The only drawback to this configuration is it introduces another point of
failure to your network. If for some reason the snort box fails, the network
is down. The upside is that you can use the Snort inline functions and
actually have snort stop some attacks. It really depends on what's more
important to your client. You could put an Ethernet tap in place of your snort
box, the tap is still a point of failure. But, in most cases the tap will
continue to pass data on the network, you just loose the monitoring ability.
I believe there are some papers on the Snort web site that talk about this.
Barry
stuff@trackingsolutions.ca wrote:
Does this configuration have any drawbacks for security, reliability or speed.
Internet --> modem --> router --> snortbox --> switch --> local network
Thanks
On November 27, 2005 04:42 pm, G Ramon Gomez wrote:
stuff@trackingsolutions.ca wrote:
The first scenario:
Internet --> Modem --> snortbox --> router --> local network
will not allow me to specify what machine is sending information. It would
just give me the ip of the router. Right?
If you're NATing, yes.
The second scenario:
Internet --> modem --> router --> snortbox --> switch --> local network
this scenario will allow me to monitor the activity from within the local
network.
Yes.
In the second scenario is it nessicary to run iptables or is iptables used
to route the traffic?
iptables would be used to provide the bridging, so it's needed.
Also I do see the value of squid to monitor the traffic to the web.
Ok. To "monitor the traffic to the web", you need some form of activity
logging. Furthermore, you need some form of data analysis to make sense
of the logs, unless you intend to manually review all of the log lines.
Within the context of data analysis of web logs, there are more tools
available to squid then there are to snort, because snort isn't meant to
do this type of work. Squid, on the other hand, is.
Unfortunately, I can't explain any better than this why you'd want to
use squid to monitor web activity. Using a proxy to audit user web
activity versus using an IDS for the same seems intuitive to me (unless
you're doing policy-based auditing, in which case you're not monitoring
*all* activity, just the activity that might violate policy).
- Ramon
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log
files for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
