SNORT & NAT Routing

[UrlFlynn]

Anyone using a Linux box with Snort for IDS and also using a broadband gateway router, such as NetGear RT series?

Would you place the IDS on the WAN side or the LAN side of the router?

Just curious, I'm trying to find the best method of deployment.

Cheers,

Url

[obi]

Depends on your configuration....

If you have a switched network, something like this....


WAN --- Router --- Hub --- Switch --- Servers/Systems
...............................|
......................Snort System

If you have a non-switched network, install it on your hub.


Or, you can use it for firewalling and install it inline between the router and your hub/switch.

cheers

[petemcevoy]

I would place it on the inside of your router, but i'd be careful, snort doesn't work on all switched networks - you need to make sure your switch can mirror traffic. Have look at snort.org for more info.

[ivan37]

I know on at least the SMC barricades, there is the option of setting up an inside address as the DMZ (or default computer). That is, any traffic not expressly routed elsewhere will go to that computer (which is nice for an IDS).

[UrlFlynn]

Thank you all for the posts. I think I'm inclinded to go with the suggestion of using the DMZ, i.e., a single host that all traffic is routed through. This is where I'll put snort.

Cheers,

Url

[NeroNerd]

Does Snort really work... What about Snort on a Windows box?

[obi]

Snort works very well, and is available for windows.

cheers