Snort mailing list archives
Re: Snort Placement
From: Jose Maria Lopez <jkerouac () bgsec com>
Date: 10 Oct 2004 15:34:49 +0200
El sáb, 09 de 10 de 2004 a las 21:48, Paul Ryan escribió:
I was hoping to get input on the best placement of my snort box. This box is to be used to track traffic to the Internet from my corporate LAN. The traffic traverses a PIX before hitting the Internet, subsequently all outside destined traffic is NAT'd to one public IP. If I place on the outside of the firewall - all source IP's are the NAT, which is useless is tracking offenders on my LAN. Placing it before the PIX - brings up some challeges ... The PIX has a Inside, DMZ and Outside interface. What do u think ? Regards, paul
If you really want to track the offenders in your LAN you need to place the snort sensor inside the firewall, but I would also put another sensor outside the firewall. This is my favorite configuration, because you have a sensor outside the firewall that can see all the attacks to your LAN and an inner one that only sees what's been let in by the firewall. The inner one it's the most important because it's telling you what attacks are bypassing the firewall, and the outer one can give you a good view of all the attacks you are having. -- Jose Maria Lopez Hernandez Director Tecnico de bgSEC jkerouac () bgsec com bgSEC Seguridad y Consultoria de Sistemas Informaticos http://www.bgsec.com ESPAÑA The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles. -- Jack Kerouac, "On the Road" ------------------------------------------------------- This SF.net email is sponsored by: IT Product Guide on ITManagersJournal Use IT products in your business? Tell us what you think of them. Give us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more http://productguide.itmanagersjournal.com/guidepromo.tmpl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Placement Paul Ryan (Oct 09)
- Re: Snort Placement Jose Maria Lopez (Oct 10)
- Re: Snort Placement Paul Halliday (Oct 10)
- <Possible follow-ups>
- Re: Snort Placement Shawn Kottke (Oct 09)
- Re: Snort Placement Jose Maria Lopez (Oct 10)