Re: Best Practices for external sensors

[Todd_Pratt () hartehanks com]

It depends on your switch.  Either use a switch where the mirror port 
cannot participate in LAN traffic (read-only) or use a passive TAP.  This 
way, the sensor can see the traffic but cannot write packets that other 
nodes on the network will actually see.  Make sure you can't communicate 
with other hosts on the external network.

Todd Pratt
Systems Security Certified Practitioner
IT Security Administrator
Harte Hanks, Inc.
ph 978-436-3368
tpratt () hartehanks com



<jonasb () alum rpi edu> 
Sent by: snort-users-admin () lists sourceforge net
06/17/2004 09:04 AM

To
<snort-users () lists sourceforge net>
cc

Subject
[Snort-users] Best Practices for external sensors






I currently have a Snort infrastructure set up on my internal network with 
several sensors managed via SnortCenter, logging to a centralized MySQL 
DB. I am looking to deploy a sensor on our outside network (off of a 
mirrored port on a switch). There are several firewalls with outside 
interfaces on this switch. 

I'm trying to get an idea of the best/most secure way to funnel 
alerts/logs back into the network to our centralized logging server. I 
thought of some type of VPN tunnel inbound, but my concern is that if the 
sensor were to be compromised, there would be a direct path into the 
network. I obviously don't want to multi-home the sensor inside/outside. 
Is my best bet just to open up SQL connectivity from this external sensor 
to the inside DB on the firewall and stream the alerts that way? If so, 
does anybody know of a way of any type of wrapper that would encrypt these 
alerts?

Thanks
Brad