Re: [Snort-users] Best Practices for external sensors
This is a discussion on Re: [Snort-users] Best Practices for external sensors within the Snort forums, part of the System Security and Security Related category; This is a multipart message in MIME format. --=_alternative 0049BDEA85256EB6_= Content-Type: text/plain; charset="US-ASCII" It ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
06-17-2004
|
|||
|
|||
Re: [Snort-users] Best Practices for external sensors
This is a multipart message in MIME format.
--=_alternative 0049BDEA85256EB6_= Content-Type: text/plain; charset="US-ASCII" It depends on your switch. Either use a switch where the mirror port cannot participate in LAN traffic (read-only) or use a passive TAP. This way, the sensor can see the traffic but cannot write packets that other nodes on the network will actually see. Make sure you can't communicate with other hosts on the external network. Todd Pratt Systems Security Certified Practitioner IT Security Administrator Harte Hanks, Inc. ph 978-436-3368 tpratt@hartehanks.com <jonasb@alum.rpi.edu> Sent by: snort-users-admin@lists.sourceforge.net 06/17/2004 09:04 AM To <snort-users@lists.sourceforge.net> cc Subject [Snort-users] Best Practices for external sensors I currently have a Snort infrastructure set up on my internal network with several sensors managed via SnortCenter, logging to a centralized MySQL DB. I am looking to deploy a sensor on our outside network (off of a mirrored port on a switch). There are several firewalls with outside interfaces on this switch. I'm trying to get an idea of the best/most secure way to funnel alerts/logs back into the network to our centralized logging server. I thought of some type of VPN tunnel inbound, but my concern is that if the sensor were to be compromised, there would be a direct path into the network. I obviously don't want to multi-home the sensor inside/outside. Is my best bet just to open up SQL connectivity from this external sensor to the inside DB on the firewall and stream the alerts that way? If so, does anybody know of a way of any type of wrapper that would encrypt these alerts? Thanks Brad --=_alternative 0049BDEA85256EB6_= Content-Type: text/html; charset="US-ASCII" <br><font size=2 face="sans-serif">It depends on your switch. Either use a switch where the mirror port cannot participate in LAN traffic (read-only) or use a passive TAP. This way, the sensor can see the traffic but cannot write packets that other nodes on the network will actually see. Make sure you can't communicate with other hosts on the external network.</font> <br><font size=2 face="sans-serif"><br> Todd Pratt<br> Systems Security Certified Practitioner<br> IT Security Administrator<br> Harte Hanks, Inc.<br> ph 978-436-3368<br> tpratt@hartehanks.com</font> <br> <br> <br> <table width=100%> <tr valign=top> <td width=40%><font size=1 face="sans-serif"><b><jonasb@alum.rpi.edu></b> </font> <br><font size=1 face="sans-serif">Sent by: snort-users-admin@lists.sourceforge.net</font> <p><font size=1 face="sans-serif">06/17/2004 09:04 AM</font> <td width=59%> <table width=100%> <tr> <td> <div align=right><font size=1 face="sans-serif">To</font></div> <td valign=top><font size=1 face="sans-serif"><snort-users@lists.sourceforge.net></font> <tr> <td> <div align=right><font size=1 face="sans-serif">cc</font></div> <td valign=top> <tr> <td> <div align=right><font size=1 face="sans-serif">Subject</font></div> <td valign=top><font size=1 face="sans-serif">[Snort-users] Best Practices for external sensors</font></table> <br> <table> <tr valign=top> <td> <td></table> <br></table> <br> <br> <br><font size=3>I currently have a Snort infrastructure set up on my internal network with several sensors managed via SnortCenter, logging to a centralized MySQL DB. I am looking to deploy a sensor on our outside network (off of a mirrored port on a switch). There are several firewalls with outside interfaces on this switch. <br> <br> I'm trying to get an idea of the best/most secure way to funnel alerts/logs back into the network to our centralized logging server. I thought of some type of VPN tunnel inbound, but my concern is that if the sensor were to be compromised, there would be a direct path into the network. I obviously don't want to multi-home the sensor inside/outside. Is my best bet just to open up SQL connectivity from this external sensor to the inside DB on the firewall and stream the alerts that way? If so, does anybody know of a way of any type of wrapper that would encrypt these alerts?<br> <br> Thanks<br> Brad </font> <br> --=_alternative 0049BDEA85256EB6_=-- ------------------------------------------------------- This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
