[Snort-users] Snort Deployment

Joel Esler jesler at ...1935...
Mon May 3 11:17:58 EDT 2010


Plugplugplug
http://blog.joelesler.net/2009/03/why-is-your-ids-outside-your-firewall.html

Food for thought, I wrote this last year some time.  (Yes, the blog post is meant
to provoke a discussion)

J

On Mon, May 3, 2010 at 9:45 AM, <akos.daniel at ...14798...> wrote:

> Hi all,
>
> In case of this Topic I can understand the answers, but is it considerable
> to use IPS before the firewall as well?
> I mean if I put the IPS behind the FW then I lose the monitoring for
> attacks against the firewall. Today firewalls terminate many services like
> sslvpn, ravpn, auth services... and for those services they have many
> 'shortcomings' (just an example is the Sockstress TCP DoS attacks).
> What would be the best practice for an IPS topology?
> If the firewall has not just 2 interfaces but many more DMZs then should
> we implement as many IPS as many Firewall interfaces we have?
> Is there a basic concept for the IPS topo or depends it always on the
> business requirements /what the management want to protect.../ ?
>
>
> > I usually recommend that people implement Snort behind a firewall.
> >
> > As for interfaces, 2 is a good start.  One for management, one for
> > sniffing.  However, if you have a tap, you might need 3 depending on
> > the model of tap.
> >
> > J
> >
> > On Mon, May 3, 2010 at 4:30 AM, Kum Weng Luey <kumwengluey at ...11827...>
> > wrote:
> >
> >> Hi guys,
> >>
> >> I have been trying out snort for quite some time now and it works great.
> >> I do want to try implementing snort in a live environment but am kinda
> >> clueless how. I want to sniff for traffic before it hits the firewall
> >> and enters the internal network. What would be the most optimal setup
> >> for the PC and how many interfaces do I need?
> >>
> >> Hope to get some advice. Thanks a lot.
> >>
> >> Regards,
> >> KW
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >