Snort Location

Location, location, location

What Snort monitors depends on where it is on your network. A diagram of a typical network is shown in Figure 2-1. Like most, this network uses a firewall to split Internet facing servers into a DMZ, and keeps end-user workstations and internal servers in a NAT network.

• A DMZ (De-Militarized Zone) network is a kind of limbo, a neither here nor there zone that has tight controls on what network traffic goes in and what comes out. Traditionally, it’s a semi-trusted network where publicly facing Internet servers reside.

• NAT stands for Network Address Translation, a way to hide multiple machines using private IP space behind a much smaller chunk of public IP space. With NAT, your end-user workstations and internal file servers can initiate outgoing Internet connections, but other hosts on the Internet can’t initiate connections the other way.

Keeping servers in a DMZ keeps your NAT network secure. If one of your Internet-facing servers in your DMZ is cracked, the damage should be limited because the hacker can’t get out of the DMZ to your internal network.

Covering your assets

If your network is for a business or other organization that uses the Internet, network Internet access probably is critical to your business operating smoothly. Even e-mail can be vital to day-to-day operations, so keeping these servers safe is key. If you have publicly facing Internet servers in a DMZ, watch here for trouble: Internet access to your servers means that you can tell the entire world about www.yoursite.com, but the entire world can poke, prod, and tickle your servers, too.

 Remember  Any place you have publicly facing Internet servers is a place for Snort.

If you use a separate DMZ network, you must do the following:

• Designate a port on your DMZ switch as a monitoring port.

• Tell your snort.conf file that you want to monitor this subnet.
  

  After watching this traffic for a while, you start to see alerts for Web server attacks and attempts to squeeze your servers for network information. Keep an eye on Snort’s alerts and start trimming your configuration to reduce false positives (we cover this in Chapter 9).

  Monitoring your DMZ alerts you when someone attacks a server and tells you whether an already compromised server is attacking other servers in the DMZ. This information is critical to network forensics (covered in Chapter 10).

  Seeing who isn’t on the guest list

  In almost every case, you should monitor unfiltered Internet traffic. This traffic is directed at your network, but hasn’t had a chance to be rejected by your firewall. Though most bad traffic gets the boot from your firewall and never touches the protected parts of your network, it’s nice to see that traffic is. If your boss ever wants stats on how well your firewall is doing its job, this is one great resource.

  Figure 2-1 shows a switch in between the router and firewall. Although this isn’t necessary, it’s usually helpful to have unfiltered IP space for network troubleshooting. If there’s a switch in front of your firewall, but you can’t designate a monitoring port on it, throw a hub between your router and switch. This lets you plug your Snort sensor in front of the firewall; for many sites, it won’t introduce any bottlenecks. (A T1 line is only 1.54 Mbps, and even the cheapest hub handles 10 Mbps.)

  If you monitor unfiltered Internet traffic, you see a lot of alerts. You should see a slew of such attack alerts as

  • Port scans that never make it past your firewall

  • Random worm activity directed at hosts that don’t exist

  This data is proof that your firewall is doing its job.

  Keeping tabs on the inside

  Although it seems logical that you’d want to use Snort to monitor your internal NAT network filled with end-users and file servers, we don’t recommend it until you’ve gained some experience scaling and tuning your Snort system for a couple of reasons:

  • Bandwidth: Internal LANs typically run at 100 Mbps to ensure fast access to internal file servers or databases. Compare this to the size of the pipe from the Internet to your DMZ. If every host on your internal network has a 100 Mbps dedicated pipe (thanks to the magic of modern switches, this is now the norm), your Snort system must watch a lot of traffic at once. This is possible with Gigabit Ethernet interfaces and systems with really fast processors, but your super-fast Snort system may be pushed to its limits.

  • False positive alerts: Snort has a built-in notion of us vs. them, which is most evident in the snort.conf settings var HOME_NET, and var EXTERNAL_NET. Snort has a very hard time correctly differentiating between legitimate internal network traffic and hostile attacks. You can get around this by setting both variables to any, but it doesn’t change the fact that Snort is looking for attacks. Snorts default set of rules assumes that your HOME_NET needs to be protected from your EXTERNAL_NET.

   Tip  If your system can handle watching the big bandwidth of a LAN, Snort is your best friend for monitoring internal LAN traffic. Watching internal LAN traffic can be a great way to make sure that your users are sticking to the network policy if you have

  • A high-performance Snort sensor with CPU cycles and RAM to spare

  • A highly tuned rule set

    Your highly tuned rule set should include rules that you develop yourself.