April 23rd, 2005, 12:15 AM
Snort box placement
Long time lurker, first time poster
I work for a small business (around 70 employess) and in order to enhance the security of our network I am going to be installing a dedicated Snort box. I am fine and dandy on the installation and implimentation of Snort, but I'm more conflicted as to the placement of the box and have several related and non-related questions.
Currently, we have a hardware firewall with a built in DMZ port, where our web server resides. The firewall is pretty much locked down and has done much to keep attackers out. Logs from the firewall are being sent to one of our Linux servers and are monitored/checked 2-3x a day.
We (our IT department) have already decided that it would be more beneficial for the Snort box to be inside the network to view what actually makes it past the firewall as we feel a hardware solution should be our first line of defense, plus we're already seeing what is hitting our firewall. Questions: Is this sound reasoning? Should we place the Snort box on the outside instead? Should we have one on the inside AND the outside (this seems like overkill for a network of our size)?
Assuming that we put the box on the inside, which of the following traffic flows make more sense:
- >>> DMZ with Webserver
->>> Snort Box >>>>>>>> Internal Network
Hardware f-wall >>> Snort Box >>> Web server >>> secondary firewall/snort box >>> internal network
In the first implimentation, we would lose the Snort capabilities for traffic going to our webserver which I don't like very much, but we wouldn't have to create a second firewall snort box to impliment the DMZ as we would in the second implimentation.
Is there a better way to do this? Usually the setup is more straightforward, but considering the size of our business network, it makes things a little more complicated as there are several options to choose from.
Thanks in advance for your help/answers and I hope I can become a positive member of the AO community.
Blankety Blank Blank Blank!