[svlug] running snort behind a firewall

Wayne Earl wayne at qconcepts.net
Tue Mar 20 22:53:02 PST 2001


Karen:

I considered doing this using OpenBSD (the OpenBSD bridging code is much
more stable; IMAO, the 2.4 kernel is far too raw to use in a production
environment yet). While I've not attempted to run snort this way, I have
run ipf as sort of a transparent firewall (which is a whole lot of fun to
do... makes script kiddies' packets evaporate seemingly in mid-wire ;-) )

Problem here is that I don't want to create a potential bottleneck in the
network. If I use a bridge, and that machine fails somehow (either through
hardware failure or being crashed intentionally), the entire network is
blocked. Makes a real convenient target for a cracker that can somehow
target the bridge (which is always possible, firewall or not). While this
network blockage might be desirable in some situations (in fact, I have
designed several production areas to do this intentionally), this is not
appropriate in this particular instance.

On Tue, 20 Mar 2001, Karen Shaeffer wrote:
> Hi Wayne,
>
> You might look into the experimental ethernet bridging in 2.4.x kernels:
>
> Look in Configure.help:
>
> Frame Diverter (EXPERIMENTAL)
> CONFIG_NET_DIVERT
>
> Then you might be able to run snort on the bridge. How's that sound?
>
> c,
>

-- 
Wayne Earl
wayne at qconcepts.net