Tom's Guide Forum
  Tom's Guide Forums » General Networking » Firewall » Snapgear and SNORT
 




 Thread : Snapgear and SNORT
 

Archived from groups: comp.security.firewalls (More info?)

 

Been researching a lot of firewalls, pricing them
on Ebay, reading till my eyes water.

Snapgear seems a decent firewall being based on
a Linux kernel which inherently allows a great
amount of configuration.

Any readers here know if SNORT can be incorporated
into or used with a Snapgear firewall?

Lot of information related to Snapgear and SNORT here:

http://www.cyberguard.com/snapgear [...] e=1&file=1

There is more than enough information about SNORT
and just as much about Snapgear Linux firewalls.
However, I am not having much luck finding needed
information about using Snapgear and SNORT, together.

Currently I am running SNORT on a stand-alone machine
but would like to move to a self-contained firewall
and incorporate SNORT into or with the firewall.

Appears SNORT needs to be machine based and used
with third party software to "talk" to Snapgear
for react blocking, via a serial port. That is
about all I have found in the line of information,
which is not enough!

Anyone have experience with Snapgear and SNORT?

Not the new PCI card running SNORT, but rather
the old-fashioned Snapgear boxes, like the 5
series or their Pro series, two ethernet port
boxes with a serial interface.


Thanks,


Purl Gurl


Archived from groups: comp.security.firewalls (More info?)

 

>
> Anyone have experience with Snapgear and SNORT?
>

Not specifically. What I have done in the past is to place an extra dumb
repeating-type hub (no switches) in front of my firewall device, then run
your WAN from the firewall into that hub. On your snort box have an extra
unnumbered interface that also runs into the 'external' hub. Connect the
snort box's numbered interface into the internal network.

The hub will 'distribute' the raw traffic as needed.


Archived from groups: comp.security.firewalls (More info?)

 

W.B wrote:

(snipped)

> > Anyone have experience with Snapgear and SNORT?

> Not specifically. What I have done in the past is to place an extra dumb
> repeating-type hub (no switches) in front of my firewall device, then run
> your WAN from the firewall into that hub. On your snort box have an extra
> unnumbered interface that also runs into the 'external' hub. Connect the
> snort box's numbered interface into the internal network.

> The hub will 'distribute' the raw traffic as needed.

Thanks, W.B.

I am not having much luck finding information on
using Snort with a firewall. I did make note
Snapgear now has a new firewall out with Snort
incorporated into the operating system. However,
it is a very expensive firewall. They also have
a PCI card out now equipped with Snort.

Problem is Snort being a passive method. At least
one hostile data packet must be allowed to detect.
Later, an ip address can be blocked. For some very
fast systems, Snort can block but not all the time;
there is a race between receiving and doing a reset.

Even with a stand-alone box before your server,
this race condition still exists. With a machine
loaded with Linux, it is just as effective to
Snort sniff and enter ip address blocks by hand.

As you indicate, there is a challenge "wiring" Snort
to talk to a firewall, and you need to be "in front"
of the firewall or address a firewall operating system
directly, like through a serial port. Still, it is a
passive method requiring passage of at least one
hostile packet.

This is most complicated and requires duct tape and
baling wire!

Thinking a good approach will be to wait and watch
Ebay for Snapgear's SME unit to come down in price.

Thanks for your input,

Purl Gurl
--
Amazing Perl Scripts!
http://www.purlgurl.net/~callgirl/android.html
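The "sniff, then enter blocks" glue discussed in the post above, as an added example that is not part of the original thread: it reads Snort "fast" alert lines and turns high-priority sources into iptables rules for review. The alert lines are constructed samples; the `FORWARD` chain, the priority threshold and the `NEVER_BLOCK` list are assumptions for illustration.

```python
import ipaddress
import re

# Snort "fast" alert line: [gid:sid:rev] message, priority, protocol, src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

# Constructed sample alerts (documentation address ranges), not real traffic.
SAMPLE_ALERTS = """\
03/14-09:15:01.100000  [**] [1:1000001:1] Constructed rule A [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:40112 -> 192.168.1.10:80
03/14-09:15:01.350000  [**] [1:1000001:1] Constructed rule A [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:40113 -> 192.168.1.10:80
03/14-09:15:09.000000  [**] [1:1000002:1] Constructed rule B [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.20 -> 192.168.1.10
03/14-09:16:30.000000  [**] [1:1000001:1] Constructed rule A [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.1:51000 -> 192.168.1.10:80
not an alert line
"""

# Never block these: a spoofed source must not cut off the LAN or the gateway.
NEVER_BLOCK = [ipaddress.ip_network("192.168.1.0/24"),
               ipaddress.ip_network("127.0.0.0/8")]


def block_rules(alert_text, max_priority=1, never_block=NEVER_BLOCK):
    """Return (rules, seen): iptables commands to review, and alerts per source.
    Each alert is a packet the passive sensor saw after it was already on the wire."""
    seen = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m.group("prio")) > max_priority:
            continue  # not an alert, or below the blocking threshold
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if any(src in net for net in never_block):
            continue  # protected range: alert only, never auto-block
        seen[str(src)] = seen.get(str(src), 0) + 1
    rules = [f"iptables -I FORWARD -s {ip} -j DROP" for ip in sorted(seen)]
    return rules, seen


if __name__ == "__main__":
    rules, seen = block_rules(SAMPLE_ALERTS)
    print("\n".join(rules))
    print(seen)  # alerts logged per source before any rule existed
```

The per-source count makes the race visible: both alerts from the blocked source were logged before any rule could be inserted.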


Archived from groups: comp.security.firewalls (More info?)

 

>
> I am not having much luck finding information on
> using Snort with a firewall.

Both SmoothWall www.smoothwall.org and IPCop www.ipcop.org are two very good
firewalls and they both use Snort. Worth looking at, and gives you so much
more in protection and flexibility for a low price than all the
"all-in-a-box" devices.

John Morten


Archived from groups: comp.security.firewalls (More info?)

 

John Morten Malerbakken wrote:

> > I am not having much luck finding information on
> > using Snort with a firewall.

> Both SmoothWall www.smoothwall.org and IPCop www.ipcop.org are two very good
> firewalls and they both use Snort. Worth looking at, and gives you so much
> more in protection and flexibility for a low price than all the
> "all-in-a-box" devices.


Thank you, John!

I have downloaded all documentation from both sites.
At first glance, both systems appear very nice.

Your article pushes me back towards buying a used
machine off Ebay, and loading it with one of those
two systems. I bought a brand new Dell XPS 800 recently
for under three-hundred dollars, at Ebay. It is a
dedicated server machine now, Apache, Email, DNS...

Based on short reading of both systems, it does appear
either system could be easily configured to "fit" just
about anywhere in a network, transparent or NAT usage.

Best feature is Snort. Using your suggestion, I could
unload Snort from our server, then install a firewall
machine "ahead" of server which will allow Snort to work
with react block, much better. Use of iptables will be
a lot easier as well, plus using a firewall machine
will significantly lessen our server resource usage.

Few hundred for a machine, couple of cheap NIC cards,
free software, all resulting in security better than
high end firewalls. Reads to me to be a real bargain,
especially with either system being so easy to install.

I have been researching firewalls for months and never
turned up those sites via Google. Sure glad you jumped
in here and provided links.

John, thank you for your suggestion. Looks like I will be
able to save a lot of money and have a better system!


Purl Gurl

