asp

You can tap a bunch of places and feed all of them into a single gig-E which then goes into your snort sensor. The tap has no L2 presence so it cannot be detected. If you have a good box for the sensor and not tons of traffic you can get by with 2 interfaces.

I do like watching traffic outside so I can see what's getting tossed at us. Granted most of it is automated, but there are some interesting events out there that the firewall logs would not ID with the same granularity. I like the detail.

If you have inside and outside monitored, you don't really need DMZ since you already have DMZ traffic at your choke points (probably). Again, I am sure some folks do monitor every DMZ. No right or wrong, it all comes down to your policy.

Cheers,

Joe

-----Original Message-----
From: akos.daniel at ...14798... [mailto:akos.daniel at ...14798...]
Sent: Monday, May 03, 2010 9:46 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Deployment

Hi all,

In the case of this topic I can understand the answers, but is it considerable
to use IPS before the firewall as well?
I mean if I put the IPS behind the FW then I lose the monitoring for
attacks against the firewall. Today firewalls terminate many services like
sslvpn, ravpn, auth services... and for those services they have many
'shortcomings' (just an example is the Sockstress TCP DoS attacks).
What would be the best practice for an IPS topology?
If the firewall has not just 2 interfaces but many more DMZs then should
we implement as many IPS as firewall interfaces we have?
Is there a basic concept for the IPS topo or does it always depend on the
business requirements /what the management wants to protect.../ ?


> I usually recommend that people implement Snort behind a firewall.
>
> As for interfaces, 2 is a good start.  One for management, one for
> sniffing.
>  However, if you have a tap, you might need 3 depending on the model of
> tap.
>
> J
>
> On Mon, May 3, 2010 at 4:30 AM, Kum Weng Luey <kumwengluey at ...11827...>
> wrote:
>
>> Hi guys,
>>
>> I have been trying out snort for quite some time now and it works great.
>> I do want to try implementing snort in a live environment but am kinda
>> clueless how. I want to sniff for traffic before it hits the firewall
>> and enters the internal network. What would be the most optimal setup for
>> the PC and how many interfaces do I need?
>>
>> Hope to get some advice. Thanks a lot.
>>
>> Regards,
>> KW
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
