

The more places you install Snort, the more visibility you will have over your network. It follows that you will also have more information to wade through and more administrative overhead. Now would be a good time to sit down and try to decide what it is that you're trying to accomplish with Snort. Do you want to see all the attacks that are being aimed at your network? Or only those attacks that are passing through your firewall? What about attacks launched against individual servers? There are several obvious locations to place your Snort sensors.

Outside the Firewall?

A Snort sensor that is placed between your edge router and your firewall has the advantage that all traffic directed at your site is available to monitor. In order for your Snort sensor to see all traffic, you will need to use a hub or a switch with port-mirroring capability so that the sensor can monitor all traffic that would otherwise be addressed to your firewall or router. The Snort sensor placed outside the firewall gives you an idea of what kind of traffic your firewall is or is not stopping. This dedicated sensor can monitor the network with the full ruleset because you're looking to catch all attacks launched against your network, and there are no services on the sensor to be impacted.

Inside the Firewall?

The placement of a sensor outside the firewall is matched quite well with the next logical location. A Snort sensor placed on your demilitarized zone (DMZ) behind the firewall will tell you what kind of traffic is actually being passed by your firewall. Match the logs from this sensor with the logs from the external Snort sensor, and you can use the collected data to validate your firewall's rulebase and fix any problems before they are exploited. This dedicated sensor can likewise run with the full ruleset.

Resources in every organization are tight, so you may not be able to allocate two boxes dedicated to determining what traffic is directed at your firewall and what traffic is actually passing through it. To economize, it is natural to consider running Snort on the firewall itself. As long as you have the appropriate resources, you can run Snort with a full ruleset to catch traffic you may not think you are passing. One tip for running Snort on the firewall directly is to point the Snort sensor at the internal interface, because this is the more important of the two. Using Snort on the internal interface monitors traffic that has already passed through your firewall's rulebase or is generated internally by your organization. The advantage of deploying a lightweight IDS is that you can place sensors everywhere, including your production servers.
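The log-matching step described for the inside sensor (correlating DMZ alerts with those of the external sensor to validate the firewall rulebase), as an added Python example that is not from the original text: it parses Snort alert_fast lines from both sensors and sorts each alert into passed, blocked or internal. The sample alerts, the local-range SIDs and the assumption that the firewall does not NAT are constructed for this example.

```python
import re

# Layout of a Snort "alert_fast" line: timestamp, [**] [gid:sid:rev] msg [**], classification,
# priority, {proto} src[:sport] -> dst[:dport]. ICMP alerts carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (SIDs in the local 1000000+ range, RFC 5737 documentation addresses).
# Assumes the firewall does not NAT, so both sensors see the same addresses for one event.
OUTSIDE_ALERTS = """
08/10-14:23:01.123456  [**] [1:1000001:1] LOCAL web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
08/10-14:23:05.000001  [**] [1:1000002:1] LOCAL telnet probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51235 -> 198.51.100.5:23
08/10-14:23:09.000002  [**] [1:1000003:1] LOCAL icmp sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5
"""
INSIDE_ALERTS = """
08/10-14:23:01.200000  [**] [1:1000001:1] LOCAL web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
08/10-14:30:00.000000  [**] [1:1000004:1] LOCAL smb probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:40000 -> 198.51.100.5:445
"""

def parse_fast(lines):
    """Reduce each parseable alert_fast line to a (sid, src, dst, dport) key.
    Timestamp and source port are dropped so the same event matches across sensors."""
    keys = set()
    for line in lines:
        m = FAST_RE.match(line.strip())
        if m:
            keys.add((m["sid"], m["src"], m["dst"], m["dport"] or "-"))
    return keys

def compare_sensors(outside_lines, inside_lines):
    """Classify alerts by which sensor(s) saw them:
    passed   - outside and inside: the firewall let the traffic through (review the rulebase)
    blocked  - outside only: the firewall stopped it, as intended
    internal - inside only: originated behind the firewall, invisible to the outside sensor"""
    outside, inside = parse_fast(outside_lines), parse_fast(inside_lines)
    return {
        "passed": sorted(outside & inside),
        "blocked": sorted(outside - inside),
        "internal": sorted(inside - outside),
    }

if __name__ == "__main__":
    for bucket, alerts in compare_sensors(OUTSIDE_ALERTS.splitlines(), INSIDE_ALERTS.splitlines()).items():
        print(bucket, alerts)
```

With the sample data the web probe lands in "passed", which is the list to take back to the firewall rulebase; the telnet probe and ICMP sweep land in "blocked".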
