Where Should I Install Snort?
That depends on your goals. The more places you install Snort, the more visibility you will have over your network. It follows that you will also have more information to wade through and more administrative overhead. Now would be a good time to sit down and try to decide what it is that you're trying to accomplish with Snort. Do you want to see all the attacks that are being aimed at your network? Or only those attacks that are passing through your firewall? What about attacks launched against individual servers? There are several obvious locations to place your Snort sensors. Let's review them briefly.
Outside the Firewall?
A Snort sensor that is placed between your edge router and your firewall has the advantage that all traffic directed at your site is available to monitor. In order for your Snort sensor to see all traffic, you will need to use a hub or a switch with port-mirroring capability so that the sensor can monitor all traffic that would otherwise be addressed to your firewall or router.
The Snort sensor placed outside the firewall gives you an idea of what kind of traffic your firewall is or is not stopping. This dedicated sensor can monitor the network with the full ruleset because you're looking to catch all attacks launched against your network, and there are no services on the sensor to be impacted. The placement of a sensor outside the firewall is matched quite well with the next logical location.
Inside the Firewall?
A Snort sensor placed on your demilitarized zone (DMZ) behind the firewall will tell you what kind of traffic is actually being passed by your firewall. Match the logs from this sensor with the logs from the external Snort sensor, and you can use the collected data to validate your firewall's rulebase and fix any problems before they are exploited. This dedicated sensor can likewise run with the full ruleset.
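The "match the logs" step above, worked through as an added example (this script is not from the article and is not part of Snort): it takes alert lines from the external sensor and from the DMZ sensor, reduces each alert to a signature-plus-destination key, and reports which probes the firewall passed, which it blocked, and which only the inside sensor saw. It assumes both sensors log in Snort's fast alert format (`-A fast`) and that `sed`, `sort`, `comm` and `mktemp` are available; the alert lines, SIDs, signature names and addresses below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): correlate the external sensor's alerts
# with the DMZ sensor's alerts to see what the firewall passed, what it blocked,
# and what only the inside sensor saw. Alert lines are in Snort's "fast" alert
# format; the sensor output below is constructed, with made-up SIDs, signature
# names and addresses.

EXTERNAL_ALERTS='03/12-14:02:11.123456  [**] [1:1000001:1] SAMPLE web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3421 -> 192.0.2.10:80
03/12-14:02:15.000000  [**] [1:1000002:1] SAMPLE sql scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:3422 -> 192.0.2.10:1433
03/12-14:03:01.000000  [**] [1:1000003:1] SAMPLE smtp relay probe [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.9:4000 -> 192.0.2.25:25'

DMZ_ALERTS='03/12-14:02:11.223456  [**] [1:1000001:1] SAMPLE web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3421 -> 192.0.2.10:80
03/12-14:03:01.100000  [**] [1:1000003:1] SAMPLE smtp relay probe [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.9:4000 -> 192.0.2.25:25'

# Reduce each alert line to a key of "gid:sid dst_ip:port" so the same probe seen
# by both sensors (with different timestamps) compares equal. Output is sorted
# and unique, which is what comm(1) needs.
alert_keys() {
    sed -n 's/.*\[\([0-9][0-9]*:[0-9][0-9]*\):[0-9][0-9]*\] .* -> \([0-9.][0-9.]*:[0-9][0-9]*\).*/\1 \2/p' | sort -u
}

# compare_sensors EXTERNAL_TEXT DMZ_TEXT {passed|blocked|inside}
#   passed  - seen by both sensors: the firewall let this traffic through
#   blocked - seen only outside: the firewall stopped it, as intended
#   inside  - seen only inside: generated internally, or it reached the DMZ by a
#             path the outside sensor does not cover
compare_sensors() {
    ext=$(mktemp) || return 1
    dmz=$(mktemp) || return 1
    printf '%s\n' "$1" | alert_keys > "$ext"
    printf '%s\n' "$2" | alert_keys > "$dmz"
    case "$3" in
        passed)  comm -12 "$ext" "$dmz" ;;
        blocked) comm -23 "$ext" "$dmz" ;;
        inside)  comm -13 "$ext" "$dmz" ;;
    esac
    rm -f "$ext" "$dmz"
}

# Report. The "passed" list is the one to check against the firewall rulebase:
# every entry is a probe that the rulebase allowed to reach a DMZ host.
for category in passed blocked inside; do
    echo "== $category =="
    compare_sensors "$EXTERNAL_ALERTS" "$DMZ_ALERTS" "$category"
done
```

Keys deliberately ignore the timestamp and the source port, since the two sensors stamp the same packet at slightly different times; a key of signature plus destination is enough to tell "passed" from "blocked" for a given service.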
On the Firewall?
Resources in every organization are tight, so you may not be able to allocate two dedicated boxes to determining what traffic is directed at your firewall and what traffic is actually passing through it. To economize, it is natural to consider running Snort on the firewall itself. As long as you have the appropriate resources, you can run Snort with a full ruleset to catch traffic you may not think you are passing.
One tip for running Snort directly on the firewall is to point the Snort sensor at the internal interface, because this is the more important of the two. Using Snort on the internal interface monitors traffic that has already passed through your firewall's rulebase or is generated internally by your organization.
On Each Server?
The advantage of deploying a lightweight IDS is that you can place sensors everywhere, including your production servers. Snort is flexible enough that you can disable various plugins or rules that are not important to the server that you are monitoring.
For instance, there is no need to include SQL, HTTP, or FTP rules on your mail server. Similarly, you do not need to look for HTTP Unicode exploits on a Linux-based Apache Web server. There is also no need to check packets for fragments or reassemble TCP streams if your DMZ servers are accessible only through reverse proxies on your firewall.
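The per-server trimming just described, as an added example that is not from the article or from the Snort project: a small script that comments out the rule includes and preprocessors a given server role does not need, so the same base snort.conf can be cut down for a mail server, a Linux Apache server, or a DMZ host reached only through a reverse proxy. The sample snort.conf embedded below is constructed; it uses the Snort 1.9-era directive names (`frag2`, `stream4`, `stream4_reassemble`, `http_decode`, `include $RULE_PATH/...`), which is an assumption about the version in use, so check the names in your own snort.conf. The interface name `eth1` in the closing comment is also assumed.

```shell
#!/bin/sh
# Added example (not from the article): produce a per-role snort.conf by
# commenting out the rules and preprocessors a server does not need.
# Assumption: Snort 1.9-era directive names; verify against your own snort.conf.

# Constructed sample of the relevant parts of a full snort.conf.
SAMPLE_CONF='var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
include $RULE_PATH/exploit.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/sql.rules'

# disable_directives PREFIX...
# stdin: snort.conf; stdout: the same file with every line that starts with one
# of the literal prefixes commented out. Lines are commented, not deleted, so
# the change is visible in the file and easy to reverse.
disable_directives() {
    awk -v list="$(printf '%s\n' "$@")" '
        BEGIN { n = split(list, p, "\n") }
        {
            for (i = 1; i <= n; i++)
                if (p[i] != "" && index($0, p[i]) == 1) {
                    print "# disabled on this host: " $0
                    next
                }
            print
        }'
}

# tune_for_role ROLE  (stdin: base snort.conf, stdout: trimmed snort.conf)
tune_for_role() {
    case "$1" in
        mail)     # mail server: no SQL, HTTP (web-*) or FTP rules
            disable_directives 'include $RULE_PATH/sql.rules' \
                               'include $RULE_PATH/web-' \
                               'include $RULE_PATH/ftp.rules' ;;
        apache)   # Linux Apache: drop IIS-specific rules and SQL rules; the
                  # iis_* options on the http_decode line can be trimmed the same way
            disable_directives 'include $RULE_PATH/web-iis.rules' \
                               'include $RULE_PATH/web-frontpage.rules' \
                               'include $RULE_PATH/web-coldfusion.rules' \
                               'include $RULE_PATH/sql.rules' ;;
        proxied)  # DMZ host reachable only through a reverse proxy on the firewall:
                  # no fragment handling or TCP stream reassembly needed
            disable_directives 'preprocessor frag2' 'preprocessor stream4' ;;
        *)        cat ;;
    esac
}

# active_lines ROLE WORD: how many non-commented lines starting with WORD
# (e.g. "include" or "preprocessor") remain after tuning the sample for ROLE.
active_lines() {
    printf '%s\n' "$SAMPLE_CONF" | tune_for_role "$1" | grep -c "^$2"
}

# Show the mail-server result.
printf '%s\n' "$SAMPLE_CONF" | tune_for_role mail

# On the firewall itself, run the trimmed config against the internal interface
# (interface name assumed):  snort -i eth1 -c /etc/snort/snort.conf
```

The `proxied` prefix `preprocessor stream4` intentionally matches both `stream4` and `stream4_reassemble`; if you disable stream reassembly, remember that rules relying on reassembled TCP payloads will no longer fire on that host, which is the trade-off the text describes.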
In the fifth article, we'll look at Snort Implementation on both UNIX and Win32 platforms, logging to a centralized console, and add-on utilities to help manage the logs.