Re: Snort sensor placement

From: Tom Lichti (tom@redpepperracing.com)
Date: 09/27/01


Date: Thu, 27 Sep 2001 16:25:28 -0400
From: Tom Lichti <tom@redpepperracing.com>
To: focus-ids@securityfocus.com
Subject: Re: Snort sensor placement
Message-ID: <190642303.1001607928@[10.10.10.160]>


Hey guys,

Thanks for all the tips, this is a great list. I think I will go with Dave
V's suggestion. I would like to see everything hitting my firewall (call me
paranoid) and I should be able to adjust the snort rules to my liking, if
it gets overwhelming.

The objective is twofold: 1) I would like to make sure I am protecting
myself in the best way possible, and 2) a learning exercise for myself.

I am very interested in network security, and have been for a while, I just
never had the motivation or time to really get into it. Now I've been on
the list for a while, and reading about the current trends and issues, and
see it as an opportunity to add some more tools to my toolbelt. Plus, it
should make me more attractive to my employer!

It should be pretty obvious that I am doing this on my home network, so my
resources are somewhat limited, monetarily more so than hardware (as my
wife would assure you!), which explains why my switch is very basic, and my
snort hardware will be whatever I can build from the multitude of old parts
in the basement.

On a side note, Dave V, would you mind if I corresponded off-list directly
with you, to help me iron out some details? I'm sure the rest of the list
doesn't need to hear all that stuff.

Thanks again.
Tom

--On Thursday, September 27, 2001 5:39 PM +0100 Rui Lapa
<ruilapa@bigfoot.com> wrote:

> On Thu, 2001-09-27 at 16:49, Thiago Conde Figueiro wrote:
>>
>> I'd recommend putting it behind the firewall for a number of reasons:
>>
>> - your snort machine is less vulnerable
>
> Not quite true...
> Ever heard of receive only cables?
>
> http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/
>
> http://www.rware.demon.co.uk/ethernet.htm (10BaseT)
>
> First Rule of securing anything. Don't trust NO ONE!!!
> The intrusion may be done from the inside out. Maybe it is hidden in the
> bathroom with a wireless sniffer ;)
>
> If you are crazy enough you could put an IDS outside, an IDS inside for
> each segment, and the IDS between two static-route routers... between
> the other aforementioned IDSs.
>
> You might want to check these practices:
> http://www.cert.org/security-improvement/modules/m08.html
>
> Second Rule of securing anything. Protect yourself!!
>
> --
> ---------------------------------------------------------------
> Rui Lapa SysAdmin
> ruilapa@bigfoot.com WebDeveloper
> ICQ#: 74501840 YahooM: ruilapa LinuxGeek
> ---------------------------------------------------------------
>