I'll soon have (hopefully!: the current security arrangement is HORRIBLE) a 3-legged firewall (i.e. with a DMZ), and I was wondering if there would be anything wrong with setting up snort on the firewall itself (the internal network is switched and the DMZ will most likely be too...)?
A follow-up on that would be how much processing power would be necessary for that firewall (OpenBSD 3.0 with pf) running snort and serving around 100 hosts maximum (on average probably 35 outgoing connections at a time)?
Other setup suggestions appreciated too...
Ammo
March 4th, 2002, 10:29 PM
IchNiSan
hmmm...
On a switched network (with any products from the "Big Players") you should be able to select at least one port on the switch to receive a copy of all traffic; that way you can run a packet sniffer/IDS like snort.
I am not sure how much luck you would have running your IDS on the firewall. I played with snort once, running on a box running ipchains (or was it iptables... I forget) with a locked-down ruleset, and I had a lot of trouble with it. The firewall rules seemed to be blocking all the traffic that I wanted to look at. I didn't play with it for long; I simply wiped the machine and reinstalled the OS, then put snort on it and removed the IP address from the interface which was attached to the network, so it wasn't available to anyone on the internet.
My guess is that since snort wants to put the interface into promiscuous mode, it doesn't enjoy being on a firewall, because the purpose of the firewall is to prevent traffic from passing to applications behind it.
I would think your best bet would be to figure out how to span the ports on your switches...
Good luck,
IchNiSan
March 13th, 2002, 10:09 PM
KorpDeath
Or use a hub on the uplink port (or an optical splitter for fiber) to capture. I tend not to use the port mirroring capabilities of most switches because, depending on the amount of traffic, that can cause problems.
I wouldn't recommend using your firewall/IDS on the same box.
March 20th, 2002, 09:53 AM
Banana
Try downloading IDServe from the web.
March 20th, 2002, 01:38 PM
souleman
Banana> IDServe has absolutely NOTHING to do with this thread. What is your infatuation with GRC programs? Please, learn what they are before you recommend them.